LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-20-2017, 05:30 AM   #1
horizn
Iptables forward external IP to local but limited for custom IPs only.


Hi,
I don't know if it is possible to do this in that way, but I'd like to forward an external IP address to a local one (with NAT), but limit its availability to a custom IP or list of IPs. So what I have done so far with success is:
Code:
iptables -A FORWARD -s 0/0 -d 192.168.x.y -j ACCEPT
iptables -A FORWARD -s 192.168.x.y -d 0/0 -j ACCEPT

iptables -t nat -A PREROUTING -s 0/0 -d 1.2.3.4 -j DNAT --to 192.168.x.y
iptables -t nat -A POSTROUTING -s 192.168.x.y -d 0/0 -j SNAT --to 1.2.3.4
So the easiest way should be replacing 0/0 with an IP or a list of IPs; however, in my configuration I have:

Code:
# one line per forwarded host: EXT_IP;LOCAL_IP (text after '#' is a comment)
for i in `cat ${0%$START_FILE}rc.fire_ip_nat | cut -d'#' -f1`
      do
        EXT_IP=`echo $i | cut -d';' -f1`
        LOCAL_IP=`echo $i | cut -d';' -f2`

        iptables -A FORWARD -s 0/0 -d $LOCAL_IP -j ACCEPT
        iptables -A FORWARD -s $LOCAL_IP -d 0/0 -j ACCEPT

        iptables -t nat -A PREROUTING -s 0/0 -d $EXT_IP -j DNAT --to $LOCAL_IP
        iptables -t nat -A POSTROUTING -s $LOCAL_IP -d 0/0 -j SNAT --to $EXT_IP
      done
where $LOCAL_IP and $EXT_IP are defined in another configuration file to avoid repeating the above rules hundreds of times, and the line for each IP looks like: 1.2.3.4;192.168.x.y
Ideally it would be to add something like

Code:
# one line per forwarded host: EXT_IP;LOCAL_IP;SECURE (text after '#' is a comment)
for i in `cat ${0%$START_FILE}rc.fire_ip_nat | cut -d'#' -f1`
      do
        EXT_IP=`echo $i | cut -d';' -f1`
        LOCAL_IP=`echo $i | cut -d';' -f2`
        SECURE=`echo $i | cut -d';' -f3`

        # "all" means no restriction; anything else is a source list
        if [ "$SECURE" != "all" ]; then
            SECURITY="-s $SECURE"
        else
            SECURITY=""
        fi

        iptables -A FORWARD -s 0/0 -d $LOCAL_IP -j ACCEPT
        iptables -A FORWARD -s $LOCAL_IP -d 0/0 -j ACCEPT

        iptables -t nat -A PREROUTING -s 0/0 -d $EXT_IP -j DNAT --to $LOCAL_IP
        iptables -t nat -A POSTROUTING -s $LOCAL_IP -d 0/0 -j SNAT --to $EXT_IP
      done
and then modify each line in the configuration file by adding ;all or defining IPs there so it looks like: 1.2.3.4;192.168.x.y;5.5.5.5/32,6.6.6.6/32,12.12.12.0/24. But how to do it for both source "-s" and destination "-d"?
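One way to apply the third field on both sides, as an added example that is not the original poster's script: the SECURE list goes on -s for the rules carrying traffic to the local host (DNAT and FORWARD in) and on -d for the FORWARD rule carrying it back, using iptables' support for comma-separated address lists on -s/-d (each expands into one rule per address). The config layout, sample line and the print-instead-of-run style are assumptions taken from the post above.

```shell
#!/bin/sh
# Added example, not the original poster's script: emit the four rules for one
# "EXT_IP;LOCAL_IP;SECURE" line, applying SECURE as -s on the way in and as -d
# on the way back. Commands are printed for review instead of executed (pipe
# the output to sh to apply). Relies on iptables accepting a comma-separated
# list for -s/-d, which it expands into one rule per address.

# Constructed sample line, not from the real rc.fire_ip_nat:
SAMPLE_LINE='1.2.3.4;192.168.10.20;5.5.5.5/32,6.6.6.6/32,12.12.12.0/24'

gen_rules() {
    line=$1
    ext_ip=$(printf '%s' "$line" | cut -d';' -f1)
    local_ip=$(printf '%s' "$line" | cut -d';' -f2)
    secure=$(printf '%s' "$line" | cut -d';' -f3)

    # An empty or "all" third field keeps the old unrestricted behaviour.
    if [ -z "$secure" ] || [ "$secure" = "all" ]; then
        src_filter=""
        dst_filter=""
    else
        src_filter=" -s $secure"   # who may reach the local host
        dst_filter=" -d $secure"   # where the local host may send
    fi

    # Inbound: only listed sources are translated and forwarded in.
    printf 'iptables -t nat -A PREROUTING%s -d %s -j DNAT --to %s\n' "$src_filter" "$ext_ip" "$local_ip"
    printf 'iptables -A FORWARD%s -d %s -j ACCEPT\n' "$src_filter" "$local_ip"
    # Outbound and replies: the local host only talks to listed destinations.
    printf 'iptables -A FORWARD -s %s%s -j ACCEPT\n' "$local_ip" "$dst_filter"
    printf 'iptables -t nat -A POSTROUTING -s %s -j SNAT --to %s\n' "$local_ip" "$ext_ip"
}

# Whole config file: drop '#' comments, trailing blanks and empty lines,
# then emit one rule set per remaining line.
gen_all() {
    cut -d'#' -f1 "$1" | sed 's/[[:space:]]*$//' | grep -v '^$' | while IFS= read -r l; do
        gen_rules "$l"
    done
}

gen_rules "$SAMPLE_LINE"
```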
 
Old 12-25-2017, 07:11 PM   #2
lazydog
I believe an easier way would be to combine iptables with ipset. This way you can whitelist the IP addresses you want to get through without having to rewrite your firewall rules when something changes.

With ipset you could give each individual set a name and then match against it. For example, say you had ssh and web that you only wanted to allow certain IP addresses to get to. You would first create 2 ipset DBs, one for ssh and another for web:

Code:
ipset create ssh hash:ip hashsize 4096
ipset create web hash:ip hashsize 4096
Then you would add the IP addresses you want to allow through:
Code:
ipset add ssh 1.2.3.4
ipset add ssh 4.5.6.7
ipset add web 4.5.6.7
ipset add web 8.9.1.2
Then you just need to set up iptables something like this:
Code:
# PREROUTING lives in the nat table, and the per-service chains must exist
# before PREROUTING can jump to them. The nat table only sees the first
# packet of a connection, which is enough to refuse unlisted sources.
iptables -t nat -N ssh-allow
iptables -t nat -A ssh-allow -m set ! --match-set ssh src -j DROP
iptables -t nat -A ssh-allow -j DNAT --to #.#.#.#
iptables -t nat -N web-allow
iptables -t nat -A web-allow -m set ! --match-set web src -j DROP
iptables -t nat -A web-allow -j DNAT --to #.#.#.#
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 22 -j ssh-allow
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 80 -j web-allow
Now you just need to add or remove the IP addresses from the ipset DB.

This is all theory off the top of my head but it should work with the proper vetting.
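The ipset variant applied to the poster's per-host lists, as an added example (not lazydog's or the original poster's code): one hash:net set per forwarded host (hash:net rather than hash:ip, because the lists in the first post contain a /24), matched as src on the way in and as dst on the way back in the filter FORWARD chain, so the sets can be edited later without touching the rules. The set naming scheme, the sample line and the print-instead-of-run style are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: ipset whitelist per forwarded host.
# Commands are printed for review instead of executed (pipe to sh to apply).
# Assumes ipset's -exist option (ignore "already exists" errors) so re-runs
# are idempotent, and set names without dots (ipset names cannot contain them).

# Constructed sample line, not from the real rc.fire_ip_nat:
SAMPLE_LINE='1.2.3.4;192.168.10.20;5.5.5.5/32,6.6.6.6/32,12.12.12.0/24'

gen_ipset_rules() {
    line=$1
    ext_ip=$(printf '%s' "$line" | cut -d';' -f1)
    local_ip=$(printf '%s' "$line" | cut -d';' -f2)
    secure=$(printf '%s' "$line" | cut -d';' -f3)
    # derive a set name from the local address, e.g. allow_192_168_10_20
    set_name="allow_$(printf '%s' "$local_ip" | tr '.' '_')"

    if [ -z "$secure" ] || [ "$secure" = "all" ]; then
        match_in=""
        match_out=""
    else
        # hash:net accepts both single hosts (/32) and prefixes (/24)
        printf 'ipset -exist create %s hash:net\n' "$set_name"
        printf 'ipset flush %s\n' "$set_name"
        for net in $(printf '%s' "$secure" | tr ',' ' '); do
            printf 'ipset -exist add %s %s\n' "$set_name" "$net"
        done
        match_in=" -m set --match-set $set_name src"   # inbound: source must be listed
        match_out=" -m set --match-set $set_name dst"  # outbound: destination must be listed
    fi

    # Later 'ipset add/del' calls take effect without touching these rules.
    printf 'iptables -A FORWARD%s -d %s -j ACCEPT\n' "$match_in" "$local_ip"
    printf 'iptables -A FORWARD -s %s%s -j ACCEPT\n' "$local_ip" "$match_out"
    printf 'iptables -t nat -A PREROUTING -d %s -j DNAT --to %s\n' "$ext_ip" "$local_ip"
    printf 'iptables -t nat -A POSTROUTING -s %s -j SNAT --to %s\n' "$local_ip" "$ext_ip"
}

gen_ipset_rules "$SAMPLE_LINE"
```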
 
Old 12-26-2017, 01:28 PM   #3
horizn
I don't want to make it even more complicated.
 
Old 01-01-2018, 08:01 PM   #4
lazydog
This is a perspective thing. I do not believe this makes it more complicated but actually easier as you don't need all those rules to block site/hosts you don't want to allow access to.

With my idea you don't have to touch your firewall rules; just add what you want to block to the proper group in ipset and you are finished.
 
  

