We Keep Coding

How to block all outgoing network traffic, including all broadcast messages (DHCP) with ufw/iptables?

I'm trying to block all outgoing network traffic on ubuntu 20.04 including any broadcast messages from my network interface. My purpose is to block all outgoing network traffic from my host with condition that network interface is on. But all suggested rules and blocking all outcoming traffic do not block broadcast messages such as: DHCP, ARP, IGMPv2, MDNS protocols messages.
How to reproduce this behavior:
Host1 - host with ufw, where I'm trying to block all traffic
Host2 - host with wireshark, which monitors traffic from Host1 by Host1 mac address filter
Host1 and Host2 are in the same LAN;
Host1: no rules in ufw/iptables, network interface eth0 is turned on, default network configuration for eth0 is configured for DHCP (static);
Host1: disable network interface eth0 with manually or with command:
sudo ip link set eth0 down
Host1: Add rules with ufw:
sudo ufw default deny outgoing
sudo ufw deny out to any
Or iptables rules
sudo iptables -P OUTPUT DROP
Host1: Enable ufw:
sudo ufw enable
Host2: Start wireshark, set filter:
eth.addr == <Host1 MAC ADDRESS>
Host1: Enable interface eth0 manually or with command:
sudo ip link set eth0 up
Host2: In wireshark will appear broadcast packets from Host1
Is it possible to block all packets and broadcasting packets too with ufw/iptables?

AWS ubuntu iptable port forwarding between its two interfaces

I have an AWS ubuntu instance with the following network interfaces:
ens5, ip: 172.XX.XX.XX
A5TAP, ip:192.168.233.1 (VPN)
How do I udp port forward port 10000-10200 to 192.168.233.52:10000-10200?
I tried a the obvious commands below for a single port 10009, but it is not working:
sudo iptables -t nat -A PREROUTING -p udp --dport 10009 -j DNAT --to-destination 192.168.233.52:10009
sudo iptables -t nat -A POSTROUTING -p udp -d 192.168.233.52 --dport 10009 -j SNAT --to-source 172.XX.XX.XX
sudo iptables -t nat -L -n
=======What I tried so far:
I am trying to port forward port 10009 all udp traffic to ens5, to 192.168.233.52 in A5TAP:
172.XX.XX.XX:10009 -> 192.168.233.52:10009
The udp stream is a video stream.
I followed this tutorial, but it is not working. As when I shoot the udp stream to 172.XX.XX.XX:10009, no video is showing.
If I do sudo tcpdump -i ens5 -n udp port 10009:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
14:08:51.035226 IP 59.XXX.XXX.XXX.46696 > 172.XX.XX.XX.10009: UDP, length 1400
14:08:51.035703 IP 59.XXX.XXX.XXX.46696 > 172.XX.XX.XX.10009: UDP, length 510
(and so on....)
That means my AWS instance is receiving the video stream from my machine.
But when I do sudo tcpdump -i A5TAP -n udp port 10009, there are no traffics.
If I joined the machine with video stream to A5TAP VPN, and send udp stream to 192.168.233.52:10009, I can see the stream.
Thanks to maxstr's answer, the port forwarding between interfaces in the same machine worked:
sudo tcpdump -i A5TAP -n udp port 10009:
07:45:53.701800 IP 192.168.233.1.49538 > 192.168.233.52.10009: UDP, length 700

I believe what you want is the following:
sudo iptables -t nat -A OUTPUT -p udp --dport 10009 -j DNAT --to-destination 192.168.233.52:10009
because the PREROUTING chain will not be in the path of local outbound traffic. OUTPUT will.

how to create a dynamic port forwarding with several hops?

If we have a following situation:
[laptop] ---- [host1] ---- [host2] ----[target]
where host1 is reachable from the my laptop machine, host2 from host1 and the target from host2 only. We have ssh credentials to both host1 and host2.
We can use the dynamic port forwarding with the following command:
ssh -N -D 127.0.0.1:8282 host1_account#host1
and that will basically create a SOCKS4 that we can use with proxychains so that command will work from the kali device:
proxychains ssh host2_account#host2
How we can make a similar (additional?) dynamic tunnel from host2 to target?

