iptables unable to use same target - iptables

I am unable to use the SAME target under iptables. Can someone help, please?
iptables v1.4.21
Kernel: 3.16.7
iptables -t nat -A POSTROUTING -o eth0 -j SAME --to 1.2.3.4-1.2.3.7
iptables: No chain/target/match by that name.

According to the iptables-extensions man page, the SAME target was superseded by the --persistent flag of the DNAT target:
--persistent
Gives a client the same source-/destination-address for each connection. This supersedes the SAME target. Support for persistent mappings is available from 2.6.29-rc2.

Related

Connect BeagleBone Black to Internet

I am trying to use this tutorial to connect to the internet from the BeagleBone Black: https://elementztechblog.wordpress.com/2014/12/22/sharing-internet-using-network-over-usb-in-beaglebone-black/
The iptables steps do not seem to yield the correct configuration. For example:
iptables --table nat -A POSTROUTING -o wlp2s0 -j MASQUERADE
creates the following configuration:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- localhost/16 anywhere
MASQUERADE all -- anywhere anywhere
Why do I have anywhere as destination when I clearly specify wlp2s0? Can anyone please help?
iptables -t nat -L doesn't seem to show additional information like interfaces.
While it's meant to be for save/restore and machine-readable, I much prefer the output of iptables-save due to its completeness.
In your case this should show you the complete configuration for the "nat" table:
iptables-save -t nat
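To see what `-L` hides, the iptables-save format can be parsed directly. This is an added example, not code from the answer: it parses a constructed sample of `iptables-save -t nat` output for the POSTROUTING chain in the question (the 192.168.7.0/16 source and the negated 10.0.0.0/8 destination are made up) and prints each rule with its in/out interface.

```python
# Added example (not from the original answer): parse iptables-save output so
# that the interface matches hidden by `iptables -t nat -L` become visible.

# Constructed sample of `iptables-save -t nat` output; the 192.168.7.0/16
# source and the '! -d 10.0.0.0/8' match are invented for the example.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.7.0/16 -j MASQUERADE
-A POSTROUTING ! -d 10.0.0.0/8 -o wlp2s0 -j MASQUERADE
COMMIT
"""

# Options whose single argument we record; everything else is skipped.
OPTS = {"-s": "src", "-d": "dst", "-i": "in", "-o": "out",
        "-p": "proto", "-j": "target"}

def parse_iptables_save(text):
    """Return one dict per '-A' line: table, chain, and the matched options."""
    rules, table = [], None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0].startswith("*"):
            table = tokens[0][1:]          # '*nat' -> 'nat'
            continue
        if tokens[0] != "-A":
            continue                       # ':CHAIN POLICY' and 'COMMIT' lines
        rule, negate, i = {"table": table, "chain": tokens[1]}, False, 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":                 # iptables-save puts '!' before the option
                negate, i = True, i + 1
            elif tok in OPTS and i + 1 < len(tokens):
                rule[OPTS[tok]] = ("!" if negate else "") + tokens[i + 1]
                negate, i = False, i + 2
            else:
                i += 1                     # e.g. '-m state --state NEW'
        rules.append(rule)
    return rules

def describe(rule):
    """Render a rule including the fields that -L leaves out (in/out interface)."""
    fields = ["src", "dst", "in", "out", "proto"]
    body = " ".join(f"{f}={rule.get(f, 'any')}" for f in fields)
    return f"{rule['table']}/{rule['chain']}: {body} -> {rule['target']}"
```

Running `for r in parse_iptables_save(SAMPLE): print(describe(r))` shows the second rule bound to `out=wlp2s0`, which `-L` renders only as "anywhere anywhere".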

My whitelist does not allow whistelisted site

Here is my whitelist allowing Wikipedia and rejecting all other sites. Unfortunately this script does not work: I cannot connect to Wikipedia. Why?
Thank you
# Allow incoming traffic from established connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming connections from wikipedia
iptables -A INPUT -s 78.109.84.114 -j ACCEPT
# Allow outgoing connections from wikipedia
iptables -A OUTPUT -s 78.109.84.114 -j ACCEPT
# Drop other incoming connections.
iptables -P INPUT DROP
# Drop any transfer of traffic.
iptables -P FORWARD DROP
I think I got your problem.
Try using iptables -A OUTPUT -d 78.109.84.114 -j ACCEPT instead of
iptables -A OUTPUT -s 78.109.84.114 -j ACCEPT
And if you want to work with the state module then use:
iptables -A OUTPUT -m state --state NEW -d 78.109.84.114 -j ACCEPT
The problem is that you create a rule that says that traffic that goes into the OUTPUT chain with the source address 78.109.84.114 is allowed. But what you want is a rule that allows outgoing traffic to Wikipedia, not from Wikipedia.
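The direction mix-up can be checked with a small model of first-match chain evaluation. This is an added example, not code from the question or the answer; it assumes an OUTPUT policy of DROP (the stated intent of "rejecting all other sites", although the posted script does not set it) and a constructed client address 192.0.2.10, and walks one TCP handshake to 78.109.84.114 through the OUTPUT and INPUT chains with the posted rule and with the answer's `-d` rule.

```python
# Added example (not from the original post): model first-match evaluation of
# the filter chains to show why `-s` on OUTPUT never matches packets sent
# *to* Wikipedia, while `-d` does.
WIKI = "78.109.84.114"
ME = "192.0.2.10"   # constructed address of the client running the whitelist

def matches(rule, pkt):
    """A rule matches when every field it specifies equals the packet's field."""
    return all(pkt.get(k) == v for k, v in rule.items() if k != "target")

def evaluate(chain, policy, pkt):
    """First matching rule decides; with no match the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# The asker's OUTPUT rule: matches packets whose *source* is Wikipedia, which
# never occurs for packets the client itself is sending.
OUTPUT_AS_POSTED = [{"src": WIKI, "target": "ACCEPT"}]
# The answer's fix: match the *destination* instead.
OUTPUT_FIXED = [{"dst": WIKI, "target": "ACCEPT"}]
# The asker's INPUT chain (state ESTABLISHED stands in for ESTABLISHED,RELATED).
INPUT = [{"state": "ESTABLISHED", "target": "ACCEPT"},
         {"src": WIKI, "target": "ACCEPT"}]

def simulate(output_chain, output_policy="DROP"):
    """Walk one TCP handshake to Wikipedia and return each chain's verdict."""
    syn = {"src": ME, "dst": WIKI, "state": "NEW"}
    verdicts = {"syn": evaluate(output_chain, output_policy, syn)}
    if verdicts["syn"] == "ACCEPT":
        # Reply from Wikipedia is part of a connection conntrack already knows.
        synack = {"src": WIKI, "dst": ME, "state": "ESTABLISHED"}
        verdicts["synack"] = evaluate(INPUT, "DROP", synack)
        ack = {"src": ME, "dst": WIKI, "state": "ESTABLISHED"}
        verdicts["ack"] = evaluate(output_chain, output_policy, ack)
    return verdicts

if __name__ == "__main__":
    print("as posted:", simulate(OUTPUT_AS_POSTED))   # SYN dropped on OUTPUT
    print("fixed:    ", simulate(OUTPUT_FIXED))       # handshake completes
```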

iptables does not recognize the --dport argument

I'm trying to set some iptables rules on a Linux Yocto device but this command keeps giving me an error:
# iptables -I INPUT -p tcp --dport ssh -j MYCHAIN
iptables: No chain/target/match by that name.
The problematic argument is "--dport" as the following command works perfectly:
# iptables -I INPUT -p tcp -j MYCHAIN
Researching, I have found similar problems (match, redirect) related to missing kernel modules. If this is my case, how can I know which one it is?

iptables: forward a single IP/Port to one interface, everything else to another

I am running ubuntu 16.0.4 as a wifi hotspot and to share a vpn connection.
eth0 is on subnet 10.10.10.x
tun0 is on subnet 10.9.0.x
wlan0 is on subnet 10.10.11.x
I am able to share the vpn connection with the following rule...
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
... so any wired devices using the ubuntu box as their gateway can share the vpn.
I am also forwarding all traffic on the wireless interface through the vpn and allowing returning traffic with the following...
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
So far, so good.
But, I want all traffic on port 32400 to be forwarded to eth0 instead, specifically IP 10.10.10.20 (and of course, allow return traffic).
With my current setup, my wireless connections on wlan0 cannot see the subnet of eth0.
How can I achieve this? I am fine with either forwarding all traffic on port 32400... or forwarding everything for a single IP (e.g. 10.10.11.200 on wlan0) to 10.10.10.20 (eth0).
I've tried both the port forwarding and the IP forwarding but can't seem to get either working as I'm not sure of the method nor the correct syntax.
Thanks in advance for advice.
These rules should do the trick, assuming the destination port is the same, 32400 (but I'm not sure about the order relative to your other rules):
iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.10.10.20:32400
iptables -t nat -A POSTROUTING -p tcp -d 10.10.10.20 --dport 32400 -j SNAT --to-source 10.10.11.200

Replayed pcap files not detected by iptables

I am facing some problems with tcpreplay. I am running the L-7 filter userspace version on an ATCA-PP81 blade, and I have the following iptables rules:
iptables -A FORWARD -j NFQUEUE --queue-num 0
iptables -t mangle -A PREROUTING -p udp -i eth0 -j NFQUEUE --queue-num 0
iptables -t mangle -A PREROUTING -p tcp -i eth0 -j NFQUEUE --queue-num 0
I am sending pcap files from a computer using tcpreplay, but all the replayed pcap files except those which have a broadcast address were not detected by iptables. I checked it with:
iptables -t mangle -L -v
I tried many ways, including using a cache file as discussed in some of the forums, and everything is in vain. Now I am totally helpless. I would appreciate it if you could reply to my question.
Thanking you in anticipation
regards,
Amlas
It is not possible. This is a tcpreplay limitation.
http://tcpreplay.synfin.net/wiki/FAQ
Can I use IPTables/Traffic Control with tcpreplay?
You can not use iptables/tc on the same box as you run tcpreplay. The only way to use IPTables or Traffic Control (tc) with tcpreplay is to run tcpreplay on a different box and send the traffic through the system running iptables/tc. This limitation is due to how the Linux kernel injects frames vs. reading frames for iptables/tc which makes traffic sent via tcpreplay to be invisible to iptables/tc.