Route all traffic with iptables to external proxy - iptables

i would like to route all http/https/other ports traffic which is coming from pc1 to pc2, pc2 should route that to an external proxy that I would like to be able to set at pc2.
my current config is:
pc1 (eth0 / 192.168.0.1, Gateway: 192.168.0.2) -> pc2 (eth0 / 192.168.0.2)
pc2 has to nics, eth0 and eth1. eth1 is the WAN connection.
in summary, eth1 #pc2 should be able to route incoming traffic from eth0 to a proxy server.
what I've tried:
sysctl -w net.ipv4.conf.all.forwarding=1
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp -o eth1 --dport 80 -j DNAT --to proxy:3128
i'm able to ping pc2, but that was it unfortunately already. I'm new with iptables, thanks for your help.


There is a guide about setting up a transparent proxy with squid that seems like it might have some useful information. It seems to have some different methods that could be adapted to solve your problem.
Most OS distributions also have guides and tutorials for using iptables and routing as well as the particular semantics for your OS of choice. I have used the guides with Ubuntu help and CentOS in the past and they were very helpful when I was first learning to use iptables.

Related

Remote access to Huawei E3372 WebInterface on headless RaspberryPi

I'm trying to (remotely) connect to the E3372's (Huawei LTE stick) WebInterface...
The E3372 is recognised by my RaspberryPi as "12d1:14dc Huawei Technologies Co., Ltd." - so it seems to be in HiLink-mode. Good.
using
> ifconfig
I see that the stick uses eth1 / 192.126.8.100
and the WebInterface's web-server is supposed to run on 192.168.8.1...
To verify this, on the Pi (from PC using ssh to eth0 with a DHCP-assigned IP-address of 192.168.10.123) I can e.g. query (read) the starting-page of the E3372's WebInterface using:
> curl 192.168.8.1/html/home.html
...so obviously the web-server is up-and-running!
Now I try to forward connections on eth0's port=80 (192.168.10.123:80) to 192.168.8.1:80, so I can then access the WebInterface from an external PC connected to the Pi's eth0; so I:
1) enable ip4-port-forwarding:
> sudo nano /proc/sys/net/ipv4/ip_forward
--> and change the '0' to '1'
2) use iptables to set the appropriate forwarding:
> sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.8.1:80
> sudo iptables -A FORWARD -p tcp -d 192.168.8.1 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Now using a browser on the PC with the URL "http://192.168.10.123" yields (after some seconds): "This site can’t be reached"...
please help! what's wrong here???
Thanks for helping!

iptables: forward a single IP/Port to one interface, everything else to another

I am running ubuntu 16.0.4 as a wifi hotspot and to share a vpn connection.
eth0 is on subnet 10.10.10.x
tun0 is on subnet 10.9.0.x
wlan0 is on subnet 10.10.11.x
I am able to share the vpn connection with the following rule...
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
... so any wired devices using the ubuntu box as its gateway can share the vpn.
I am also forwarding all traffic on the wireless interface through the vpn and allowing returning traffic with the following...
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
So far, so good.
But, I want all traffic on port 32400 to be forwarded to eth0 instead, specifically IP 10.10.10.20 (and of course, allow return traffic).
With my current setup, my wireless connections on wlan0 can not see the subnet of eth0.
How can I achieve this? I am fine with either forwarding all traffic on port 32400... or forwarding everything for a single IP(e.g. 10.10.11.200 on wlan0) to 10.10.10.20(eth0).
I've tried both the port forwarding and the IP forwarding but cant't seem to get either working as I'm not sure of the method nor the correct syntax.
Thanks in advance for advice.

These rules should do the trick, assuming destination port is the same 32400 (but I'm not sure about the order refering to other your rules)
iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.10.10.20:32400
iptables -t nat -A POSTROUTING -p tcp -d 10.10.10.20 --dport 32400 -j SNAT --to-source 10.10.11.200

Redirecting from outgoing loopback traffic - is it possible?

