execute PREROUTING rules after DNAT jump - iptables

I have a VPS behind NAT, so my incoming packets arrive destined to a private address instead of the public one (I cannot change that with the provider).
I also have a service that applies routing rules in iptables PREROUTING (Kubernetes).
What I need is to "fix" the IP address of the incoming packet so that the routing logic works correctly with the public IP (changing this to use the private IP breaks other parts of the software at a higher level).
As an example, what I need is that the packet receives a change of destination (DNAT) and then also passes through the further PREROUTING rules,
i.e.:
iptables -t nat -I PREROUTING 1 -d $PRIVATE_IP -j DNAT --to-destination $PUBLIC_IP
iptables -t nat -I PREROUTING 2 -d $PUBLIC_IP -j $ROUTING_TABLE
iptables -t nat -I PREROUTING 3 -d $PUBLIC_IP -j LOG --log-prefix "LOG PREROUTING " --log-level 7 -m comment --comment " this never happens :( "
But rules 2 and 3 never get triggered. Is there a way to achieve that? Even outside of iptables, if you know how.
Thank you,
Francesco

Related

iptables port forward rule to route traffic from WireGuard TUN interface to eth0

I am using WireGuard (WG) as a VPN and only routing certain port-based traffic over it. On the ingress side of the tunnel the traffic first hits eth0 and then goes on to the WG TUN interface, wg0, so the following rule works for forwarding on ingress:
-A PREROUTING -d 192.#.#.# -i eth0 -p tcp -m tcp --dport 7054 -j DNAT --to-destination 10.#.#.#:7054
However, I cannot get traffic routed from the TUN interface to eth0 on the egress side of the tunnel with the following rule, I think because the "tunnel" is virtual and the traffic must first cross eth0, so PREROUTING is not valid??? I am not sure how to think about the TUN interface with regard to the routing sequence, i.e. is this still PREROUTING or POSTROUTING or somewhere in the middle?
-A PREROUTING -d 10.#.#.# -i wg0 -p tcp -m tcp --dport 7054 -j DNAT --to-destination 192.#.#.#:7054
I tried the following to see whether PREROUTING would then work for the wg0 interface, but it did not. I also tried this with POSTROUTING, but that was not the solution either.
iptables -t raw -A PREROUTING -i eth0 -j NOTRACK

mirroring traffic with iptables doesn't work

I want to mirror specific traffic to ip 192.168.200.1
I use the following solution:
Mirror Port via iptables
However, when I enter the following command, this error occurs:
iptables -I PREROUTING -t mangle -j ROUTE --gw 192.168.200.1 --tee
iptables v1.4.12: unknown option "--gw"
When I replace "--gw" with "-gateway", like this:
iptables -I PREROUTING -t mangle -j ROUTE -gateway 192.168.200.1 --tee
this error occurs:
iptables v1.4.12: multiple -j flag not allowed
Why is this?
Try:
iptables -t mangle -A PREROUTING -j TEE --gateway 192.168.200.1
For that version of iptables, -j ROUTE doesn't work.

Mangle and mark packets in the same iptables chain

I want to mangle packets by redirecting them to the NFQUEUE target, but at the same time I want to mark them in the same chain, which is the PREROUTING chain.
To redirect packets to the NFQUEUE target I use:
iptables -t mangle -A PREROUTING -j NFQUEUE --queue-num 0
To mark packets I use (here icmp is just an example):
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 1
Is there any way to do both manipulations at the same time?
Any help would be very much appreciated!
Thank you!
To solve my problem I used the raw table (which is used in principle to mark packets) to redirect packets and the mangle table to mark them:
iptables -t raw -A PREROUTING -j NFQUEUE --queue-num 0
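As an added example that is not from any of the posts above: the top question's rules 2 and 3 never fire because DNAT is a terminating target (the packet leaves nat PREROUTING at that rule, and the nat table only consults the rule set for the first packet of a connection anyway), and the NFQUEUE/MARK post runs into the same class of problem, since a packet the queue handler accepts with NF_ACCEPT resumes at the next netfilter hook rather than at the next rule of the chain (only an NF_REPEAT verdict re-traverses it). The script below reads iptables-save output and flags both patterns. It is a static check, not a simulator: it compares `-d` host addresses literally, treats `-m comment` as not restricting anything, and ships with a constructed sample ruleset in which 10.0.0.5, 203.0.113.10 and the chain name KUBE-SERVICES stand in for $PRIVATE_IP, $PUBLIC_IP and $ROUTING_TABLE.

```python
"""Flag iptables rules shadowed by an earlier terminating target in the same chain.
Added example, not code from the posts; parses iptables-save text (see SAMPLE)."""
from __future__ import annotations
import shlex
from dataclasses import dataclass

# After these targets the rest of the chain is not evaluated for that packet.
# NFQUEUE is listed for the usual NF_ACCEPT verdict; NF_REPEAT is the exception.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "REDIRECT",
               "MASQUERADE", "NETMAP", "NFQUEUE"}


@dataclass
class Rule:
    table: str
    chain: str
    index: int           # 1-based, as `iptables -L --line-numbers` shows it
    target: str | None
    dst: str | None      # -d value, unless negated with "!"
    to_dst: str | None   # address part of DNAT --to-destination
    has_match: bool      # any match option other than -m comment


def _addr(spec: str) -> str:
    # iptables-save prints a host as 10.0.0.5/32; compare on the bare address
    return spec[:-3] if spec.endswith("/32") else spec


def parse_save(text: str) -> list[Rule]:
    rules, table, counts = [], None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        if table is None or not line.startswith("-A "):
            continue                        # :CHAIN lines, COMMIT, comments
        argv = shlex.split(line)            # handles quoted --comment / --log-prefix
        target = dst = to_dst = None
        has_match = negate = False
        i = 2                               # argv[1] is the chain name
        while i < len(argv) and argv[i] != "-j":
            tok = argv[i]
            if tok == "!":
                negate, i = True, i + 1
                continue
            if (tok == "-m" and argv[i + 1] == "comment") or tok == "--comment":
                i += 2                      # comments restrict nothing
                continue
            if tok in ("-d", "--destination"):
                if not negate:
                    dst = _addr(argv[i + 1])
                has_match, i = True, i + 2
            elif tok.startswith("-"):
                has_match, i = True, i + 1  # some other match; its value is skipped next
            else:
                i += 1
            negate = False
        if i + 1 < len(argv):
            target = argv[i + 1]
            if "--to-destination" in argv:
                spec = argv[argv.index("--to-destination") + 1]
                to_dst = _addr(spec.split(":")[0])   # drop an optional :port
        key = (table, argv[1])
        counts[key] = counts.get(key, 0) + 1
        rules.append(Rule(table, argv[1], counts[key], target, dst, to_dst, has_match))
    return rules


def find_dead_rules(rules: list[Rule]) -> list[tuple[str, str, int, int, str]]:
    """(table, chain, dead rule index, shadowing rule index, reason) per unreachable rule."""
    out, chains = [], {}
    for r in rules:
        chains.setdefault((r.table, r.chain), []).append(r)
    for (table, chain), seq in chains.items():
        dnat_to = {}        # rewritten destination -> index of the DNAT rule
        catch_all = None    # first match-all terminating rule in this chain
        for r in seq:
            if catch_all:
                why = f"rule {catch_all.index} ({catch_all.target}) matches every packet and ends the chain"
                if catch_all.target == "NFQUEUE":
                    why += " unless the handler returns NF_REPEAT"
                out.append((table, chain, r.index, catch_all.index, why))
                continue
            if r.dst in dnat_to:
                # DNAT does not re-enter the chain, so this rule only ever sees
                # packets that already arrived with this destination
                out.append((table, chain, r.index, dnat_to[r.dst],
                            f"-d {r.dst} is only the destination after DNAT in rule {dnat_to[r.dst]}"))
            if r.target in TERMINATING:
                if r.target == "DNAT" and r.to_dst:
                    dnat_to.setdefault(r.to_dst, r.index)
                if not r.has_match:
                    catch_all = r
    return out


# Constructed iptables-save output: the top question's nat rules and the
# NFQUEUE-then-MARK mangle chain of the later post (addresses are made up).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
-A PREROUTING -d 10.0.0.5/32 -j DNAT --to-destination 203.0.113.10
-A PREROUTING -d 203.0.113.10/32 -j KUBE-SERVICES
-A PREROUTING -d 203.0.113.10/32 -m comment --comment "this never happens" -j LOG --log-prefix "LOG PREROUTING " --log-level 7
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j NFQUEUE --queue-num 0
-A PREROUTING -p icmp -j MARK --set-xmark 0x1/0xffffffff
COMMIT
"""
# The same mangle chain with MARK placed before NFQUEUE: both rules now run.
REORDERED = SAMPLE.replace(
    "-A PREROUTING -j NFQUEUE --queue-num 0\n-A PREROUTING -p icmp -j MARK --set-xmark 0x1/0xffffffff",
    "-A PREROUTING -p icmp -j MARK --set-xmark 0x1/0xffffffff\n-A PREROUTING -j NFQUEUE --queue-num 0")

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for table, chain, dead, _by, why in find_dead_rules(parse_save(text)):
        print(f"{table}/{chain} rule {dead} is unreachable: {why}")
```

Run it without arguments for the built-in sample, or as `iptables-save > rules.txt; python3 dead_rules.py rules.txt` on a live host (the file name is an assumption). For the NFQUEUE case the REORDERED sample is the straightforward fix: mark first, queue second. For the DNAT case the report restates what the question observed: nothing later in nat PREROUTING sees the rewritten destination; after DNAT the packet goes through the routing decision and then the mangle and filter INPUT/FORWARD chains with the new address, and those are the only places in the same pass where a rule can match the public IP.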

Captive Portal for a bridged interface

I would like to create a simple captive portal that works for an interface that is part of a bridge.
The bridge interface br0 (10.19.1.1/16) consists of two interfaces eth0 and eth1.
Behind eth1 are the client computers. Behind eth0 is a switch that the internet gateway is connected to.
For the captive portal, all TCP requests to port 80 coming from the clients behind eth1 need to be directed to the local web server.
The following lines seem to work, as the website requests are redirected to the local web server. The problem is that once the authentication line below is used, the client cannot load any regular websites anymore.
I have already searched the internet but haven't found a solution.
PORTAL_INT="eth1"
PORTAL_IP="10.19.1.1"
#'drop' packets from being bridged
ebtables -t broute -A BROUTING -i $PORTAL_INT -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
iptables -N internet -t mangle
iptables -t mangle -A PREROUTING -j internet
#authenticated
#iptables -t mangle -I internet 1 -m mac --mac-source $CLIENT_MAC -j RETURN
#mark all traffic
iptables -t mangle -A internet -j MARK --set-mark 99
#redirect website access
iptables -t nat -A PREROUTING -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination $PORTAL_IP
iptables -t filter -A FORWARD -m mark --mark 99 -j DROP
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -m mark --mark 99 -j DROP

iptables - remove packet mark on certain packets

I am using the following iptables script to redirect packets on port 443 to a proxy server:
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 2
I am redirecting it to my proxy server later on, which is working. For one host, however, I need to remove the iptables mark (i.e. its packets will not be redirected). I tried the following:
iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.47 --dport 443 -j ACCEPT
I have also tried (attempting to rewrite the mark to a different number):
iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.47 --dport 443 -j MARK --set-mark 1
However, none of them are working. Is there a --remove-mark? I couldn't find anything on Google.
Any help would be appreciated.
When using the MARK target, the mark is added as a bitmask. If you check the documentation, there's an optional [/mask] for the mark.
So use "--set-mark 0/2" to remove 2.
I figured it out. I used the following:
iptables -t mangle -A PREROUTING -p tcp ! -s 192.168.0.47 --dport 443 -j MARK --set-mark 2
This marks it so that it doesn't mark the host in the first place.