I am using WireGuard (WG) as a VPN and only routing certain port based traffic over it. On the ingress side of the tunnel the traffic first hits eth0 then goes on to the WG TUN interface, wg0, so the following rule works for forwarding on ingress:
-A PREROUTING -d 192.#.#.# -i eth0 -p tcp -m tcp --dport 7054 -j DNAT --to-destination 10.#.#.#:7054
However I can not get traffic routed from TUN interface to eth0 on the egress side of the tunnel with the following rule, I think due to the "tunnel" being virtual and the traffic first must cross eth0 so PREROUTING is not valid??? I am not sure how to think about the TUN interface with regards to the routing sequence, i.e. is this still PREROUTEING or POSTROUTING or somewhere in the middle?
-A PREROUTING -d 10.#.#.# -i wg0 -p tcp -m tcp --dport 7054 -j DNAT --to-destination 192.#.#.#:7054
I tried the following to see if PREROUTING would then work for the wg0 interface but it did not. I also tried this with POSTROUTING, but not the solution.
iptables -t raw -A PREROUTING -i eth0 -j NOTRACK
Related
I need to set up access to the HTTP(S) servers on devices like KVMs and PDUs on a private network (192.168.0.0/24). I must get through an isolated network (10.0.0.0/8) limited to ports 22 and 443. I have a dual-NIC Linux server inside the network that serves as a gateway to the private network. See diagram Here:
Network Diagram
I need to use a forward SSH tunnel to get to the Linux gateway, then use iptables NAT to route HTTP(s) traffic to the web frontends on the devices.
I've observed with both tcpdump and iptables trace that the inbound HTTP(s) request through the SSH tunnel shows up on interface lo , not eth1 as one might expect.
This has led me to come up with the following nat and filter rules:
*nat
-A PREROUTING -i lo -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.100:80
-A PREROUTING -i lo -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.0.101:443
-A POSTROUTING -d 10.0.0.0/8 -o lo -j SNAT --to-source <10.gateway_IP>
COMMIT
*filter
:INPUT ACCEPT [37234:5557621]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26648:27864039]
-A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
So, when I set up the tunnel with:
ssh -L 8080:<gateway>:8080 <user>:#<gateway>
Then making sure on the gateway:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
and then execute http://localhost:8080,
The packets make it out of the tunnel onto the gateway, out of interface lo, but iptables doesn't seem to forward it to the destination in the PREROUTING rule. stderr from the tunnel returns "Connection refused."
What am I missing?
I am running ubuntu 16.0.4 as a wifi hotspot and to share a vpn connection.
eth0 is on subnet 10.10.10.x
tun0 is on subnet 10.9.0.x
wlan0 is on subnet 10.10.11.x
I am able to share the vpn connection with the following rule...
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
... so any wired devices using the ubuntu box as its gateway can share the vpn.
I am also forwarding all traffic on the wireless interface through the vpn and allowing returning traffic with the following...
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
So far, so good.
But, I want all traffic on port 32400 to be forwarded to eth0 instead, specifically IP 10.10.10.20 (and of course, allow return traffic).
With my current setup, my wireless connections on wlan0 can not see the subnet of eth0.
How can I achieve this? I am fine with either forwarding all traffic on port 32400... or forwarding everything for a single IP(e.g. 10.10.11.200 on wlan0) to 10.10.10.20(eth0).
I've tried both the port forwarding and the IP forwarding but cant't seem to get either working as I'm not sure of the method nor the correct syntax.
Thanks in advance for advice.
