I have a server (where I am administrator) to which I can connect via MSTSC.exe from Windows under NAT. The server is under NAT. I have SSH and sudo rights to a Linux server with a public IP to open ports 2k and above and install software. Using what software could I forward my Windows port through the Linux server?

  • Your question is not completely clear. Do you want to use the Linux PC as a proxy for your Windows PC? Do you want to forward all of the Windows PC through the Linux PC, or only some part of it? Or instead do you want requests coming to your Windows PC to be forwarded to and answered by the Linux PC? Commented Nov 10, 2013 at 6:09

1 Answer

There are several ways to do it:

The quickest way (for temporary use) is to use an SSH client like PuTTY. You connect to your Linux box and add a tunnel rule.

Doing it on the Linux box, your goal is to enable IP forwarding on the Linux box as well as adding a firewall rule that redirects traffic from an unused high port to your Windows RDP port (which is 3389). The command of choice is iptables. With that you can add network rules to the Linux kernel. It is suggested to use high ports on your public interface to prevent script kiddies from scanning default ports.

First, enable IP forwarding (if not enabled already):

Temporary:

sysctl -w net.ipv4.ip_forward=1

Then add a firewall rule using iptables:

Let's say: eth0 is internal with the 192.168.1.0/24 network, eth1 is external with IP 1.2.3.4

# DNAT inbound TCP 3389 on the public address to the Windows RDP host
sudo iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 3389 -j DNAT --to 192.168.16.1:3389

If the external high port shall be 12345, you may define this iptables rule:

# DNAT inbound TCP 12345 on the public address to port 3389 on the Windows RDP host
sudo iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 12345 -j DNAT --to 192.168.16.1:3389

To check your NAT rules, use the following command: sudo iptables -L -nv -t nat

Permanently:

sudo nano /etc/sysctl.conf

and add the following line:

net.ipv4.ip_forward=1

Reload the sysctl settings with

sudo sysctl -p

To permanently add the iptables rule, you may create a firewall init script on your Linux box (if not already there) and hang it into the runlevel your Linux box is already running in.

You may also Google 'Linux iptables NAT', 'port forwarding' and similar. There is a lot of documentation out there, even for RDP.
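As an added example (not part of the answer above), this script emits the complete ruleset the DNAT approach needs for the answer's topology, where the Windows host is routed behind the Linux box: the PREROUTING DNAT restricted to an allowed source network rather than relying on an obscure high port, the FORWARD accepts that a default-DROP policy would otherwise block, and a POSTROUTING MASQUERADE so replies come back through the Linux box even when it is not the Windows host's default gateway. The values 1.2.3.4, 12345, 192.168.16.1 and the admin network 203.0.113.0/24 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds the iptables commands
# for forwarding a public high port to an internal RDP host (TCP 3389).
# Assumed values are passed as arguments; nothing is applied unless you
# call apply_rdp_forward_rules explicitly.

rdp_forward_rules() {
    ext_ip="$1"     # public address on the Linux box, e.g. 1.2.3.4
    pub_port="$2"   # high port exposed on the Internet, e.g. 12345
    rdp_host="$3"   # Windows host behind the Linux box, e.g. 192.168.16.1
    allow_src="$4"  # only this network may reach the forwarded port
    cat <<EOF
iptables -t nat -A PREROUTING -p tcp -s $allow_src -d $ext_ip --dport $pub_port -j DNAT --to-destination $rdp_host:3389
iptables -A FORWARD -p tcp -d $rdp_host --dport 3389 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -s $rdp_host --sport 3389 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -d $rdp_host --dport 3389 -j MASQUERADE
EOF
}

# Runs each emitted rule with sudo; stops at the first failure.
apply_rdp_forward_rules() {
    rdp_forward_rules "$@" | while IFS= read -r rule; do
        sudo $rule || exit 1
    done
}

# Show what would be applied for the assumed values.
rdp_forward_rules 1.2.3.4 12345 192.168.16.1 203.0.113.0/24
```

Verify the result with the answer's check, sudo iptables -L -nv -t nat, and confirm the PREROUTING entry carries the expected source network.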
