What iptable cmd shows port forward from GUI?

[Goobi]

This is a two part question. I want to open a port to allow a work colleague access a server during work hours only, so I want to create a cron that will open and close the port at the beginning and end of work.

What iptable syntax will show me the port forward I set up via the GUI? I tried using iptable -L but don’t see it but I know it is there as I can access the server remotely.

The second question is how to I go about deleting the rule?

I guess I have a third question, is there another command I got to run to add then later delete a firewall rule?

Apologies for the noob questions as I am not well versed on iptable and don’t want to mess anything up.

Thanks in advance.

 

[kfp]

What iptable syntax will show me the port forward I set up via the GUI? I tried using iptable -L but don’t see it but I know it is there as I can access the server remotely.

How did you open the port? Command line or via web GUI?

Where exactly are you trying the iptables command? Perhaps you had a typo? Just basing on the wrong spelling throughout this post.

The second question is how to I go about deleting the rule?

Didn’t you say you used cron? Then also use cron to delete it? If you opened the port using the web GUI, then delete it there.

is there another command I got to run to add then later delete a firewall rule?

Didn’t you just said you used cron? Though you can accomplish what you want with a single iptables rule using the time module

Here I am assuming Monday-Friday 9AM-5PM, and that the protocol is TCP

iptables -A INPUT -i eth0 -s <coworker IP> -d <server IP> -p tcp --dport <server port> -m time --weekdays 1,2,3,4,5 --timestart 09:00 --timestop 17:00 -j ACCEPT

Read more about the time module here:
http://ipset.netfilter.org/iptables-extensions.man.html#lbCH

 

[ColinTaylor]

The GUI port forwarding uses the VSERVER chain in the nat table which is why you didn't see it. Try the following:

# iptables-save -t nat | grep VSERVER
:
-A VSERVER -p tcp -m tcp --dport 12345 -j DNAT --to-destination 192.168.1.50:23456
:

So you could use cron to add and remove that rule as required. Use "cru" for that (see the built-in help or the wiki). But @kfp's suggestion to use the "time" parameter is probably better, although it won't work as it stands. Use something like this, changing the port/IP numbers as appropriate:

# iptables -t nat -A VSERVER -p tcp --dport 12345 -m time --timestart 07:00 --timestop 14:00 --weekdays 1,2,3,4,5 --kerneltz -j DNAT --to-destination 192.168.1.50:23456

You can then put this in a nat-start user script.

 

[Goobi]

The GUI port forwarding uses the VSERVER chain in the nat table which is why you didn't see it. Try the following:

# iptables-save -t nat | grep VSERVER
:
-A VSERVER -p tcp -m tcp --dport 12345 -j DNAT --to-destination 192.168.1.50:23456
:

So you could use cron to add and remove that rule as required. Use "cru" for that (see the built-in help or the wiki). But @kfp's suggestion to use the "time" parameter is probably better, although it won't work as it stands. Use something like this, changing the port/IP numbers as appropriate:

# iptables -t nat -A VSERVER -p tcp --dport 12345 -m time --timestart 07:00 --timestop 14:00 --weekdays 1,2,3,4,5 --kerneltz -j DNAT --to-destination 192.168.1.50:23456

You can then put this in a nat-start user script.

Thanks, exactly what I was looking for!