I need to secure a VPN via SSH forwarding. How can I do this?
It should work like a proxy socks, but I was not able to find the gateway via socks.
I tested this in bash; these commands work best.
After step 4 of the old answer, it works with:
route add -net [server] netmask 255.255.255.255 gw [real gateway client]
after that:
ssh -NTCf -w 0:0 [server]
ip link set tun0 up
ip addr add 192.168.123.2/32 peer 192.168.123.1 dev tun0
route add -net 192.168.123.0 netmask 255.255.255.0 gw 192.168.123.2
route add default gw 192.168.123.1
Run on the server:
ip link set tun0 up
ip addr add 192.168.123.1/32 peer 192.168.123.2 dev tun0
arp -sD 192.168.123.2 eth0 pub
If the server works as a gateway, you need a NAT command:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I found an approach with SSH_VPN at this link: https://help.ubuntu.com/community/SSH_VPN
and https://superuser.com/questions/202310/ssh-vpn-default-gateway-help
1. Set forwarding in the system:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
or
edit /etc/sysctl.conf
and uncomment "net.ipv4.ip_forward=1"
2. Create an SSH key:
ssh-keygen
ssh-copy-id root@[des ip server]
3. Edit /etc/ssh/sshd_config
add "PermitTunnel yes"
and
change "PermitRootLogin yes"
4. Restart the ssh service
5. ssh -NTCf -w 0:0 [des ip server]
6. On the host, set the tun0 IP with:
ip link set tun0 up
ip addr add 10.0.0.100/32 peer 10.0.0.200 dev tun0
On the server, set the tun0 IP:
ip link set tun0 up
ip addr add 10.0.0.200/32 peer 10.0.0.100 dev tun0
Set the route [see des ip] on the host:
ip route add [des ip server]/32 via [gateway host]
Set the default route on the host:
route add default gw 10.0.0.200
Go to the server and set the iptables rules:
iptables -P FORWARD ACCEPT
iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
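An added check for step 3 of the answer above (my example, not code from the answer or from Ubuntu's SSH_VPN page): sshd uses the first occurrence of a keyword in sshd_config, so a "PermitTunnel yes" appended below an existing "PermitTunnel no" is silently ignored and the -w tunnel fails. The function reports the value sshd will actually use; the config file path is passed in as an argument.

```shell
# sshd_effective KEYWORD FILE
# Prints the value sshd will use for KEYWORD: comments and blank lines are
# skipped, the match is case-insensitive, and the FIRST hit wins, which is
# sshd's own rule. Prints nothing when the keyword is absent (sshd default
# applies). Match blocks are not handled; `sshd -T` is the authoritative check.
sshd_effective() {
    awk -v key="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# check_tunnel_permitted SSHD_CONFIG
# Returns 0 when "ssh -w" with a layer-3 tun device is allowed by this config,
# 1 otherwise. "-w 0:0" requests a tun device, so "ethernet" (tap only) is not
# enough, and the sshd default when the keyword is unset is "no".
check_tunnel_permitted() {
    v=$(sshd_effective PermitTunnel "$1")
    case "${v:-no}" in
        yes|point-to-point) return 0 ;;
        *) echo "PermitTunnel is '${v:-no}' (first match wins); -w will fail" >&2
           return 1 ;;
    esac
}

# Usage on the server, before trying the tunnel (path is an assumption):
#   check_tunnel_permitted /etc/ssh/sshd_config && echo "tunnel allowed"
```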
I need to transform the destination IP of packets when they arrive from our client, and also transform the source IP of packets leaving our network to the client's network.
I have IPSec VPN tunnel with a client on a Linux box. The machine has two interfaces with the following config:
eth0: 172.15.100.5
eth1: 172.15.100.15 (public IP 33.x.x.x)
Application server is 172.15.100.50.
Client's IP: 10.26.18.38/32
Client cannot use our internal IP 172.15.100.50 to talk to the application via the tunnel. Instead, they will send traffic through the VPN to 172.20.100.55 (which is not our IP) and they need us to respond with source IP 172.20.100.55.
My thinking is that I should be able to use iptables POSTROUTING and PREROUTING to transform the destination IP of incoming traffic from 10.20.100.55 to 172.15.100.50 (application server), and the source IP of outgoing traffic from our application server IP 172.15.100.50 to 10.20.100.55. However, I am not sure of the correct way to achieve this.
iptables -t nat -I PREROUTING -i eth1 -d 10.20.100.55 -j DNAT --to 172.15.100.50
iptables -t nat -I POSTROUTING -i eth0 -d 10.26.18.38 -j SNAT --to 172.20.100.55
I have monitored traffic with tcpdump and on the application server, but it would appear my NAT rule is not working.
I am running ubuntu 16.0.4 as a wifi hotspot and to share a vpn connection.
eth0 is on subnet 10.10.10.x
tun0 is on subnet 10.9.0.x
wlan0 is on subnet 10.10.11.x
I am able to share the vpn connection with the following rule...
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
... so any wired devices using the ubuntu box as its gateway can share the vpn.
I am also forwarding all traffic on the wireless interface through the vpn and allowing returning traffic with the following...
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
So far, so good.
But, I want all traffic on port 32400 to be forwarded to eth0 instead, specifically IP 10.10.10.20 (and of course, allow return traffic).
With my current setup, my wireless connections on wlan0 can not see the subnet of eth0.
How can I achieve this? I am fine with either forwarding all traffic on port 32400... or forwarding everything for a single IP(e.g. 10.10.11.200 on wlan0) to 10.10.10.20(eth0).
I've tried both the port forwarding and the IP forwarding but can't seem to get either working, as I'm not sure of the method nor the correct syntax.
Thanks in advance for advice.
These rules should do the trick, assuming the destination port is the same 32400 (but I'm not sure about the order relative to your other rules):
iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.10.10.20:32400
iptables -t nat -A POSTROUTING -p tcp -d 10.10.10.20 --dport 32400 -j SNAT --to-source 10.10.11.200
i would like to route all http/https/other ports traffic which is coming from pc1 to pc2, pc2 should route that to an external proxy that I would like to be able to set at pc2.
my current config is:
pc1 (eth0 / 192.168.0.1, Gateway: 192.168.0.2) -> pc2 (eth0 / 192.168.0.2)
pc2 has two NICs, eth0 and eth1. eth1 is the WAN connection.
in summary, eth1 #pc2 should be able to route incoming traffic from eth0 to a proxy server.
what I've tried:
sysctl -w net.ipv4.conf.all.forwarding=1
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp -o eth1 --dport 80 -j DNAT --to proxy:3128
i'm able to ping pc2, but that was it unfortunately already. I'm new with iptables, thanks for your help.
There is a guide about setting up a transparent proxy with squid that seems like it might have some useful information. It seems to have some different methods that could be adapted to solve your problem.
Most OS distributions also have guides and tutorials for using iptables and routing as well as the particular semantics for your OS of choice. I have used the guides with Ubuntu help and CentOS in the past and they were very helpful when I was first learning to use iptables.
This machine has two interfaces eth0 and eth1. There is a default gateway on eth0:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.2.1        0.0.0.0         UG    0      0        0 eth0
10.0.2.0        *               255.255.255.0   U     0      0        0 eth0
10.0.2.0        *               255.255.255.0   U     0      0        0 eth1
I need to set up rules with iptables to proxy all incoming traffic on eth1 to 10.0.1.1.
Note that eth0 is associated with a static IP address 10.0.2.2 while eth1 is dynamic.
There is a guide on port forwarding with netfilter that explains how to do this in a slightly simpler setup, but I can't figure out how to go from their example to mine.
Building upon the link you supplied, with the exception of using the conntrack module rather than the state module:
# Activate forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Forward packets coming in from the outside
iptables -t nat -A PREROUTING -p tcp -i eth1 -j DNAT --to-destination 10.0.1.1
# Make responses on the internal network go through the firewall
iptables -t nat -A POSTROUTING -p tcp -d 10.0.1.1 -j SNAT --to-source 10.0.2.2
# Allow forwarded packets
iptables -A FORWARD -p tcp -d 10.0.1.1 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
In order to disable reverse path filtering in the kernel, follow the steps described here. I think that in your case, modifying the value of net.ipv4.conf.eth1.rp_filter to 0 via sysctl would suffice.
Note that this workaround is a bit of a security hole. A better approach would be to change the network structure itself.
I have a firewall (based on iptables) at dedicated ubuntu server.
I have several LAN Clients.
At one of my LAN clients I am running software where I can restrict access based on IP.
For me it is important that I can restrict that by using WAN IPs so not LAN IPs.
I have configured my firewall so that one port is forwarded to a LAN client, which works well (solution found at Stack Overflow). So far no problems.
However at the LAN client I do not see the IP of external sender but - I think due to the forwarding - the client sees that the packet is coming from my LAN server.
Question is: how to forward a port on my server to another LAN IP with different port, but so that the LAN client recognizes the external IP of the packet.
Let's make it more clear:
server LAN IP: 192.168.1.10
server port: 8080
should be forwarded to:
client LAN IP: 192.168.1.20
client LAN port: 8000
With iptables I have:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -d 192.168.1.10 -j DNAT --to 192.168.1.20:8000
iptables -A FORWARD -p tcp -d 192.168.1.20 --dport 8000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport 8000 -d 192.168.1.20 -j SNAT --to 192.168.1.10
As written that works, but when f.i. someone at IP 88.77.66.55 sends a packet then my LAN client (192.168.1.20) sees that the packet is coming from my LAN server (192.168.1.10) and unfortunately not from 88.77.66.55.
Can I fix that...?
Your last rule is the same as a MASQUERADE rule.
eg:
iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
With MASQUERADE or SNAT, you are modifying the source IP address as it goes through the first server. The 2nd server sees the packet and sends its response back to that IP, which is then sent back to the client.
However, the server sees request as coming from 192.168.1.10 - because that's where it's coming from.
client > gateway > iptables-router > server (sees .10) > iptables-router > gateway > client
If you remove the MASQUERADE/SNAT, the server sees the real IP, but when it sends the reply, the packet is going to its default gateway (default route), which is probably your router or a gateway at your data center. The client gets a response back from an IP address it doesn't know about, and doesn't know what to do with it, so it looks like it's not working. Alternatively, the gateway/router sees a SYNACK with no associated connection and drops the packet.
client > gateway > iptables-router > server > gateway (DROP) or > client (DROP)
If you want the server to get the real IP of the client, here are two common ways to make it work:
Set the gateway (default route) of the server to the IP address of the iptables machine (ie: the machine you are running these iptables rules on). In this case, the server sends all external traffic (ie: a response to a random IP address from the internet) to the MAC address of the iptables machine, which is waiting for a reply. iptables will send it back to the client. The webserver machine is behind the iptables machine, using the iptables machine as a router.
client > gateway > iptables-router > server(real IP) > iptables-router > gateway > client
Use an HTTP proxy like nginx which will work the same way you have it working now, with the client only seeing the internal .10 address. However, because it's a proxy, it can send an HTTP header like X-Original-IP-Address: 123.456.789.012 containing the real IP address of the client.
client > gateway > iptables-router > server (sees X-Original-IP header) > iptables-router > gateway > client
Best Regards,
Neale
Let us define:
{source address} - packet sender (some remote address)
{interface address} - packet receiver (firewall external address)
{local address} - packet end point receiver local network address
{local gateway} - firewall local address
{proto block} - IP protocols limitation (i.e. -p tcp -m tcp --dport xxxx)
1. If you want the client to see ip address of packet source - do that:
iptables -t nat -A PREROUTING -s {source address} -d {interface address} {proto block} -j DNAT --to-destination {local address}
iptables -A FORWARD -d {local address} -j ACCEPT
Do not forget to make:
echo "1" > /proc/sys/net/ipv4/ip_forward
It will enable packets forwarding.
In this case, your end point will see original ip address, however, it will try to respond to default gateway, if this address is not in local network range, add:
route add {source address} gw {local gateway}
this will tell your endpoint to send packets for {source address} via {local gateway} (or reply back).
2. You do not want endpoint to see original ip address and do not want to modify routing tables, then add
iptables -t nat -A POSTROUTING -s {source address} -j MASQUERADE
In this case, LAN client will see only {local gateway} address.
In any case, do not forget to masquerade all packets that are going from your local network to remote addresses by:
iptables -t nat -A POSTROUTING ! -d 192.168.0.0/16 -j MASQUERADE
You want to keep source address and destination address for further processing. In this case, your {local gateway} will be just a part of packet routing and {local address} has to be just a next hop - use policy routing for that.
First, add your own routing table with lower than 252 tag to /etc/iproute2/rt_tables
Then - you can add rule for {source address} directly to rules set or mark packets from {source address} - both methods will lookup your custom routing table for that packets:
ip rule add from {source address} table custom_table
or
iptables -t mangle -A PREROUTING -s {source address} -j MARK --set-mark 1
ip rule add fwmark 1 table custom_table
And then, make {local address} next hop gateway for these packets:
ip route add default via {local address} table custom_table
Of course, POSTROUTING chain will be applied just before packet exit and you can shape your source address if needed.
Just remove last rule (do not do SNAT).
Or restrict SNAT, allowing only masquerading of your LAN clients, by adding an -o eth0 condition (assuming eth0 is the external interface):
iptables -t nat -A POSTROUTING -p tcp -o eth0 --dport 8000 -d 192.168.1.20 -j SNAT --to 192.168.1.10
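As an added example for this whole question (mine, not code from any of the answers above), the two workable variants the answers describe rendered as one parameterised script: "snat" rewrites the source on the LAN-bound leg of this one flow only, so the client sees the firewall's LAN address, while "preserve" adds no source rewrite and relies on the LAN client routing its replies back through the firewall. The interface name, addresses and ports from the question are used as assumptions; commands are printed unless APPLY=1 is set.

```shell
# emit prints the command; APPLY=1 runs it instead (root required).
emit() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# port_forward MODE EXT_IF WAN_IP EXT_PORT FW_LAN_IP INT_IP INT_PORT
#   MODE is "snat" (client sees the firewall) or "preserve" (client sees the
#   real source and must route replies back through the firewall).
port_forward() {
    mode=$1 ext_if=$2 wan_ip=$3 ext_port=$4 lan_ip=$5 int_ip=$6 int_port=$7
    emit sysctl -w net.ipv4.ip_forward=1
    # Destination rewrite before routing, only for packets arriving on the WAN
    # side, so LAN hosts cannot reach the forward via the firewall's WAN address.
    emit iptables -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$wan_ip" \
        --dport "$ext_port" -j DNAT --to-destination "$int_ip:$int_port"
    # Admit the rewritten flow and its replies; everything else keeps the FORWARD policy.
    emit iptables -A FORWARD -i "$ext_if" -p tcp -d "$int_ip" --dport "$int_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    emit iptables -A FORWARD -o "$ext_if" -p tcp -s "$int_ip" --sport "$int_port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    case $mode in
    snat)
        # Source rewrite for this one flow only, not a blanket MASQUERADE.
        emit iptables -t nat -A POSTROUTING -p tcp -d "$int_ip" --dport "$int_port" \
            -j SNAT --to-source "$lan_ip" ;;
    preserve)
        # No POSTROUTING rule: the client sees the remote address. Its replies
        # must come back via this box, which is a route on the client, not a rule here.
        printf '# on %s: ip route add default via %s\n' "$int_ip" "$lan_ip" ;;
    *)
        echo "port_forward: unknown mode '$mode'" >&2; return 2 ;;
    esac
}

# Example from the question (printed, not applied):
#   port_forward snat eth0 203.0.113.10 8080 192.168.1.10 192.168.1.20 8000
```

The WAN address 203.0.113.10 is a documentation-range placeholder standing in for the firewall's real external IP.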