Make sure you're on OpenSSH 7.3 or later, and use SSH's ProxyJump feature: ssh -J host1_account#host1 -D 127.0.0.1:8282 host2_account#host2. That will give you an SSH session on host2, and 127.0.0.1:8282 will proxy traffic out through host2.

ssh_vpn or sockes_proxy set gateway?

I need to secure a VPN via SSH forwarding. How can I do this?
It should work like a proxy socks, but I was not able to find the gateway via socks.

i test in bash comment in best work
after old answer step 4 work with
route add -net [server] netmask 255.255.255.255 gw [real gatway client]
after
ssh -NTCf -w 0:0 [server]
ip link set tun0 up
ip addr add 192.168.123.2/32 peer 192.168.123.1 dev tun0
route add -net 192.168.123.0 netmask 255.255.255.0 gw 192.168.123.2
route add default gw 192.168.123.1
run in server
ip link set tun0 up
ip addr add 192.168.123.1/32 peer 192.168.123.2 dev tun0
arp -sD 192.168.123.2 eth0 pub
if work server with gateway u need nat comment
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

i find Approach with ssh_vpn
this link https://help.ubuntu.com/community/SSH_VPN
https://superuser.com/questions/202310/ssh-vpn-default-gateway-help
set forward in system
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
or
edite /etc/sysctl.conf
no commet "net.ipv4.ip_forward=1"
create ssh-kegen
ssh-keygen
ssh-copy-id root#[des ip server]
edite /etc/ssh/sshd_config
add "PermitTunnel yes"
and
change "PermitRootLogin yes"
restart ssh service
5. ssh -NTCf -w 0:0 [des ip server]
6. to host set ip in tun0 ip with
i
ip link set tun0 ip
ip addr add 10.0.0.100/32 peer 10.0.0.200 dev tun0
to server set tun0 ip
ip link set tun0 up
ip addr add 10.0.0.200/32 peer 10.0.0.100 dev tun0
set route [see des ip ] in host
ip route add [des ip server]/32 via [gatway host]
set defaul route in host
route add defaul gw 10.0.0.100
go to server and set ip table
iptables -P FORWARD ACCEPT
iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE

with iptables forwarding port to other client but with recognition of original sender ip

I have a firewall (based on iptables) at dedicated ubuntu server.
I have several LAN Clients.
At one of my LAN Clients I am running software where I can restrict acces based on IP.
For me it is important that I can restrict that by using WAN IPs so not LAN IPs.
I have configured my firewall so that a/one port is forwarded to a LAN client which work good (solution found at stackoverflow). So far no problems.
However at the LAN client I do not see the IP of external sender but - I think due to the forwarding - the client sees that the packet is coming from my LAN server.
Question is: how to forward a port on my server to another LAN IP with different port, but so that the LAN client recognizes the external IP of the packet.
Lets make it more clear:
server LAN IP: 192.168.1.10
server port: 8080
should be forwarded to:
client LAN IP: 192.168.1.20
client LAN port: 8000
With iptables I have:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -d 192.168.1.10 -j DNAT --to 192.168.1.20:8000
iptables -A FORWARD -p tcp -d 192.168.1.20 --dport 8000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport 8000 -d 192.168.1.20 -j SNAT --to 192.168.1.10
As written that works, but when f.i. someone at IP 88.77.66.55 sends a packet then my LAN client (192.168.1.20) sees that the packet is coming from my LAN server (192.168.1.10) and unfortunately not from 88.77.66.55.
Can I fix that...?

