I want to RDP to my server that is behind a squid3 proxy

1

I want to be able to rdp into my server behind squid3 proxy (on ubuntu).

This is a windows 2000 server and is used for testing. I need it behind a proxy so that it is off my normal network as it is a testing server.

My programmer needs to be able to log into the test server to test updates to the software we use.

How can I get the RDP port to be fwd'd through the proxy to my virtualbox win2k server guest?

user277244

Posted 2014-02-06T20:28:13.073

Reputation: 251

"Questions seeking product, service, or learning material recommendations are off-topic because they become outdated quickly and attract opinion-based answers. Instead, describe your situation and the specific problem you're trying to solve. Share your research." – Ƭᴇcʜιᴇ007 – 2014-02-06T20:29:47.707

Answers

1

I'm assuming for the machine that is behind the proxy, that its only path out to the Internet is via the proxy. So you are not able to receive incoming connections, and only make outgoing ones through an HTTP proxy.

It's a bit complex, but setting up a VPN via OpenVPN might help. There are HTTP proxy options for OpenVPN clients which may allow it to connect to an OpenVPN server that you operate outside of the network.

This system that you want to RDP into, you must set it up as an OpenVPN client. Use the http-proxy options as explained here.

On the server side, you'll want to do this (which will require you to set up server and client certificates - using xca to do this may be easier than following the steps in the OpenVPN documentation) to make sure the client, which is the system you want to RDP into, always receives the same VPN IP.

Once both client and server are active and connected, from the server machine which is outside of this network, you ought to be able to mstsc /v:{VPN-IP} from the Windows "Run" dialog to reach it.

If you don't want to install OpenVPN on the Win2k server directly, install it on another system behind the proxy on the same network and then once you are RDP'ed into this intermediate system, RDP from there to the Win2k server. Windows 7 and 8 handle "cascaded" RDP a bit better than XP IMHO.

LawrenceC

Posted 2014-02-06T20:28:13.073

Reputation: 63 487

0

If you use Squid as a transparent proxy and have no need for IPSec, you can use iptables to do DNAT.

Suppose the win2k server has the address 10.10.10.10 and uses the standard RDP port; this rule should pass the RDP traffic:

iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to 10.10.10.10:3389

If you want extra security you can also specify which interfaces/clients/networks are allowed to connect.

Examples:

only allow eth0

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 3389 -j DNAT --to 10.10.10.10:3389

only allow ip 10.10.100.100

iptables -t nat -A PREROUTING -p tcp -s 10.10.100.100 --dport 3389 -j DNAT --to 10.10.10.10:3389

similarly, only allow connections from a specific network

iptables -t nat -A PREROUTING -p tcp -s 10.0.0.0/8 --dport 3389 -j DNAT --to 10.10.10.10:3389

In the unlikely case your win2k server does not have a static ip you need to add this rule also:

iptables -t nat -A POSTROUTING -p tcp --dport 3389 -j MASQUERADE

Read up here for a very understandable explanation of NAT and DNAT

Jake

Posted 2014-02-06T20:28:13.073

Reputation: 398

Hmm, it didn't work. IPTABLES took the rule, but I still can't rdp into the windows 2000 server. My router has port fwd'ing set to the eth1 ip of the linux computer with squid. Any other ideas? – user277244 – 2014-02-08T03:45:58.600

Is forwarding enabled? It is not by default; to enable it, enter this in your terminal: echo 1 > /proc/sys/net/ipv4/ip_forward – Jake – 2014-02-08T14:27:47.817
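
Added example (not part of the original answer or its comments): a read-only check for the two points raised above, that the DNAT rule for port 3389 should be limited by interface or source, and that ip_forward must be 1 for the rule to have any effect. The function name check_rdp_dnat and both sample rule sets are constructed for illustration; on a real gateway, pass it the output of iptables-save and the content of /proc/sys/net/ipv4/ip_forward.

```shell
#!/bin/sh
# check_rdp_dnat RULES IP_FORWARD  (hypothetical helper, read-only)
#   RULES: text in iptables-save format; IP_FORWARD: "0" or "1"
# Prints findings; returns 0 when nothing needs fixing, 1 otherwise.
check_rdp_dnat() {
    rules=$1; fwd=$2; rc=0
    if [ "$fwd" != "1" ]; then
        echo "FAIL ip_forward=$fwd: DNATed packets will not be routed"
        rc=1
    fi
    dnat=$(printf '%s\n' "$rules" | grep -- '-A PREROUTING' |
           grep -- '--dport 3389 ' | grep -- '-j DNAT' || true)
    if [ -z "$dnat" ]; then
        echo "FAIL no PREROUTING DNAT rule for tcp/3389"
        return 1
    fi
    # A rule with neither -i nor -s forwards RDP for any source.
    while IFS= read -r line; do
        case " $line " in
            *" -s "*|*" -i "*) echo "OK   scoped: $line" ;;
            *) echo "WARN unrestricted: $line"; rc=1 ;;
        esac
    done <<EOF
$dnat
EOF
    # With a DROP policy on FORWARD, tcp/3389 needs an explicit ACCEPT.
    if printf '%s\n' "$rules" | grep -q '^:FORWARD DROP'; then
        printf '%s\n' "$rules" | grep -- '-A FORWARD' |
            grep -- '--dport 3389 ' | grep -q -- '-j ACCEPT' ||
            { echo "FAIL FORWARD policy DROP, no ACCEPT for tcp/3389"; rc=1; }
    fi
    return $rc
}

# Constructed samples using the addresses from the answer above.
SAMPLE_OPEN='*nat
-A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.10.10.10:3389
COMMIT'
SAMPLE_SCOPED='*nat
-A PREROUTING -s 10.10.100.100/32 -i eth0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.10.10.10:3389
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT'

check_rdp_dnat "$SAMPLE_OPEN" 0 || true      # unrestricted rule, forwarding off
check_rdp_dnat "$SAMPLE_SCOPED" 1 || true    # scoped rule, forwarding on
```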