I'm trying to create an tftp server for multiple sites. The server have just one ip address (10.10.1.69), but have to handle more than one tftp "instance".
At the moment I've installed atftpd with two services in rlinetd an two seperated ports (6901 / 6902).
My phones are looking at port 69 (unchangeble). Those from site A (10.10.40.0/24) and those from site B (10.10.41.0/24).
How can I split this udp traffic reffering to the source-ip-range to one or the other port?
Thanks in advance
Solution found ... via iptables.
iptables -t nat -A PREROUTING --src 10.10.40.0/24 -i eth0 -p udp --dport 69 -j REDIRECT --to-port 6901
iptables -t nat -A PREROUTING --src 10.10.41.0/24 -i eth0 -p udp --dport 69 -j REDIRECT --to-port 6902
Thanks for listening ;)
Related
I am running ubuntu 16.0.4 as a wifi hotspot and to share a vpn connection.
eth0 is on subnet 10.10.10.x
tun0 is on subnet 10.9.0.x
wlan0 is on subnet 10.10.11.x
I am able to share the vpn connection with the following rule...
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
... so any wired devices using the ubuntu box as its gateway can share the vpn.
I am also forwarding all traffic on the wireless interface through the vpn and allowing returning traffic with the following...
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
So far, so good.
But, I want all traffic on port 32400 to be forwarded to eth0 instead, specifically IP 10.10.10.20 (and of course, allow return traffic).
With my current setup, my wireless connections on wlan0 can not see the subnet of eth0.
How can I achieve this? I am fine with either forwarding all traffic on port 32400... or forwarding everything for a single IP(e.g. 10.10.11.200 on wlan0) to 10.10.10.20(eth0).
I've tried both the port forwarding and the IP forwarding but cant't seem to get either working as I'm not sure of the method nor the correct syntax.
Thanks in advance for advice.
These rules should do the trick, assuming destination port is the same 32400 (but I'm not sure about the order refering to other your rules)
iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.10.10.20:32400
iptables -t nat -A POSTROUTING -p tcp -d 10.10.10.20 --dport 32400 -j SNAT --to-source 10.10.11.200
i would like to route all http/https/other ports traffic which is coming from pc1 to pc2, pc2 should route that to an external proxy that I would like to be able to set at pc2.
my current config is:
pc1 (eth0 / 192.168.0.1, Gateway: 192.168.0.2) -> pc2 (eth0 / 192.168.0.2)
pc2 has to nics, eth0 and eth1. eth1 is the WAN connection.
in summary, eth1 #pc2 should be able to route incoming traffic from eth0 to a proxy server.
what I've tried:
sysctl -w net.ipv4.conf.all.forwarding=1
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A OUTPUT -p tcp -o eth1 --dport 80 -j DNAT --to proxy:3128
i'm able to ping pc2, but that was it unfortunately already. I'm new with iptables, thanks for your help.
There is a guide about setting up a transparent proxy with squid that seems like it might have some useful information. It seems to have some different methods that could be adapted to solve your problem.
Most OS distributions also have guides and tutorials for using iptables and routing as well as the particular semantics for your OS of choice. I have used the guides with Ubuntu help and CentOS in the past and they were very helpful when I was first learning to use iptables.
I have an apache webservice running on port 8080 but would like to be able to connect on port 80. However, my unix sysadmin does not allow apache to be started as root nor does she provide access to sudo.
However, she will execute commands on request.
I believe this can be achieved with iptables. Is there a way to map port 80 to 8080 and 443 to 8083 without this sysadmin having to edit any files.
i.e. just using echo with appender >>.
She can do this by running :
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8083
This will make redirection active immediately, but doesn't save it and thus it will not work anymore after a reboot.
It is possible to do this without editing any file at all by using iptables-save. But it depends which linux flavor you're running, and if you use ferm, ufw, or some other firewall management tools.
On RedHat/CentOS, she could just do :
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8083
iptables-save > /etc/sysconfig/iptables
On other OSes variants, YMMV !
I am trying to setup a cloud server as a gateway, which forwards all traffic to my second cloud server. The problem is that the destination server (2nd cloud) only sees the IP address of the first cloud server.
Is it possible to keep the source IP so it would show the IP address of the one connecting to the first cloud server. I have tried removing MASQUERADE, but the connection between cloud #1 -> cloud #2 did not work properly anymore.
-A FORWARD -p tcp -m tcp --dport 25565 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 25565 -j DNAT --to-destination DESTINATIONIP:PORT
-A POSTROUTING -j MASQUERADE
It works with this setup, but does not show the source IP. Have you got any idea on how to not hide the IP that is connecting to the first cloud server?
Thanks
cloud 1 and 2 need to be in same network, a VPN is fine
on cloud1:
-A FORWARD -p tcp -m tcp --dport 25565 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 25565 -j DNAT --to-destination DESTINATIONIP:PORT
-A POSTROUTING -j MASQUERADE
on cloud2, we mark the desired packet with 1, eth0 is the default gateway:
iptables -t mangle -A OUTPUT -o eth0 -p tcp --sport 25565 -j MARK --set-mark 1
you need to manipulate the routing table on cloud2:
edit /etc/iproute2/rt_tables, add the line
1 http
here the manipulation, tun0 is the vpn interface on cloud2:
ip route add default via ip_vpn_cloud1 dev tun0 table http
ip rule add from all fwmark 1 table http
be sure that net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter are set to 1 in /etc/sysctl.conf
With -A POSTROUTING -j MASQUERADE all outgoing forwarded packets will have the source IP of the corresponding outgoing interface.
You should be more specific on the packets you masquerade/SNAT.
I like to create a simple captive portal that works for an interface that is part of a bridge.
The bridge interface br0 (10.19.1.1/16) consists of two interfaces eth0 and eth1.
Behind eth1 are the client computers. Behind eth0 is a switch that has the internet gateway connected to.
For the captive portal, all tcp requests to port 80 coming from the clients behind eth1 need to be directed the local web server.
The following lines seem to work as the website request are redirected to the local web server. The problem is that once the authentication line below is used, the client cannot load any regular websites anymore.
I have already searched the internet but haven't found a solution.
PORTAL_INT="eth1"
PORTAL_IP="10.19.1.1"
#'drop' packets from being bridged
ebtables -t broute -A BROUTING -i $PORTAL_INT -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
iptables -N internet -t mangle
iptables -t mangle -A PREROUTING -j internet
#authenticated
#iptables -t mangle -I internet 1 -m mac --mac-source $CLIENT_MAC -j RETURN
#mark all traffic
iptables -t mangle -A internet -j MARK --set-mark 99
#redirect website access
iptables -t nat -A PREROUTING -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination $PORTAL_IP
iptables -t filter -A FORWARD -m mark --mark 99 -j DROP
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -m mark --mark 99 -j DROP