Your last rule is the same as a MASQUERADE rule.
eg:
iptables -t nat -A POSTROUTING --out-interface eth0 -j MASQUERADE
With MASQUERADE or SNAT, you are modifying the source-IP address as it goes through the first server. The 2nd server sees the packet and sends it's response back to that IP, which is then sent back to the client.
However, the server sees request as coming from 192.168.1.10 - because that's where it's coming from.
client > gateway > iptables-router > server (sees .10) > iptables-router > gateway > client
If you remove the MASQUERADE/SNAT, the server sees the real IP, but when it sends the reply, the packet is going to it's default gateway (default route) which is probably your router or a gateway at your data center. The client gets a response back from an IP address it doesn't know about, and doesn't know what to do with it, so it looks like it's not working. Alternatively, the gateway/rputer sees a SYNACK with no associated connection and drops the packet.
client > gateway > iptables-router > server > gateway (DROP) or > client (DROP)
If you want the server to get the real IP of the client, here are two common ways to make it work:
Set the gateway (default route) of the server to the IP address of the iptables machine (ie: the machine you are running these iptables rules on). In this case, the server sends all external traffic (ie: a response to a random IP address from the internet) to the MAC address of the iptables machine, which is waiting for a reply. iptables will send it back to the client. The webserver machine is behind the iptables machine, using the iptables machine as a router.
client > gateway > iptables-router > server(real IP) > iptables-router > gateway > client
Use an HTTP proxy like nginx which will work the same way you have it working now, with the client only seeing the internal .10 address. However, because it's a proxy, it can send an HTTP header like X-Original-IP-Address: 123.456.789.012 containing the real IP address of the client.
client > gateway > iptables-router > server (sees X-Original-IP header) > iptables-router > gateway > client
Best Regards,
Neale

Let us define:
{source address} - packet sender (some remote address)
{interface address} - packet receiver (firewall external address)
{local address} - packet end point receiver local network address
{local gateway} - firewall local address
{proto block} - IP protocols limitation (i.e. -p tcp -m tcp --dport xxxx)
1. If you want the client to see ip address of packet source - do that:
IPTABLES -t nat -A PREROUTING -s {source address} -d {interface address} {proto block} -j DNAT --to-destination {local address}
IPTABLES -A FORWARD -d {local address} -j ACCEPT
Do not forget to make:
echo "1" > /proc/sys/net/ipv4/ip_forward
It will enable packets forwarding.
In this case, your end point will see original ip address, however, it will try to respond to default gateway, if this address is not in local network range, add:
route add {source address} gw {local gateway}
this will tell your endpoint to send packets for {source address} via {local gateway} (or reply back).
2. You do not want endpoint to see original ip address and do not want to modify routing tables, then add
IPTABLES -t nat -A POSTROUTING -s {source address} -j MASQUERADE
In this case, LAN client will see only {local gateway} address.
In any case, do not forget to masquerade all packets that are going from your local network to remote addresses by:
IPTABLES -t nat -A POSTROUTING !-d 192.168.0.0/16 -j MASQUERADE
You want to keep source address and destination address for further processing. In this case, your {local gateway} will be just a part of packet routing and {local address} has to be just a next hop - use policy routing for that.
First, add your own routing table with lower than 252 tag to /etc/iproute2/rt_tables
Then - you can add rule for {source address} directly to rules set or mark packets from {source address} - both methods will lookup your custom routing table for that packets:
ip rule add from {source address} table custom_table
or
iptables -t mangle -A PREROUTING -s {source address} -j MARK --set-mark 1
ip rule add fwmark 1 table custom_table
And then, make {local address} next hop gateway for these packets:
ip route add default via {local address} table custom_table
Of course, POSTROUTING chain will be applied just before packet exit and you can shape your source address if needed.

Just remove last rule (do not do SNAT).
Or restrict SNAT alloving only masquarading of your LAN clients by adding -o eth0 condition (assuming eth0 is external interface):
iptables -t nat -A POSTROUTING -p tcp -o eth0 --dport 8000 -d 192.168.1.20 -j SNAT --to 192.168.1.10