These rules should do the trick, assuming destination port is the same 32400 (but I'm not sure about the order refering to other your rules)
iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.10.10.20:32400
iptables -t nat -A POSTROUTING -p tcp -d 10.10.10.20 --dport 32400 -j SNAT --to-source 10.10.11.200
I want the following rules to forward tcp packets
from 127.0.0.1:32770 to 172.17.0.36:1000
and forward packets from 127.0.0.1:32771 to 172.17.0.36:10001
and forward packets from 127.0.0.1:32772 to 172.17.0.36:10002
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 32770:32771 -j DNAT --to-destination 172.17.0.36:1000-1002
But currently it can forward all packets from 127.0.0.1:32770-32771 to any one of 172.17.0.36:1000-1002
I've struggled a lot to find this and finally found a solution that absolutely works, the command in your case would be:
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 32770:32771 -j DNAT --to-destination 172.17.0.36:1000-1002/32770
Here, 32770 is the base-port, and the mapping will start from there, for example:
32770 -> 172.17.0.36:1000
32771 -> 172.17.0.36:1001
Now, let's say the incoming range and outgoing range are not equal:
iptables -t nat -I PREROUTING -p tcp --dport 30000:30199 -j DNAT --to 10.1.1.1:40000-40099/30000
In the above case, the DNAT mapping will round itself like this:
30000 -> 10.1.1.1:40000
30001 -> 10.1.1.1:40001
...
30099 -> 10.1.1.1:40099
30100 -> 10.1.1.1:40000
30101 -> 10.1.1.1:40001
...
30199 -> 10.1.1.1:40099
The support for base-port based 1:1 port mapping in DNAT was added in 2018.
Please refer below link:
http://git.netfilter.org/iptables/commit/?id=36976c4b54061b0147d56892ac9d402dae3069df
I have seen this working in Linux kernel 4.19 and above.
I am trying to setup a cloud server as a gateway, which forwards all traffic to my second cloud server. The problem is that the destination server (2nd cloud) only sees the IP address of the first cloud server.
Is it possible to keep the source IP so it would show the IP address of the one connecting to the first cloud server. I have tried removing MASQUERADE, but the connection between cloud #1 -> cloud #2 did not work properly anymore.
-A FORWARD -p tcp -m tcp --dport 25565 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 25565 -j DNAT --to-destination DESTINATIONIP:PORT
-A POSTROUTING -j MASQUERADE
It works with this setup, but does not show the source IP. Have you got any idea on how to not hide the IP that is connecting to the first cloud server?
Thanks
cloud 1 and 2 need to be in same network, a VPN is fine
on cloud1:
-A FORWARD -p tcp -m tcp --dport 25565 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 25565 -j DNAT --to-destination DESTINATIONIP:PORT
-A POSTROUTING -j MASQUERADE
on cloud2, we mark the desired packet with 1, eth0 is the default gateway:
iptables -t mangle -A OUTPUT -o eth0 -p tcp --sport 25565 -j MARK --set-mark 1
you need to manipulate the routing table on cloud2:
edit /etc/iproute2/rt_tables, add the line
1 http
here the manipulation, tun0 is the vpn interface on cloud2:
ip route add default via ip_vpn_cloud1 dev tun0 table http
ip rule add from all fwmark 1 table http
be sure that net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter are set to 1 in /etc/sysctl.conf
With -A POSTROUTING -j MASQUERADE all outgoing forwarded packets will have the source IP of the corresponding outgoing interface.
You should be more specific on the packets you masquerade/SNAT.
I like to create a simple captive portal that works for an interface that is part of a bridge.
The bridge interface br0 (10.19.1.1/16) consists of two interfaces eth0 and eth1.
Behind eth1 are the client computers. Behind eth0 is a switch that has the internet gateway connected to.
For the captive portal, all tcp requests to port 80 coming from the clients behind eth1 need to be directed the local web server.
The following lines seem to work as the website request are redirected to the local web server. The problem is that once the authentication line below is used, the client cannot load any regular websites anymore.
I have already searched the internet but haven't found a solution.
PORTAL_INT="eth1"
PORTAL_IP="10.19.1.1"
#'drop' packets from being bridged
ebtables -t broute -A BROUTING -i $PORTAL_INT -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
iptables -N internet -t mangle
iptables -t mangle -A PREROUTING -j internet
#authenticated
#iptables -t mangle -I internet 1 -m mac --mac-source $CLIENT_MAC -j RETURN
#mark all traffic
iptables -t mangle -A internet -j MARK --set-mark 99
#redirect website access
iptables -t nat -A PREROUTING -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination $PORTAL_IP
iptables -t filter -A FORWARD -m mark --mark 99 -j DROP
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -m mark --mark 99 -j DROP