Mangle and mark packets in the same iptables chain - iptables

I want to mangle packets by redirecting them to the NFQUEUE target, but at the same time I want to mark them in the same chain, which is the PREROUTING chain.
To redirect packets to the NFQUEUE target I use:
iptables -t mangle -A PREROUTING -j NFQUEUE --queue-num 0
To mark packets I use (here ICMP is just an example):
iptables -t mangle -A PREROUTING -p icmp -j MARK --set-mark 1
Is there any way to do both manipulations at the same time?
Any help would be very much appreciated!
Thank you!

To solve my problem I used the raw table (which is used in principle to mark packets) to redirect packets and the mangle table to mark them:
iptables -t raw -A PREROUTING -j NFQUEUE --queue-num 0
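As an added example, not from the question or the answer above: the two manipulations can also live in one mangle PREROUTING chain if the rules are ordered correctly. MARK is a non-terminating target, so the packet continues to the next rule after it; NFQUEUE ends the chain traversal, and once userspace returns ACCEPT the packet resumes at the next hook (the next table at this hook point), not at the next rule of the chain. That is also why the raw-table split works: raw PREROUTING runs before mangle PREROUTING. The queue number, the mark value and the --queue-bypass option are this example's choices, and the helper names are its own; the script only prints the commands unless invoked as `apply` by root.

```shell
#!/bin/sh
# Added example, not from the question or the answer above: do both
# manipulations in ONE mangle PREROUTING traversal by ordering the rules.
# MARK is non-terminating, so the packet keeps walking the chain after it;
# NFQUEUE is terminating: when userspace returns ACCEPT the packet continues
# with the next hook (the next table at this hook point), not with the next
# rule of this chain. So the MARK rule has to be listed before NFQUEUE.
# Queue number, mark value and --queue-bypass are this example's choices.
# The mark reaches the queue reader as the NFQA_MARK attribute.

IPT=${IPT:-iptables}
QUEUE_NUM=0
ICMP_MARK=1

# add_rule TABLE CHAIN RULE... : append the rule only if it is not already present
add_rule() {
    ar_table=$1; ar_chain=$2; shift 2
    $IPT -t "$ar_table" -C "$ar_chain" "$@" 2>/dev/null ||
        $IPT -t "$ar_table" -A "$ar_chain" "$@"
}

install_mark_then_queue() {
    # 1. tag ICMP; non-terminating, traversal continues
    add_rule mangle PREROUTING -p icmp -j MARK --set-mark "$ICMP_MARK"
    # 2. hand everything to the queue; --queue-bypass accepts packets instead
    #    of dropping them while no program is bound to the queue
    add_rule mangle PREROUTING -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass
}

# check_order: succeed only if the MARK rule is listed before the NFQUEUE rule
check_order() {
    $IPT -t mangle -S PREROUTING | awk '
        /-j MARK/    && !m { m = NR }
        /-j NFQUEUE/ && !q { q = NR }
        END { exit !(m && q && m < q) }'
}

# Dry run: print the commands instead of running them. -C is reported as
# "rule absent" so that the -A lines show up.
print_only() {
    case "$3" in -C) return 1 ;; esac
    echo "iptables $*"
}

case "${1:-dry-run}" in
    apply)   install_mark_then_queue && check_order && echo "ok: MARK precedes NFQUEUE" ;;
    dry-run) IPT=print_only; install_mark_then_queue ;;
esac
```

Run without arguments to see the two commands in the order they must be loaded; `sh script.sh apply` as root installs them and verifies the order with `iptables -S`.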

Related

execute PREROUTING rules after DNAT jump

I have a VPS behind NAT, so my incoming packets arrive destined to a private address instead of the public one (I cannot change that with the provider).
I also have a service that applies routing rules in iptables PREROUTING (Kubernetes).
What I need is to "fix" the IP address of the incoming packet so the routing logic works correctly with the public IP (changing this to use the private IP breaks other parts of the software at a higher level).
As an example, what I need is that the packet receives a change in destination (DNAT) and then also passes further PREROUTING rules,
i.e.:
iptables -t nat -I PREROUTING 1 -d $PRIVATE_IP -j DNAT --to-destination $PUBLIC_IP
iptables -t nat -I PREROUTING 2 -d $PUBLIC_IP -j $ROUTING_TABLE
iptables -t nat -I PREROUTING 3 -d $PUBLIC_IP -j LOG --log-prefix "LOG PREROUTING " --log-level 7 -m comment --comment " this never happens :( "
but rules 2 and 3 never get triggered. Is there a way to achieve that? Even outside of iptables, if you know how.
Thank you,
Francesco

Is it possible to map 1:1 port range iptables DNAT rules

I want the following rule to forward TCP packets
from 127.0.0.1:32770 to 172.17.0.36:1000
and forward packets from 127.0.0.1:32771 to 172.17.0.36:10001
and forward packets from 127.0.0.1:32772 to 172.17.0.36:10002
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 32770:32771 -j DNAT --to-destination 172.17.0.36:1000-1002
But currently it forwards packets from 127.0.0.1:32770-32771 to any one of 172.17.0.36:1000-1002.
I've struggled a lot to find this and finally found a solution that absolutely works. The command in your case would be:
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 32770:32771 -j DNAT --to-destination 172.17.0.36:1000-1002/32770
Here, 32770 is the base port, and the mapping will start from there; for example:
32770 -> 172.17.0.36:1000
32771 -> 172.17.0.36:1001
Now, let's say the incoming range and outgoing range are not equal:
iptables -t nat -I PREROUTING -p tcp --dport 30000:30199 -j DNAT --to 10.1.1.1:40000-40099/30000
In the above case, the DNAT mapping will wrap around like this:
30000 -> 10.1.1.1:40000
30001 -> 10.1.1.1:40001
...
30099 -> 10.1.1.1:40099
30100 -> 10.1.1.1:40000
30101 -> 10.1.1.1:40001
...
30199 -> 10.1.1.1:40099
The support for base-port based 1:1 port mapping in DNAT was added in 2018.
Please refer to the link below:
http://git.netfilter.org/iptables/commit/?id=36976c4b54061b0147d56892ac9d402dae3069df
I have seen this working in Linux kernel 4.19 and above.
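As an added example, not from the answer above: a small shell model of the base-port mapping, target = MIN + ((dport - BASE) mod range size), which reproduces the two tables above and flags the wrap-around case, where more than one incoming port lands on the same target port (30000 and 30100 both reach 40000, so the backend can no longer tell them apart by port). The function names and the warning are this example's own; it only prints the rule and never loads it.

```shell
#!/bin/sh
# Added example, not part of the original answer: model the base-port DNAT
# mapping so a port-range rule can be sanity-checked before it is loaded.
# With --to-destination IP:MIN-MAX/BASE the kernel picks
#     target = MIN + ((dport - BASE) mod (MAX - MIN + 1))
# so an incoming range larger than the destination range wraps and several
# incoming ports share one target port. Addresses and ranges are the ones
# from the thread; nothing here touches the live ruleset.

# dnat_port BASE MIN MAX DPORT -> target port chosen for DPORT
dnat_port() {
    dp_base=$1; dp_min=$2; dp_max=$3; dp_port=$4
    dp_size=$((dp_max - dp_min + 1))
    echo $(( dp_min + ((dp_port - dp_base) % dp_size) ))
}

# dnat_rule CHAIN LO HI IP MIN MAX -> the iptables command for a 1:1 mapping of
# LO:HI onto IP:MIN-MAX using LO as the base port; warns on stderr when the
# ranges differ in size, because the mapping then wraps.
dnat_rule() {
    dr_chain=$1; dr_lo=$2; dr_hi=$3; dr_ip=$4; dr_min=$5; dr_max=$6
    if [ $((dr_hi - dr_lo)) -ne $((dr_max - dr_min)) ]; then
        echo "warning: ${dr_lo}:${dr_hi} has $((dr_hi - dr_lo + 1)) ports, ${dr_min}-${dr_max} has $((dr_max - dr_min + 1)); mapping wraps" >&2
    fi
    echo "iptables -t nat -A $dr_chain -p tcp -m tcp --dport ${dr_lo}:${dr_hi} -j DNAT --to-destination ${dr_ip}:${dr_min}-${dr_max}/${dr_lo}"
}

# list_collisions BASE LO HI MIN MAX -> one line per target port that more
# than one incoming port maps to: "TARGET: PORT PORT ..."
list_collisions() {
    lc_base=$1; lc_lo=$2; lc_hi=$3; lc_min=$4; lc_max=$5
    lc_p=$lc_lo
    while [ "$lc_p" -le "$lc_hi" ]; do
        echo "$(dnat_port "$lc_base" "$lc_min" "$lc_max" "$lc_p") $lc_p"
        lc_p=$((lc_p + 1))
    done | sort -n | awk '
        { ports[$1] = ports[$1] " " $2; n[$1]++ }
        END { for (t in n) if (n[t] > 1) print t ":" ports[t] }' | sort -n
}

# The two cases from the answer:
dnat_rule DOCKER 32770 32771 172.17.0.36 1000 1001          # equal sizes: no warning
dnat_rule PREROUTING 30000 30199 10.1.1.1 40000 40099        # 200 -> 100 ports: warns
echo "30100 -> $(dnat_port 30000 40000 40099 30100)"          # 40000
list_collisions 30000 30000 30199 40000 40099 | head -n 3
```

The size check is the one worth keeping in a deployment script: the kernel does not complain about a mismatched range, it silently wraps.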

mirroring traffic with iptables doesn't work

I want to mirror specific traffic to IP 192.168.200.1
I use the following solution:
Mirror Port via iptables
However, when I enter the following command, this error occurs:
iptables -I PREROUTING -t mangle -j ROUTE --gw 192.168.200.1 --tee
iptables v1.4.12: unknown option "--gw"
When I replace "--gw" with "-gateway", like this:
iptables -I PREROUTING -t mangle -j ROUTE -gateway 192.168.200.1 --tee
this error occurs:
iptables v1.4.12: multiple -j flag not allowed
Why is this?
Try:
iptables -t mangle -A PREROUTING -j TEE --gateway 192.168.200.1
For that version of iptables, -j ROUTE doesn't work.

Captive Portal for a bridged interface

I would like to create a simple captive portal that works for an interface that is part of a bridge.
The bridge interface br0 (10.19.1.1/16) consists of two interfaces, eth0 and eth1.
Behind eth1 are the client computers. Behind eth0 is a switch that the internet gateway is connected to.
For the captive portal, all TCP requests to port 80 coming from the clients behind eth1 need to be directed to the local web server.
The following lines seem to work, as the website requests are redirected to the local web server. The problem is that once the authentication line below is used, the client cannot load any regular websites anymore.
I have already searched the internet but haven't found a solution.
PORTAL_INT="eth1"
PORTAL_IP="10.19.1.1"
# 'drop' packets from being bridged: in the broute table DROP means "do not
# bridge this frame, hand it to the IP stack instead", so TCP/80 from the
# client side reaches the iptables PREROUTING/INPUT chains
ebtables -t broute -A BROUTING -i $PORTAL_INT -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
iptables -N internet -t mangle
iptables -t mangle -A PREROUTING -j internet
# authenticated: inserted at position 1 so the client leaves the chain before the MARK rule
#iptables -t mangle -I internet 1 -m mac --mac-source $CLIENT_MAC -j RETURN
# mark all remaining traffic
iptables -t mangle -A internet -j MARK --set-mark 99
# redirect website access of marked (unauthenticated) clients to the portal
iptables -t nat -A PREROUTING -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination $PORTAL_IP
# marked clients are not forwarded; locally they only reach the portal and DNS
iptables -t filter -A FORWARD -m mark --mark 99 -j DROP
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -m mark --mark 99 -j DROP

iptables - remove packet mark on certain packets

I am using the following iptables script to redirect packets on port 443 to a proxy server:
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 2
I am redirecting it to my proxy server later on, which is working. For one host, however, I need to remove the iptables mark (i.e., the packets will not be redirected). I tried the following:
iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.47 --dport 443 -j ACCEPT
I have also tried (attempting to rewrite the mark to a different number):
iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.47 --dport 443 -j MARK --set-mark 1
However none of them are working. Is there a --remove-mark? I couldn't find anything on Google.
Any help would be appreciated.
When using the MARK target, the mark is added as a bitmask. If you check the documentation, there's an optional [/mask] for the mark.
So use "--set-mark 0/2" to remove 2.
I figured it out. I used the following:
iptables -t mangle -A PREROUTING -p tcp ! -s 192.168.0.47 --dport 443 -j MARK --set-mark 2
This way it doesn't mark the host in the first place.
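As an added example, not from the question or the answers above: a shell model of the MARK arithmetic the first answer refers to (new mark = (old & ~mask) | (value & mask), with mask 0xffffffff when no /mask is given), the matching -m mark check alongside it, and the rules that keep the exempted host from being marked at all. The thread's values (mark 2, host 192.168.0.47) are reused; the function names are this example's own and it only prints commands, it loads nothing.

```shell
#!/bin/sh
# Added example, not part of the original thread: model what
# MARK --set-mark VALUE[/MASK] does to a packet's fwmark, model the -m mark
# match, and print the rules so that the exempted host is never marked.
# The proxy mark (2) and the host (192.168.0.47) come from the thread; the
# helper functions are this example's own and touch no live ruleset.

MARK_PROXY=2
EXEMPT_HOST=192.168.0.47
MASK_ALL=4294967295        # 0xffffffff: what --set-mark uses when no /MASK is given

# set_mark OLD VALUE MASK -> new fwmark, as xt_MARK computes it:
#   (OLD & ~MASK) | (VALUE & MASK)
set_mark() {
    echo $(( (($1 & ~$3) | ($2 & $3)) & $MASK_ALL ))
}

# mark_matches MARK VALUE MASK -> true when "-m mark --mark VALUE/MASK"
# would match a packet carrying MARK: (MARK & MASK) == VALUE
mark_matches() {
    [ $(( $1 & $3 )) -eq "$2" ]
}

# Rules that never mark the host: the exemption is INSERTED at position 1 so
# it is evaluated before the MARK rule. Appended with -A it would sit after
# the MARK rule, when the mark is already set; RETURN only ends traversal of
# this chain, it does not undo an earlier MARK.
proxy_mark_rules() {
    echo "iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark $MARK_PROXY"
    echo "iptables -t mangle -I PREROUTING 1 -p tcp -s $EXEMPT_HOST --dport 443 -j RETURN"
}

# Alternative from the thread, clearing the bit after it was set: the /MASK
# restricts the change to that bit, so other marks on the packet survive.
clear_proxy_mark_rule() {
    echo "iptables -t mangle -A PREROUTING -p tcp -s $EXEMPT_HOST --dport 443 -j MARK --set-mark 0/$MARK_PROXY"
}

echo "mark 2, --set-mark 0/2 -> $(set_mark 2 0 2)"            # 0: bit cleared
echo "mark 6, --set-mark 0/2 -> $(set_mark 6 0 2)"            # 4: other bit kept
echo "mark 6, --set-mark 1   -> $(set_mark 6 1 $MASK_ALL)"    # 1: whole mark replaced
mark_matches "$(set_mark 2 0 2)" 2 "$MASK_ALL" || echo "'-m mark --mark 2' no longer matches"
proxy_mark_rules
clear_proxy_mark_rule
```

Whether you exempt by rule order (RETURN before MARK) or by clearing the bit afterwards, the redirect rule that checks `-m mark --mark 2` stops matching for that host; the masked form is the one to use when the same packet carries marks for other purposes in other bits.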