I have 2 kinds of proxies in my local machine : stunnel and TOR-VPN.
stunnel is listening on port 6666
TOR-VPN is listening on port 9040
I want to get web traffic to go to stunnel first and the output traffic of stunnel go to tor-vpn. This needs double redirecting. is it possible to do it with iptables? I mean by using "table nat chain OUTPUT".
Because as far as I know "table nat chain OUTPUT" cant be called twice.
web traffic = browser listening on 127.0.0.1:6666
these are my rules:
iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports 6666
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner bob -m tcp -j
REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner bob -m udp
--dport 53 -j REDIRECT --to-ports 53
iptables -t filter -A OUTPUT -p tcp --dport 6666 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner bob -m tcp
--dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner bob -m udp
--dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner bob -j DROP
the above rules make stunnel work independently from TOR/VPN.
i mean when browser is set with proxy, no traffic will go through TOR/VPN but if i turn off the proxy in browser, all traffic will go through TOR/VPN.
now i want to let browser have the proxy on and all web traffic go to stunnel first, but outgoing stunnel traffic(outgoing loopback traffic) redirects to TOR/VPN(127.0.0.1:9040)
is it possible ? how can i do that? somehow i mean double redirecting inside system.
Policy of all tables is ACCEPT

Checking that this is what you mean :
You have stunnel bound to port 6666 (localhost:6666) and you have tor bound to 9040 (localhost:9040). You want it so your web traffic will go THROUGH stunnel (so destination is localhost:6666) but the OUTBOUND traffic FROM stunnel (with inbound traffic originally from your client redirected to stunnel) should be DESTINED to tor (localhost:9040) ? Is this correct ?
If so, and I am thinking clearly enough (it is just 7:00 and I've been awake far too many hours for a difficult night), this is indeed possible (the reverse is, too). You need to masquerade the destination address (and indeed port) based on the source (address and port (you don't have to specify both, I might add)). Something like this:
iptables -t nat -I PREROUTING -p tcp --sport 6666 -j DNAT --to-destination 9040
If this is not what you mean (or alternatively I made a typo, am not clear headed or being an idiot in some way (in all cases showing myself to be a user as everyone is!), if any it is probably the latter) then please respond. I'll see about enabling email notification so that I see the response. If I don't, however, I apologise in advance.
As an aside: unless you have a final rule in each CHAIN (not table, just as an fyi: a table is filter, nat (which I specify in the above and indeed it is necessary), etc. and CHAIN is INPUT, OUTPUT, FORWARD and others created by the option -N) you shouldn't have -P ACCEPT ('that which is not explicitly permitted is forbidden' and similar wording - i.e. have DROP). The exception is perhaps OUTPUT (but depends on what you need, in the end). However, when dealing with interface 'lo' you'll want to ACCEPT all traffic always, in any case (i.e. specify -i lo and -o lo, depending on chain, and jump to ACCEPT). Of course, maybe you're behind another device but still best practise to not accept anything and everything! (I should also state that you have different chains per table so yes you can specify different tables but the policy is for the chain IN that table)
Edit: something else: no, you don't have to deal with SNAT when you want DNAT and the reverse is true. Anything to the contrary is a misunderstanding. The reason is you're masquerading the CONNECTION. As the man page shows:
It specifies that the destination address of the
packet should be modified (and all future packets in this connection will also be mangled), and rules should cease being examined.
Edit:
If I understand you (now) you actually have two interfaces involved. Or more specifically you need the following:
You have a service you want encrypted. This is tor. Now, you're using stunnel to do this. To this end you want stunnel to forward traffic to tor. Is this right? If yes, then know that stunnel has the following directives (I actually use similar for something else). Here's a mock setup of a service.
[tor]
accept = 6666
connect = 9040
In addition, just as a note: connect can also be a remote address (remote address implies an external address (with port) or even a certain interface (by IP and also with port) on the system (I use external in the sense of you specify ip and port rather than just a port). Furthermore, accept can specify address (with same rules: ip before the port (except that it is obviously on the local machine so no external IP)). You could explain it, perhaps, as stunnel is where the service would bind to except that the service is stunnel and the service it is encrypting is elsewhere (shortly: the bind(2) call allows specific IP or all IPs on the system, and you're basically configuring stunnel to do this).
(And yes, you're right: the sport should have been dport.)
IF this is not what you need then I do not understand all variables. In that case, if you can elaborate on which interfaces (this includes ports and which service per interface) are involved as well as clients involved (and where they send). Because it is a lot more helpful if others know EXACTLY what you need than infer certain parts. Makes it much easier to solve a problem if you know what the problem is entirely. Maybe I've been dense and I should put together it all (and I admit sleep problems - which I have for a long, long time - does not help that, but...) I haven't, I think.

