LinuxQuestions.org

Linux - Networking: IP Forwarding (how to with iptables)? (https://www.linuxquestions.org/questions/linux-networking-3/ip-forwading-how-to-with-iptables-876872/)

san_patil 04-24-2011 09:47 PM

IP Forwarding (how to with iptables)?
 
We are stuck big time with IP forwarding where we have to use iptables. Any advice will be appreciated.

Setup
Machine A --> Machine B -->Machine C

- Machine A connects with Machine B on the "internal network"
- Machine B has 2 NICs (and two IP addresses), one connected to Machine A (internal network) and one connected to Machine C (external network)

We need all traffic coming from Machine A which flows to Machine B on port 60 to be directed/forwarded to Machine C (port 60).
Not allowed to configure Machine B as a gateway. Things work with the rinetd program when we do a TCP redirect from Machine B port 60 to Machine C (port 60).

But we are just unable to make it work with iptables rules. We tried the following, but in vain:

iptables -t nat -A PREROUTING -s Machine_A -d Machine_C -p tcp --dport 60 -j DNAT --to-destination Machine_C .6:60
/sbin/iptables -A FORWARD -i Machine_B -o Machine_C -p tcp --dport 60 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Any valued inputs?

jschiwal 04-24-2011 11:41 PM

Could you explain where Machine C is? What is between B and C? Because it looks like you can use forwarding instead of NAT.

grzesiek 04-25-2011 06:20 AM

Code:

/sbin/iptables -A FORWARD -i Machine_B -o Machine_C -p tcp --dport 60 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Should it not be?
Code:

/sbin/iptables -A FORWARD -i Machine_A -o Machine_C -p tcp --dport 60 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

san_patil 04-25-2011 10:02 AM

>>What is between B and C? Because it looks like you can use forwarding instead of NAT.
Setup for Clarity:
Machine A
IP address: i.i.i.1

Machine B has 2 IP
Internal IP: i.i.i.2 (on another NIC)
External IP: x.x.x.1 (on one NIC)

Machine C
IP address: x.x.x.2

Machine B and Machine C are in the same network (intranet), where Machine B can connect to Machine C only via its external IP (x.x.x.x).
Machine B and Machine A are in an internal private network, where Machine B can connect to Machine A only via its internal IP (i.i.i.i).

Machine A <i.i.i.1> <--> Machine B <i.i.i.2>:60 <---> Machine B <x.x.x.1> <---> Machine C <x.x.x.2>:60

Basically, forward the auditd log from Machine A in the internal network to auditd (port 60) on Machine C in the external network via Machine A.

We tried the rinetd-equivalent rules given below, but in vain.
http://www.debian-administration.org/articles/595

# shell variable assignments must not have a space after the "=" (otherwise the value is run as a command)
YourIP=i.i.i.1
YourPort=60
TargetIP=x.x.x.2
TargetPort=60

iptables -t nat -A PREROUTING --dst $YourIP -p tcp --dport $YourPort -j DNAT \
--to-destination $TargetIP:$TargetPort
iptables -t nat -A POSTROUTING -p tcp --dst $TargetIP --dport $TargetPort -j SNAT \
--to-source $YourIP
iptables -t nat -A OUTPUT --dst $YourIP -p tcp --dport $YourPort -j DNAT \
--to-destination $TargetIP:$TargetPort

Any advice?

san_patil 04-27-2011 10:15 PM

Following is what worked for me, for others' benefit.
Step 1:
The network interface of the internal IP i.i.i.2 (say data0) should be able to send data to the external server (Machine C) via its external IP
(x.x.x.1, whose network interface is ethX0), making sure that the external server is not able to contact the management node's internal IP.

So we need to make sure that on Machine B the two NIC cards are configured such that all data from the internal NIC (data0) can be forwarded
outside via the external NIC (ethX0).

Flush iptables and run the following on Machine B:

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and new connections not coming from the outside
# (make sure this rule does not break contacting the management GUI from the outside world)
# note: the negation goes before the option ("! -i"); "-i !" is the old, deprecated form
iptables -A INPUT -m state --state NEW ! -i ethX0 -j ACCEPT
iptables -A FORWARD -i ethX0 -o data0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the Management node internal IP(interface = data0)
iptables -A FORWARD -i data0 -o ethX0 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o ethX0 -j MASQUERADE

# Don't forward new connections from the outside (ethX0) to the inside (data0).
iptables -A FORWARD -i ethX0 -o data0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

How to make sure the above worked:
ping -I <Machine B internal IP> <IP of Machine C, which is the external audit server>
Machine B internal IP = i.i.i.2
Machine C IP = x.x.x.2
e.g.: ping -I i.i.i.2 x.x.x.2 <<This will work only on successful execution of the above rules>>
When this works you can be sure that packets relayed to the management internal IP can be forwarded to the external IP.
To make sure that the external world cannot ping the management node's internal IP, ensure the following:
Go to x.x.x.2 and ping i.i.i.2. If it is unable to ping, we are safe.

Step 2

Forward auditd logs being sent by Machine A (via audisp) to Machine B's internal IP address (network interface = data0) and a predefined port to the external auditd server (Machine C)
on its port 60.
Machine B internal IP = i.i.i.2, port = 6333 (you can take any port as configured for audisp on Machine A)
IP of the external audit server (Machine C) = x.x.x.2, port = 60

Run the below on Machine B:
iptables -t nat -A PREROUTING --dst i.i.i.2 -p tcp --dport 6333 -j DNAT --to-destination x.x.x.2:60
iptables -t nat -A POSTROUTING -p tcp --dst x.x.x.2 --dport 60 -j SNAT --to-source i.i.i.2
iptables -t nat -A OUTPUT --dst i.i.i.2 -p tcp --dport 6333 -j DNAT --to-destination x.x.x.2:60


This makes the following setup work, where Machine B has two IP addresses, one on the internal network and one on the external network:
Machine A <i.i.i.1> <--> Machine B <i.i.i.2>:6333 <---> Machine C <x.x.x.2>:60


How to make sure the above worked for audit log forwarding from Machine A on the internal network to Machine C on the external network:
1. Restart auditd on Machine A (service auditd restart)
2. On Machine A, make sure in /var/log/messages (tail -f /var/log/messages) you see comments like "audisp-remote: Connected to i.i.i.2", which indicates that the audisp on the storage node was able to connect to the management node on the given port
3. auditctl -m "AUDITLOG : Message from Machine A"
4. Check /var/log/audit/audit.log for the above entry on Machine C
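The Step 1 and Step 2 rules above, traced as an added example that is not code from the thread: a small Python model of iptables' first-match traversal of the nat PREROUTING and POSTROUTING chains on Machine B for one audisp connection, using the thread's placeholder addresses and interface names (data0, ethX0) as constructed values. It shows that the MASQUERADE appended in Step 1 sits ahead of the Step 2 SNAT in POSTROUTING, so the SNAT to i.i.i.2 never fires and Machine C sees the connection arriving from x.x.x.1, and that conntrack reverses the translation on the reply, which is why Machine C needs no route to i.i.i.0.

```python
# Added example (not from the thread): toy model of Machine B's nat-table traversal
# under the Step 1 + Step 2 rules, showing what Machine C actually sees.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    out_if: str = ""

# Constructed addresses using the thread's placeholders (assumption).
MACHINE_A, B_INTERNAL, B_EXTERNAL, MACHINE_C = "i.i.i.1", "i.i.i.2", "x.x.x.1", "x.x.x.2"
IFACE_IP = {"data0": B_INTERNAL, "ethX0": B_EXTERNAL}

# (match, target, argument) in the order the posts append them: the Step 1
# MASQUERADE sits in POSTROUTING ahead of the Step 2 SNAT.
PREROUTING = [(lambda p: p.dst == B_INTERNAL and p.dport == 6333, "DNAT", (MACHINE_C, 60))]
POSTROUTING = [
    (lambda p: p.out_if == "ethX0", "MASQUERADE", None),
    (lambda p: p.dst == MACHINE_C and p.dport == 60, "SNAT", B_INTERNAL),
]

def route(p):
    """Toy routing decision: x.x.x.0 is behind ethX0, everything else behind data0."""
    return replace(p, out_if="ethX0" if p.dst.startswith("x.x.x.") else "data0")

def walk(chain, p):
    """First matching terminating target wins, as in a real iptables chain."""
    for match, target, arg in chain:
        if match(p):
            if target == "DNAT":
                return replace(p, dst=arg[0], dport=arg[1]), target
            if target == "SNAT":
                return replace(p, src=arg), target
            return replace(p, src=IFACE_IP[p.out_if]), target  # MASQUERADE
    return p, None

def forward(p):
    """PREROUTING -> routing -> POSTROUTING; returns (translated packet, targets hit)."""
    p, t1 = walk(PREROUTING, p)
    p, t2 = walk(POSTROUTING, route(p))
    return p, [t for t in (t1, t2) if t]

def reply(orig, nat, r):
    """conntrack un-NATs Machine C's reply, so C never needs a route to i.i.i.0."""
    if (r.src, r.sport, r.dst, r.dport) == (nat.dst, nat.dport, nat.src, nat.sport):
        return replace(r, src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)
    return r
```

Running forward() on a packet from i.i.i.1 to i.i.i.2:6333 reports the targets hit as DNAT then MASQUERADE, with the SNAT rule shadowed; a packet to any other port on i.i.i.2 is left untouched and delivered locally.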

