
I can't find an answered question for this problem.

I have about 7 ranges of IP addresses I would like to allow to RDP (port 3389) to a server within my network.

My main router uses iptables and I can't seem to figure out what the right combination is ...

This is the closest I've gotten, which doesn't seem to work:

iptables -t filter -I FORWARD -d 192.168.x.xx -p tcp -m iprange --src-range xx.xxx.xxx.100-xxx.xxx.xxx.200 --dport 3389 -j ACCEPT

What is the correct way of doing this...

UPDATE:

I have found a solution to the problem. Please see the answer below for my solution.

Mike Pengelly

1 Answer


So this is the definitive answer I was looking for.

You first need to set a NAT (PREROUTING) rule to redirect the traffic to the correct server/computer. Done like this...

iptables -t nat -A PREROUTING -p tcp -s yy.yy.yy.0/24 --dport 3389 -j DNAT --to-destination 192.168.1.xx:3389

Then you need a Filter (FORWARD) Rule to allow the traffic to flow to the destination like this...

iptables -t filter -I FORWARD -s yy.yy.yy.0/24 -d 192.168.1.xx -p tcp --dport 3389 -j ACCEPT

Note:

yy.yy.yy.0/24 is the IP block you would like to allow ... See https://www.aelius.com/njh/subnet_sheet.html for help with subnets.

192.168.1.xx is the destination server in your local LAN.

Mike Pengelly
ipset makes whitelisting and blacklisting much easier, especially for a large number of IP addresses. – rjt Jul 01 '16 at 04:08
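The question has about seven source ranges, so here is a small generator for the DNAT + FORWARD rule pair from the answer, repeated per range, with a catch-all DROP for RDP toward the host so that nothing outside the list is forwarded. This is an added example, not code from the original post or answer; the WAN interface name, the RDP host address and the allowed ranges are constructed placeholders, and ranges written with a dash use the `-m iprange` match from the question instead of `-s`.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed assumptions:
# eth0 is the router's WAN interface, 192.168.1.50 is the RDP host on the LAN,
# and the allowed ranges are documentation/test addresses.
WAN_IF="eth0"
RDP_HOST="192.168.1.50"
# Space-separated on purpose: it is word-split into positional arguments below.
ALLOWED_RANGES="203.0.113.0/24 198.51.100.10-198.51.100.20 192.0.2.0/24"

# Print the iptables commands for forwarding RDP to $1 from each remaining
# argument. Nothing is executed; pipe the output into sh to apply it.
gen_rdp_rules() {
    host="$1"; shift
    # Catch-all: drop forwarded RDP toward the host that no ACCEPT matched.
    # Appended with -A so the per-range ACCEPTs inserted with -I sit above it.
    echo "iptables -t filter -A FORWARD -i $WAN_IF -d $host -p tcp --dport 3389 -j DROP"
    for range in "$@"; do
        # "a.b.c.d-e.f.g.h" needs the iprange match; a CIDR block can use -s.
        case "$range" in
            *-*) src="-m iprange --src-range $range" ;;
            *)   src="-s $range" ;;
        esac
        # The same two rules as in the answer, once per allowed range.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp $src --dport 3389 -j DNAT --to-destination $host:3389"
        echo "iptables -t filter -I FORWARD -i $WAN_IF $src -d $host -p tcp --dport 3389 -j ACCEPT"
    done
    # Let reply packets of accepted sessions through; harmless if such a rule
    # already exists, required if the FORWARD policy is DROP.
    echo "iptables -t filter -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Sanity check for review: number of ACCEPT rules the generator emits
# (one per range plus the conntrack rule).
count_accepts() {
    gen_rdp_rules "$RDP_HOST" $ALLOWED_RANGES | grep -c -- '-j ACCEPT'
}

# Review first:  gen_rdp_rules "$RDP_HOST" $ALLOWED_RANGES
# Then apply:    gen_rdp_rules "$RDP_HOST" $ALLOWED_RANGES | sh
```

The output is meant to be read before it is piped into sh; with three ranges it should show three DNAT lines, four ACCEPT lines and one DROP line.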