Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am trying to program iptable rules for implementing a 1:1 NAT which does the following:
1. Forward all traffic from all ports on a public ip to a private ip
2. Forward traffic from a range of ports (x-->y) on a public ip, to a private ip
I did some google searches for the same, and came up with the following. I would appreciate it if someone could validate if this is indeed what I need to be doing.
iptables -A FORWARD -t filter -o eth0 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -o eth0 -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
I think it's a bad idea to allow all outbound packets in state NEW. That is, unless that's your intention. Are these forwarded packets going to a client or a server? Or perhaps a client that will be running certain daemons? I'd start out with something like this (example):
Code:
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${ext_interface} -o ${int_interface} -d ${int_ip} \
-p TCP --dport 5700:6890 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i ${int_interface} -o ${ext_interface} -s ${int_ip} \
-p TCP -m multiport --dports 443,80,21 -m state --state NEW -j ACCEPT
...then tighten/loosen the restrictions as desired. In this example ports 5700-6890/TCP are forwarded to the internal host, while said host is only allowed to start outbound connections to the standard HTTPS, HTTP, and FTP ports.
For my 1:1 NAT feature, should I be using the PREROUTING/POSTROUTING sample I posted, or use the original FORWARD sample?
You need both. Your PRE/POSTROUTING looks good, but your FORWARD needs work. I just re-read your post and it seems you're working with two different external IPs. Is that correct? Please elaborate. Also, please explain what outbound packet restrictions you want.
I am working with only "one" external IP. Essentially, I want to achieve the following ...
1. Have rules in my router, which forward all traffic from my public ip (from all ports), to a private ip which is hidden to the external world (but visible to my router)
2. Have rules in my router, which forward traffic from "specific port range" for my public ip, to a private up which is hidden to the external world (but visible to my router)
I do not think I have any restrictions for the outbound packets, except that all public ips should be pingable from this private ip via my router.
Also, when I try and program the prerouting/postrouting part, I do not see the rules in my iptables. Is there any step I miss here?
I am working with only "one" external IP. Essentially, I want to achieve the following ...
1. Have rules in my router, which forward all traffic from my public ip (from all ports), to a private ip which is hidden to the external world (but visible to my router)
2. Have rules in my router, which forward traffic from "specific port range" for my public ip, to a private up which is hidden to the external world (but visible to my router)
Okay, but these two requirements aren't compatible. I mean, if you only want to forward a "specific port range", then you aren't gonna be forwarding "all traffic from my public ip (from all ports)". That's why it sounds like you've got more than one external IP. So if you only have one, you need to decide which of the above you want to achieve.
Quote:
I do not think I have any restrictions for the outbound packets, except that all public ips should be pingable from this private ip via my router.
Okay. After your next reply I think we should be able to offer you some iptables commands.
Quote:
Also, when I try and program the prerouting/postrouting part, I do not see the rules in my iptables. Is there any step I miss here?
Are you specifying that you wish to see the NAT table? Example:
Ok, I am sorry I was not clear, but I provide an option to the user to either give me a port range and a source and destination ip, or just a source and destination ip. Both these count towards my 1-1 NAT user-cases. These are 2 separate cases based on what the user decides to do.
I agree that it might not be possible to do this in 1 command, but I can have branching in my code to make separate calls for either case. How would I go about programming my rules, given this information?
Ok, I am sorry I was not clear, but I provide an option to the user to either give me a port range and a source and destination ip, or just a source and destination ip. Both these count towards my 1-1 NAT user-cases. These are 2 separate cases based on what the user decides to do.
OIC, yeah, that makes sense now.
Quote:
I agree that it might not be possible to do this in 1 command, but I can have branching in my code to make separate calls for either case. How would I go about programming my rules, given this information?
For the first case, you could do:
Code:
iptables -t nat -A PREROUTING -i ${ext_interface} -d ${ext_ip} \
-j DNAT --to-destination ${int_ip}
iptables -t nat -A POSTROUTING -o ${ext_interface} -s ${int_ip} \
-j SNAT --to-source ${ext_ip}
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${ext_interface} -o ${int_interface} -d ${int_ip} \
-m state --state NEW -j ACCEPT
iptables -A FORWARD -i ${int_interface} -o ${ext_interface} -s ${int_ip} \
-m state --state NEW -j ACCEPT
For the second case, you could do:
Code:
iptables -t nat -A PREROUTING -i ${ext_interface} -d ${ext_ip} \
-p TCP --dport ${start_port}:${end_port} \
-j DNAT --to-destination ${int_ip}
iptables -t nat -A POSTROUTING -o ${ext_interface} -s ${int_ip} \
-j SNAT --to-source ${ext_ip}
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${ext_interface} -o ${int_interface} -d ${int_ip} \
-p TCP --dport ${start_port}:${end_port} -m state --state NEW -j ACCEPT
iptables -A FORWARD -i ${int_interface} -o ${ext_interface} -s ${int_ip} \
-m state --state NEW -j ACCEPT
In the second case, you might want to turn the protocol match into a variable also, in case you're letting the user select between TCP and UDP.
Hi, I tried to program the iptable and then run a simple test of trying to ssh the guest vm (and the guest ip i have), via my public ip. (for thr 1-1 NAT case -- all ports)
iptables -t nat -A PREROUTING -i eth2 -d $publicIp -j DNAT --to-destination $guestIp
iptables -t nat -A POSTROUTING -o $eth2 -s $guestIp -j SNAT --to-source $publicIp
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $eth2 -o $eth1 -d $guestIp -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $eth1 -o $eth2 -s $guestIp -m state --state NEW -j ACCEPT
Then, I tried something like:
aj@aj-laptop:~$ ssh root@192.168.30.43
ssh: connect to host 192.168.30.43 port 22: Connection timed out
aj@aj-laptop:~$
I am not really sure as to how to go about debugging this issue. I assume if everything worked fine, I should have been able to ssh into the machine via it's guest ip (10.1.1.2), accessed via the public ip
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.