Test/configure all NAT scenarios (full cone, port restricted, etc.) using iptables / ethernet / loopback interface - iptables

What I am trying to Achieve:
Test/configure all NAT scenarios (full cone, port restricted, etc.) using (1) iptables, (2) the ethernet interface, (3) the loopback interface (using only one machine)
Setup: I am running one VM on a Linux box and performed the following configuration:
Linux box IP: 192.168.0.4
Linux box VirtualBox gateway IP: 192.168.56.1
STUN server running on the Linux box, bound to 192.168.56.1 (primary) and 192.168.0.4 (secondary)
STUN client running on the VM (hosted on the above Linux box) at 127.0.0.1:2000, with iptables rules configured to forward loopback-interface traffic to the ethernet interface (192.168.56.102) and vice versa.
Expected result
I should be able to configure each NAT simulation via iptables on the ethernet/loopback interfaces, with the STUN server running on the host and the STUN client running on the VM, and the client should report the type of NAT.
Actual result
iptables does nothing with the packets going in/out of the loopback interface.
The socket sendto call fails with "error 22 invalid argument", because the socket is bound to 127.0.0.1:2000 and the destination address is 192.168.56.1.
In short:
[Loopback interface (127.0.0.1:2000, running STUN client, VM) --> [iptables rules to/from] <-- Ethernet interface (VM, 192.168.56.102:2000) ==> || ==> HOST (gateway 192.168.56.1:3478, running STUN server)]
Example rules:
sudo iptables -t nat -A POSTROUTING -o eth0 -p udp --source 127.0.0.1 --sport 2000 -j SNAT --to-source 192.168.56.102
sudo iptables -t nat -A POSTROUTING -o eth0 -p tcp --source 127.0.0.1 --sport 2001 -j SNAT --to-source 192.168.56.102
sudo iptables -t nat -A PREROUTING -i eth0 -p udp --destination 192.168.56.102 --dport 2000 -j DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --destination 192.168.56.102 --dport 2000 -j DNAT --to-destination 127.0.0.1
It seems iptables doesn't pick up packets from the loopback interface.
References: http://www.linuxquestions.org/questions/linux-networking-3/iptables-redirect-127-0-0-1-to-192-168-1-113-a-818817/
Please let me know if anybody can help with this.
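Added example (not from the question above and not the poster's configuration): a small shell script that emits the iptables rule sets for the NAT types a STUN test distinguishes, for a Linux box sitting between the STUN client and the STUN server. The interface names and addresses (eth1/10.0.0.2 inside, eth0/203.0.113.1 outside, client port 2000) are assumptions. Two facts explain why the loopback approach in the question cannot work and why the NAT is put on a separate hop instead: the kernel will not route a packet whose source is 127.0.0.1 out of a non-loopback device (that is the sendto() EINVAL), and packets generated on the host itself never traverse the nat PREROUTING chain, their NAT decision is made in nat OUTPUT. The DNAT to 127.0.0.1 in the rules above is additionally dropped as a martian on the receiving side unless net.ipv4.conf.eth0.route_localnet=1 (Linux 3.6 and later). On a single physical machine the inside host can be a VM or a network namespace behind the gateway. With stock netfilter, plain SNAT gives port-restricted cone behaviour, SNAT --random gives symmetric behaviour, and a fixed-port SNAT paired with a DNAT of that port back to the client gives full cone; address-restricted filtering is not expressible without a third-party NAT target, so the script refuses it.

```shell
#!/bin/sh
# Added example, not code from the original post: emit the iptables rules that make a
# Linux gateway behave like one of the STUN NAT types (RFC 3489 names).
# Assumed topology (addresses are assumptions, not from the post):
#   $INT_IF (eth1): inside, STUN client $CLIENT = 10.0.0.2 sending from UDP port $PORT
#   $EXT_IF (eth0): outside, gateway's public address $EXT_IP = 203.0.113.1
INT_IF=${INT_IF:-eth1}
EXT_IF=${EXT_IF:-eth0}
CLIENT=${CLIENT:-10.0.0.2}
EXT_IP=${EXT_IP:-203.0.113.1}
PORT=${PORT:-2000}

# Rules every variant needs: routing enabled, inside->outside allowed, replies back.
common_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $CLIENT -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# nat_rules <type>: print the variant-specific rules; exit status 1 for a type that
# stock netfilter cannot express, 2 for an unknown type.
nat_rules() {
    case "$1" in
    port-restricted)
        # Plain SNAT: conntrack keeps the client's source port when it is free
        # (endpoint-independent mapping) but only lets back packets from the exact
        # remote address:port the client sent to (address-and-port-dependent filtering).
        echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $CLIENT -j SNAT --to-source $EXT_IP"
        ;;
    symmetric)
        # --random picks the external port from a hash that includes the remote
        # endpoint, so every destination sees a different mapping.
        echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $CLIENT -j SNAT --to-source $EXT_IP --random"
        ;;
    full-cone)
        # Pin the outbound mapping to a fixed external port and forward that port back
        # to the client from any source, so any host can reach it once it is open.
        echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $CLIENT -p udp --sport $PORT -j SNAT --to-source $EXT_IP:$PORT"
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -p udp -d $EXT_IP --dport $PORT -j DNAT --to-destination $CLIENT:$PORT"
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p udp -d $CLIENT --dport $PORT -j ACCEPT"
        ;;
    address-restricted)
        # conntrack filters on the full 5-tuple; a "same address, any port" filter
        # is not available without a third-party NAT target.
        echo "nat_rules: address-restricted filtering is not expressible with stock SNAT/conntrack" >&2
        return 1
        ;;
    *)
        echo "usage: nat_rules {port-restricted|symmetric|full-cone}" >&2
        return 2
        ;;
    esac
}

# Print the rule set, or run it when invoked as root with APPLY=1.
main() {
    rules=$(common_rules; nat_rules "${1:-port-restricted}") || return $?
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        printf '%s\n' "$rules" | while IFS= read -r cmd; do $cmd || exit 1; done
    else
        printf '%s\n' "$rules"
    fi
}
main "$@"
```

Without APPLY=1 the script only prints the rules (sh nat-types.sh symmetric), which is the form worth reviewing before anything is installed; as root with APPLY=1 it runs them, after which a STUN client on the inside host should report the chosen type.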

Related

AWS ubuntu iptable port forwarding between its two interfaces

I have an AWS ubuntu instance with the following network interfaces:
ens5, ip: 172.XX.XX.XX
A5TAP, ip:192.168.233.1 (VPN)
How do I forward UDP ports 10000-10200 to 192.168.233.52:10000-10200?
I tried the obvious commands below for a single port, 10009, but it is not working:
sudo iptables -t nat -A PREROUTING -p udp --dport 10009 -j DNAT --to-destination 192.168.233.52:10009
sudo iptables -t nat -A POSTROUTING -p udp -d 192.168.233.52 --dport 10009 -j SNAT --to-source 172.XX.XX.XX
sudo iptables -t nat -L -n
What I tried so far:
I am trying to forward all UDP traffic arriving on port 10009 of ens5 to 192.168.233.52 on A5TAP:
172.XX.XX.XX:10009 -> 192.168.233.52:10009
The udp stream is a video stream.
I followed this tutorial, but it is not working: when I send the UDP stream to 172.XX.XX.XX:10009, no video shows.
If I run sudo tcpdump -i ens5 -n udp port 10009:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), capture size 262144 bytes
14:08:51.035226 IP 59.XXX.XXX.XXX.46696 > 172.XX.XX.XX.10009: UDP, length 1400
14:08:51.035703 IP 59.XXX.XXX.XXX.46696 > 172.XX.XX.XX.10009: UDP, length 510
(and so on....)
That means my AWS instance is receiving the video stream from my machine.
But when I run sudo tcpdump -i A5TAP -n udp port 10009, there is no traffic.
If I join the machine sending the video stream to the A5TAP VPN and send the UDP stream to 192.168.233.52:10009, I can see the stream.
Thanks to maxstr's answer, the port forwarding between interfaces on the same machine worked:
sudo tcpdump -i A5TAP -n udp port 10009:
07:45:53.701800 IP 192.168.233.1.49538 > 192.168.233.52.10009: UDP, length 700
I believe what you want is the following:
sudo iptables -t nat -A OUTPUT -p udp --dport 10009 -j DNAT --to-destination 192.168.233.52:10009
because the PREROUTING chain will not be in the path of local outbound traffic. OUTPUT will.

SSH tunnel <--> iptables NAT port forwarding - HOWTO?

I need to set up access to the HTTP(S) servers on devices like KVMs and PDUs on a private network (192.168.0.0/24). To get there I must cross an isolated network (10.0.0.0/8) limited to ports 22 and 443. I have a dual-NIC Linux server inside that network that serves as a gateway to the private network. See the diagram here:
Network Diagram
I need to use a forward SSH tunnel to get to the Linux gateway, then use iptables NAT to route HTTP(s) traffic to the web frontends on the devices.
I've observed with both tcpdump and iptables trace that the inbound HTTP(s) request through the SSH tunnel shows up on interface lo , not eth1 as one might expect.
This has led me to come up with the following nat and filter rules:
*nat
-A PREROUTING -i lo -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.100:80
-A PREROUTING -i lo -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.0.101:443
-A POSTROUTING -d 10.0.0.0/8 -o lo -j SNAT --to-source <10.gateway_IP>
COMMIT
*filter
:INPUT ACCEPT [37234:5557621]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26648:27864039]
-A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
So, I set up the tunnel with:
ssh -L 8080:<gateway>:8080 <user>@<gateway>
Then making sure on the gateway:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
and then open http://localhost:8080.
The packets make it out of the tunnel onto the gateway via interface lo, but iptables doesn't seem to forward them to the destination in the PREROUTING rule; the tunnel's stderr reports "Connection refused."
What am I missing?
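Added example, serving both the AWS question and answer above and this SSH-tunnel question (not code from either post): a shell function that emits the DNAT rule pair for a dual-homed gateway, covering the two origins a forwarded connection can have. The nat table sees only the first packet of a connection, and where that packet enters decides which nat chain evaluates it: a packet arriving from another host is evaluated in PREROUTING; a packet the gateway generates itself (sshd serving an ssh -L tunnel, or a local sender) is evaluated in OUTPUT and never sees PREROUTING, whatever interface it later appears on. The interface names eth0 (clients) and eth1 (targets) are assumptions; set EXT_IF=ens5 INT_IF=A5TAP for the AWS layout. For the SSH case note that ssh -L 8080:192.168.0.100:80 <user>@<gateway> makes sshd on the gateway open the connection to the device directly and needs no NAT at all; the DNAT route below is for when the forwarded port must stay fixed on the gateway.

```shell
#!/bin/sh
# Added example, not code from either post. Rules for port forwarding on a dual-homed
# Linux gateway when the forwarded connection may originate on another host (it arrives
# on $EXT_IF) or on the gateway itself (for instance sshd answering an "ssh -L" tunnel,
# or a local sender). Interface names are assumptions.
EXT_IF=${EXT_IF:-eth0}   # where client / Internet traffic arrives
INT_IF=${INT_IF:-eth1}   # where the target host lives

# dnat_rules <proto> <port-or-range> <target-ip> [<target-port>]
#   <port-or-range> is iptables syntax: 8080 or 10000:10200. Without <target-port> the
#   original destination port is kept, so a range maps 1:1 onto the target's ports.
dnat_rules() {
    proto=$1; port=$2; target=$3; tport=${4:-}
    dest=$target
    if [ -n "$tport" ]; then dest="$target:$tport"; fi
    # Connections from other hosts: nat PREROUTING, evaluated before the routing decision.
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p $proto --dport $port -j DNAT --to-destination $dest"
    # Connections the gateway itself opens never pass PREROUTING; their DNAT decision is
    # made in nat OUTPUT, after which the kernel re-routes the packet out $INT_IF.
    # "-o lo" limits this to connections addressed to the gateway's own addresses. The
    # socket must use a non-loopback local address: a packet whose source is 127.0.0.1
    # cannot be routed out a physical interface after the rewrite.
    echo "iptables -t nat -A OUTPUT -o lo -p $proto --dport $port -j DNAT --to-destination $dest"
    # Make the target answer to the gateway's $INT_IF address, so replies come back through
    # conntrack even when the target has no route to the original source.
    echo "iptables -t nat -A POSTROUTING -o $INT_IF -p $proto -d $target -j MASQUERADE"
    # Forwarded flow through the filter table; replies are matched by conntrack state.
    echo "iptables -A FORWARD -o $INT_IF -p $proto -d $target -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $INT_IF -s $target -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Full rule set for the two cases on the page (the target addresses are the posts' own).
page_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # UDP video stream, ports 10000-10200, to a VPN peer (AWS post)
    dnat_rules udp 10000:10200 192.168.233.52
    # HTTP(S) web frontends reached through an ssh -L tunnel (SSH tunnel post)
    dnat_rules tcp 8080 192.168.0.100 80
    dnat_rules tcp 8081 192.168.0.101 443
}
page_rules
```

The script only prints the rules; pipe its output through sh as root to install them. Both DNAT lines are emitted for every port on purpose: the same tcpdump that shows the packet on lo in the SSH case shows it on ens5 in the AWS case, and only the matching chain will ever rewrite it.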

iptables: forward a single IP/Port to one interface, everything else to another

I am running Ubuntu 16.04 as a wifi hotspot and to share a VPN connection.
eth0 is on subnet 10.10.10.x
tun0 is on subnet 10.9.0.x
wlan0 is on subnet 10.10.11.x
I am able to share the VPN connection with the following rule...
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
... so any wired devices using the Ubuntu box as their gateway can share the VPN.
I am also forwarding all traffic on the wireless interface through the VPN and allowing return traffic with the following...
iptables -A FORWARD -i tun0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o tun0 -j ACCEPT
So far, so good.
But I want all traffic on port 32400 to be forwarded to eth0 instead, specifically to IP 10.10.10.20 (and of course allow return traffic).
With my current setup, my wireless connections on wlan0 cannot see the subnet of eth0.
How can I achieve this? I am fine with either forwarding all traffic on port 32400, or forwarding everything for a single IP (e.g. 10.10.11.200 on wlan0) to 10.10.10.20 (eth0).
I've tried both the port forwarding and the IP forwarding but can't seem to get either working, as I'm not sure of the method nor the correct syntax.
Thanks in advance for advice.
These rules should do the trick, assuming the destination port is the same 32400 (but I'm not sure about the order relative to your other rules):
iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 10.10.10.20:32400
iptables -t nat -A POSTROUTING -p tcp -d 10.10.10.20 --dport 32400 -j SNAT --to-source 10.10.11.200

Forward traffic on specific network interface to specific host

This machine has two interfaces, eth0 and eth1. There is a default gateway on eth0:
Destination Gateway Genmask Flags Metric Ref Use Iface
default 10.0.2.1 0.0.0.0 UG 0 0 0 eth0
10.0.2.0 * 255.255.255.0 U 0 0 0 eth0
10.0.2.0 * 255.255.255.0 U 0 0 0 eth1
I need to set up rules with iptables to proxy all incoming traffic on eth1 to 10.0.1.1.
Note that eth0 is associated with a static IP address 10.0.2.2 while eth1 is dynamic.
There is a guide on port forwarding with netfilter that explains how to do this in a slightly simpler setup, but I can't figure out how to go from their example to mine.
Building upon the link you supplied, with the exception of using the conntrack module rather than the state module:
# Activate forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Forward packets coming in from the outside
iptables -t nat -A PREROUTING -p tcp -i eth1 -j DNAT --to-destination 10.0.1.1
# Make responses on the internal network go through the firewall
iptables -t nat -A POSTROUTING -p tcp -d 10.0.1.1 -j SNAT --to-source 10.0.2.2
# Allow forwarded packets
iptables -A FORWARD -p tcp -d 10.0.1.1 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
In order to disable reverse path filtering in the kernel, follow the steps described here. I think that in your case, modifying the value of net.ipv4.conf.eth1.rp_filter to 0 via sysctl would suffice.
Note that this workaround is a bit of a security hole. A better approach would be to change the network structure itself.
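Added example, serving both the hotspot/VPN question above and this two-interface question (not code from either post): shell functions that emit the rules for sending traffic that arrives on one interface to a host behind another interface, either for one port only (32400 to 10.10.10.20) or for everything (eth1 to 10.0.1.1), together with the FORWARD and MASQUERADE rules each case needs and the rp_filter setting the asymmetric second case needs. Loose reverse-path filtering (2) is used rather than turning the check off (0), which is the security hole the answer above refers to. The interface names and addresses are the posts' own; how the functions combine them is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original posts. Selective forwarding on a Linux
# gateway: traffic arriving on one interface is sent to a specific host behind another
# interface (optionally only one port), while everything else follows the normal path
# (here a VPN). Interface names and addresses are the posts' own; the way the functions
# combine them is an assumption.

# fwd_to_host <in_if> <out_if> <host> [<proto> <port>]
#   Without <proto> <port> every connection arriving on <in_if> is redirected to <host>.
fwd_to_host() {
    in_if=$1; out_if=$2; host=$3; match=""
    if [ -n "${4:-}" ]; then match=" -p $4 --dport $5"; fi
    # Rewrite the destination before the routing decision, so the packet is routed
    # towards <out_if> instead of following the default route.
    echo "iptables -t nat -A PREROUTING -i $in_if$match -j DNAT --to-destination $host"
    # The redirected flow now crosses <in_if> -> <out_if>; an existing
    # "-i <in_if> -o tun0 -j ACCEPT" rule does not cover it, so allow it explicitly.
    echo "iptables -A FORWARD -i $in_if -o $out_if$match -d $host -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $out_if -o $in_if -s $host -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Present the gateway's own <out_if> address as the source, so <host> replies to the
    # gateway even if it has no route back to the clients' subnet.
    echo "iptables -t nat -A POSTROUTING -o $out_if -d $host -j MASQUERADE"
}

# default_via <in_if> <out_if>: everything else from <in_if> leaves through <out_if>.
default_via() {
    echo "iptables -A FORWARD -i $1 -o $2 -j ACCEPT"
    echo "iptables -A FORWARD -i $2 -o $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE"
}

# rp_filter_loose <if>: when the source of a packet arriving on <if> would be routed out
# a different interface, strict reverse-path filtering (1) drops it. Loose mode (2) still
# rejects sources with no route at all, unlike 0, which disables the check. The kernel
# uses the higher of conf.all and conf.<if>, so setting the interface value is enough.
rp_filter_loose() {
    echo "sysctl -w net.ipv4.conf.$1.rp_filter=2"
}

# Hotspot/VPN box from the first post: port 32400 to the wired host, the rest via tun0.
# Specific rules go first; a later catch-all never sees a packet that an earlier rule
# already accepted or rewrote.
hotspot_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    fwd_to_host wlan0 eth0 10.10.10.20 tcp 32400
    default_via wlan0 tun0
}

# Dual-interface box from the second post: everything arriving on eth1 goes to 10.0.1.1,
# which is reached through eth0's gateway, hence the rp_filter change on eth1.
proxy_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    rp_filter_loose eth1
    fwd_to_host eth1 eth0 10.0.1.1
}

hotspot_rules
echo
proxy_rules
```

Both rule sets are printed rather than applied; run the one you need through sh as root. For the hotspot case the MASQUERADE towards eth0 replaces the SNAT to 10.10.11.200 in the answer above: the source must become an address the gateway owns on eth0, otherwise 10.10.10.20's replies depend on it having a route to the wireless subnet through the gateway.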

How to access Seafile server in a virtual machine through IPtables?

I have installed Seafile server 3.0.4 64-bit on Ubuntu Server 14.04 with the default port settings (i.e. 8000, 8082, 10001, 12001) but fail to access the instance with the client.
Infrastructure
The Ubuntu-server is running as a KVM machine on a Gentoo host.
Iptables rules
After some time I added the following iptables rules to the host machine (Gentoo), which seem to match Seafile's requirements:
#Iptables-Rules for Seafile
iptables -A INPUT -p tcp -m multiport --dports 8000,8082,10001,12001 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 8000,8082,10001,12001 -m state --state ESTABLISHED -j ACCEPT
However I'm still unable to connect, even with telnet, to the Seafile server either from the Internet or from the host machine.
Update: the issue might be related to fail2ban
As I'm using NAT to link my virtual machine to my host, I had to edit the rules as follows to get it to work:
#Iptables-Rules for Seafile
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10001 -j DNAT --to 192.168.8.8:10001
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 12001 -j DNAT --to 192.168.8.8:12001
References
Linux Firewall Tutorial: IPTables Tables, Chains, Rules Fundamentals