LinuxQuestions.org

Linux - Networking: https://www.linuxquestions.org/questions/linux-networking-3/iptables-subnet-traffic-masquerade-work-but-prerouting-end-in-111-connection-refused-4175658973/

g1thub 08-11-2019 12:59 PM

iptables subnet traffic masquerade work but prerouting end in 111: connection refused
 
Dear friendly community, after searching for hours and trying over days (I'm no expert at all),
I decided to ask here, so I hope anyone can help with this issue.

I set up a DHCP server to give a second device access to my internet connection.
On my host machine I'm connected to a SOCKS server, which I'm able to use with the following iptables rules:

sudo iptables -t nat -N REDSOCKS
sudo iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345

sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDSOCKS

So after enabling this rule all host traffic to :80 goes through the SOCKS.

Only the following rule makes the client of the subnet reach the internet:

sudo iptables -A POSTROUTING -t nat -j MASQUERADE

The problem with this rule is that the traffic of the subnet client never goes through the SOCKS on the host machine, while requests from the host itself use the SOCKS connection and get redirected.

I tried the rule below, which makes the network unreachable for the subnet client:

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDSOCKS

I'm no iptables expert, but I tried to handle this via DNAT & SNAT;
I believe it has something to do with the MASQUERADE.

But overall it looks like the requests are going outside but the answer isn't reaching my subnet client. (I checked this issue with [apt install] ngrep.)

I already tried to fix this issue by setting up a VPN on my host machine and connecting the client to it, but the only success was to reach the internet without the MASQUERADE rule, while I still don't use the SOCKS for outgoing connections on the client machine and all traffic from the host goes directly over the SOCKS.

I don't have to add forward rules to iptables when I use

/etc/sysctl.conf
net.ipv4.ip_forward=1

sysctl -w net.ipv4.ip_forward=1

or do I have to enable forward for the REDSOCKS chain as well?

What about: iptables -I FORWARD?

The problem is, without MASQUERADE I can see via ngrep the request from the subnet client leaving my host interface to the destination and receiving an answer, but
this never reaches my subnet client and never goes over the SOCKS; only when I use the MASQUERADE rule does the request come through, without going over the SOCKS on the host machine.

I really hope someone greater than me is able to teach me about my retardation relating to iptables :D

pingu_penguin 08-21-2019 09:32 AM

Quote:

sudo iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports 12345
If I am correct, this is transparent port redirection towards the SOCKS server, to the port on which it's listening.

I would simplify it with:

# iptables -t nat -A POSTROUTING -o (your_internet_interface) -j MASQUERADE (shares the internet connection)
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 12345

I really don't see the need to specify a new custom chain if your OUTPUT policy is ACCEPT.

Give it a try and let us know.
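A combined ruleset for the setup discussed in this thread, as an added example (not a script posted by either participant), assuming the internet interface is eth0, the client's interface is eth1 and the client subnet is 192.168.50.0/24; it also includes a check for the usual cause of "connection refused" when REDIRECT is used from PREROUTING.

```shell
#!/bin/sh
# Added example for the setup in this thread (not either poster's script).
# Interface names, client subnet and redsocks port below are assumptions.
WAN_IF="${WAN_IF:-eth0}"                   # interface towards the internet
LAN_IF="${LAN_IF:-eth1}"                   # interface the DHCP client sits on
LAN_NET="${LAN_NET:-192.168.50.0/24}"      # subnet handed out by the DHCP server
REDSOCKS_PORT="${REDSOCKS_PORT:-12345}"    # redsocks transparent listener port

# Print the ruleset instead of applying it directly, so it can be reviewed
# before running as root; every rule is restricted to the LAN client's side.
build_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -N REDSOCKS
iptables -t nat -A REDSOCKS -p tcp -j REDIRECT --to-ports $REDSOCKS_PORT
# the host's own port-80 traffic (as in the original post)
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDSOCKS
# forwarded port-80 traffic from the LAN client, only on the LAN interface
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDSOCKS
# everything else from the client leaves with the host's address
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# forward only between the two interfaces, replies only for existing flows
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
EOF
}

# REDIRECT in PREROUTING rewrites the destination to the primary address of the
# incoming interface, not to 127.0.0.1 as it does for OUTPUT, so redsocks must
# listen on that address or on 0.0.0.0; a 127.0.0.1-only listener refuses the client.
# Takes a port and text in `ss -lnt` format; returns 0 if such a listener exists.
redsocks_reachable() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == "LISTEN" {
      addr = $4; port = $4
      sub(/.*:/, "", port); sub(/:[^:]*$/, "", addr)
      if (port == p && addr != "127.0.0.1") ok = 1
    }
    END { exit ok ? 0 : 1 }'
}

case "${1:-}" in
  apply) build_rules | sh -e ;;   # run as root to apply the ruleset
  *)     build_rules ;;           # default: just show it
esac
```

Run `redsocks_reachable 12345 "$(ss -lnt)"` on the host before applying; if it fails, set redsocks' local_ip to the LAN interface address or 0.0.0.0 first.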
