Forwarding RDP via a Linux machine using iptables: Not working

Posted by Nimmy Lebby on Server Fault
Published on 2010-12-08T06:54:59Z Indexed on 2010/12/29 9:55 UTC

I have a Linux machine and a Windows machine behind a router that implements NAT (the diagram might be overkill, but was fun to make):

[diagram: network setup]

I am forwarding RDP port (3389) on the router to the Linux machine because I want to audit RDP connections. For the Linux machine to forward RDP traffic, I wrote these iptables rules:

iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination win-box
iptables -A FORWARD -p tcp --dport 3389 -j ACCEPT

The port is listening on the Windows machine:

C:\Users\nimmy>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  (..snip..)
  TCP    0.0.0.0:3389           WIN-BOX:0         LISTENING
  (..snip..)

And the port is forwarding on the Linux machine:

# tcpdump port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
01:33:11.451663 IP shieldsup.grc.com.56387 > linux-box.myapt.lan.ms-wbt-server: Flags [S], seq 94663035, win 8192, options [mss 1460], length 0
01:33:11.451846 IP shieldsup.grc.com.56387 > win-box.myapt.lan.ms-wbt-server: Flags [S], seq 94663035, win 8192, options [mss 1460], length 0

However, I am not getting any successful RDP connections from the outside. The port is not even responding:

C:\Users\outside-nimmy>telnet example.com 3389
Connecting To example.com...Could not open connection to the host, on port 3389: Connect failed

Any ideas?

Update

Per @Zhiqiang Ma, I looked at the nf_conntrack proc file during a connection attempt and this is what I see (192.168.3.1 = linux-box, 192.168.3.5 = win-box):

# cat /proc/net/nf_conntrack | grep 3389
ipv4     2 tcp      6 118 SYN_SENT src=4.79.142.206 dst=192.168.3.1 sport=43142 dport=3389 packets=6 bytes=264 [UNREPLIED] src=192.168.3.5 dst=4.79.142.206 sport=3389 dport=43142 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2

2nd update

Got tcpdump on the router and it seems that win-box is sending an RST packet:

21:20:24.767792 IP shieldsup.grc.com.45349 > linux-box.myapt.lan.3389: S 19088743:19088743(0) win 8192 <mss 1460>
21:20:24.768038 IP shieldsup.grc.com.45349 > win-box.myapt.lan.3389: S 19088743:19088743(0) win 8192 <mss 1460>
21:20:24.770674 IP win-box.myapt.lan.3389 > shieldsup.grc.com.45349: R 721745706:721745706(0) ack 755785049 win 0

Why would Windows be doing this?
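The conntrack line in the first update is the most informative piece of evidence on this page, so here is an added diagnostic, not code from the question or its answers, that parses /proc/net/nf_conntrack entries in the format shown above and flags DNAT'd flows for which the forwarding host has never seen a reply packet. It assumes the nf_conntrack line layout with nf_conntrack_acct counters as in the question; the sample input embeds the question's own line plus a second, constructed ESTABLISHED entry for contrast.

```python
"""Flag DNAT'd conntrack flows that never got a reply through this host.

Added example; reads the /proc/net/nf_conntrack format shown in the question.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first line is the question's own conntrack entry, the
# second is a made-up healthy flow (203.0.113.7 is a documentation address).
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 118 SYN_SENT src=4.79.142.206 dst=192.168.3.1 sport=43142 dport=3389 packets=6 bytes=264 [UNREPLIED] src=192.168.3.5 dst=4.79.142.206 sport=3389 dport=43142 packets=0 bytes=0 mark=0 secmark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=203.0.113.7 dst=192.168.3.1 sport=51000 dport=3389 packets=40 bytes=5120 src=192.168.3.5 dst=203.0.113.7 sport=3389 dport=51000 packets=38 bytes=9001 [ASSURED] mark=0 secmark=0 zone=0 use=2
"""

# One direction of a conntrack entry; packets/bytes are only present when
# nf_conntrack_acct is enabled, so they are optional.
TUPLE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
    r"(?: packets=(?P<packets>\d+) bytes=(?P<bytes>\d+))?"
)


@dataclass
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int
    packets: Optional[int]  # None when accounting is off


@dataclass
class Flow:
    state: str
    orig: Tuple4   # client -> address the client dialled
    reply: Tuple4  # expected return direction, after any NAT
    unreplied: bool

    @property
    def dnat(self) -> bool:
        # After DNAT the reply tuple's source is the real target (win-box),
        # not the address the client connected to (linux-box).
        return self.reply.src != self.orig.dst


def _tuple(m: "re.Match") -> Tuple4:
    pk = m.group("packets")
    return Tuple4(m.group("src"), m.group("dst"), int(m.group("sport")),
                  int(m.group("dport")), int(pk) if pk is not None else None)


def parse_line(line: str) -> Optional[Flow]:
    """Parse one TCP conntrack line; non-TCP or malformed lines yield None."""
    fields = line.split()
    if len(fields) < 6 or fields[2] != "tcp":
        return None
    matches = list(TUPLE_RE.finditer(line))
    if len(matches) != 2:
        return None
    return Flow(state=fields[5], orig=_tuple(matches[0]),
                reply=_tuple(matches[1]), unreplied="[UNREPLIED]" in line)


def parse_conntrack(text: str) -> List[Flow]:
    return [f for f in (parse_line(ln) for ln in text.splitlines()) if f is not None]


def stalled_dnat_flows(flows: List[Flow], dport: int = 3389) -> List[str]:
    """Report DNAT'd flows to `dport` with no reply packet seen by this host."""
    reports = []
    for f in flows:
        if f.orig.dport != dport or not f.dnat:
            continue
        if f.unreplied or f.reply.packets == 0:
            seen = f.orig.packets if f.orig.packets is not None else "?"
            reports.append(
                f"{f.orig.src}:{f.orig.sport} -> {f.orig.dst}:{f.orig.dport} "
                f"DNAT'd to {f.reply.src}:{f.reply.sport}, state {f.state}, "
                f"{seen} packet(s) in, 0 back through this host"
            )
    return reports


if __name__ == "__main__":
    # On a live forwarder (as root) replace SAMPLE_CONNTRACK with
    # open("/proc/net/nf_conntrack").read().
    for report in stalled_dnat_flows(parse_conntrack(SAMPLE_CONNTRACK)):
        print(report)
```

Reading the question's entry this way makes the symptom precise: DNAT is in effect (reply source is win-box), six SYNs arrived from the client, and zero packets have come back through linux-box, which is why the entry stays SYN_SENT and [UNREPLIED]. That pattern is consistent with win-box answering the client directly rather than via the forwarder; a POSTROUTING SNAT or MASQUERADE rule on linux-box for the DNAT'd traffic forces the return path back through it. The trade-off for the stated audit goal is that the Windows side then sees linux-box as the peer, so the record of real client addresses has to be kept on linux-box itself (for example with a LOG rule in the FORWARD chain, or from these conntrack entries).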