I found the answer by myself. in my first post, i said something that was completely wrong and because of that, i could not do double redirecting.
i said:
Because as far as I know "table nat chain OUTPUT" cant be called twice
it is wrong and "table nat chain OUTPUT" can be called twice. i dont know what exactly i did 2 months ago that thought "table nat chain OUTPUT" cant be called twice.
this is the tables and chains order when using some services on loopback interface or not:
Without having any services on loopback:
Generated packets on local machine -> nat(OUTPUT) -> filter(OUTPUT) -> wlan(ethernet) interface
With having some services on loopback:
Generated packets on local machine -> nat(OUTPUT) -> filter(OUTPUT) -> loopback interface -> nat(OUTPUT) -> filter(OUTPUT) -> wlan(ethernet) interface
these are my rules to solve the problem:
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 6666 -j REDIRECT --to-ports 6666
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner bob -m tcp -j REDIRECT --to-ports 9040
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner bob -m udp --dport 53 -j REDIRECT --to-ports 53
iptables -t nat -A OUTPUT -d "StunnelServerIp" -o wlan0 -p tcp -j REDIRECT --to-ports 9040
iptables -t filter -A OUTPUT -p tcp -m owner --uid-owner bob -m tcp --dport 9040 -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner bob -m udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -m tcp --dport 6666 -j ACCEPT
iptables -t filter -A OUTPUT -m owner --uid-owner bob -j DROP

Forward traffic on specific network interface to specific host

This machine has two interfaces eth0 and eth1. There is a default gateway on eth0:
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.2.1 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 * 255.255.255.0 U 0 0 0 eth0
10.0.2.0 * 255.255.255.0 U 0 0 0 eth1
I need to set up rules with iptables to proxy all incoming traffic on eth1 to 10.0.1.1.
Note that eth0 is associated with a static IP address 10.0.2.2 while eth1 is dynamic.
There is a guide on port forwarding with netfilter that explains how to do this in a slightly simpler setup, but I can't figure out how to go from their example to mine.

Building upon the link you supplied, with the exception of using the conntrack module rather than the state module:
# Activate forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Forward packets coming in from the outside
iptables -t nat -A PREROUTING -p tcp -i eth1 -j DNAT --to-destination 10.0.1.1
# Make responses on the internal network go through the firewall
iptables -t nat -A POSTROUTING -p tcp -d 10.0.1.1 -j SNAT --to-source 10.0.2.2
# Allow forwarded packets
iptables -A FORWARD -p tcp -d 10.0.1.1 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
In order to disable reverse path filtering in the kernel, follow the steps described here. I think that in your case, modifying the value of net.ipv4.conf.eth1.rp_filter to 0 via sysctl would suffice.
Note that this workaround is a bit of a security hole. A better approach would be to change the network structure itself.

TFTP-Server with different instances

I'm trying to create an tftp server for multiple sites. The server have just one ip address (10.10.1.69), but have to handle more than one tftp "instance".
At the moment I've installed atftpd with two services in rlinetd an two seperated ports (6901 / 6902).
My phones are looking at port 69 (unchangeble). Those from site A (10.10.40.0/24) and those from site B (10.10.41.0/24).
How can I split this udp traffic reffering to the source-ip-range to one or the other port?
Thanks in advance

Solution found ... via iptables.
iptables -t nat -A PREROUTING --src 10.10.40.0/24 -i eth0 -p udp --dport 69 -j REDIRECT --to-port 6901
iptables -t nat -A PREROUTING --src 10.10.41.0/24 -i eth0 -p udp --dport 69 -j REDIRECT --to-port 6902
Thanks for listening ;)