LinuxQuestions.org
Old 10-05-2020, 03:50 AM   #1
mackowiakp
Member
 
Registered: Jun 2014
Location: Poland/Gdynia
Distribution: Mageia 9, SH4, Debian
Posts: 367

Rep: Reputation: 8
Add iptables-save/restore entry


I have a QNAP NAS with several dockers and LXC containers. The NAS and its dockers and LXC containers are configured as a bridge. That is, all are in the same network but of course with different IP addresses.
Below is the output from iptables-save:

Code:
[~] # iptables-save > /etc/iptables.back
[~] # cat /etc/iptables.back 
# Generated by iptables-save v1.4.21 on Mon Oct  5 10:35:50 2020
*nat
:PREROUTING ACCEPT [1108:140525]
:INPUT ACCEPT [570:74489]
:OUTPUT ACCEPT [4824:500981]
:POSTROUTING ACCEPT [5140:530691]
:DOCKER - [0:0]
:SYSDOCKER - [0:0]
:SYSNAT - [0:0]
:VPNNAT - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j SYSDOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m addrtype --dst-type LOCAL -j SYSDOCKER
-A OUTPUT -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -o lxcbr0 -m addrtype --src-type LOCAL -j MASQUERADE
-A POSTROUTING -o docker0 -m addrtype --src-type LOCAL -j MASQUERADE
-A POSTROUTING -m mark ! --mark 0x0/0xffff -j MASQUERADE
-A POSTROUTING -j VPNNAT
-A POSTROUTING -j SYSNAT
-A SYSNAT -s 10.0.5.0/24 ! -o docker0 -j MASQUERADE
-A SYSNAT -s 10.0.3.0/24 ! -o lxcbr0 -j MASQUERADE
COMMIT
# Completed on Mon Oct  5 10:35:50 2020
# Generated by iptables-save v1.4.21 on Mon Oct  5 10:35:50 2020
*mangle
:PREROUTING ACCEPT [4390576:3758337958]
:INPUT ACCEPT [3945661:3476892783]
:FORWARD ACCEPT [529198:309091977]
:OUTPUT ACCEPT [3043429:1624932647]
:POSTROUTING ACCEPT [3720477:1979152288]
:CHECKHOST - [0:0]
:VPNCHECKHOST - [0:0]
:VPNCUSSETMARK - [0:0]
:VPNDEFSETMARK - [0:0]
:VPNSETMARKENTRANCE - [0:0]
:VPNTCPMSS - [0:0]
-A PREROUTING -m set --match-set VPNSET src -m set ! --match-set HOSTSET dst -j VPNSETMARKENTRANCE
-A INPUT ! -d 169.254.0.0/16 -j CHECKHOST
-A INPUT -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
-A OUTPUT -m set --match-set HOSTSET dst -j MARK --set-xmark 0x10000/0xf0000
-A POSTROUTING -p tcp -m mark ! --mark 0x0/0xffff -m tcp --tcp-flags SYN,RST SYN -j VPNTCPMSS
-A CHECKHOST -m set --match-set NATSET src -j MARK --set-xmark 0x10000/0xf0000
-A CHECKHOST -j VPNCHECKHOST
-A VPNCHECKHOST -m set --match-set VPNSET src -j MARK --set-xmark 0x10000/0xf0000
-A VPNCUSSETMARK -m set --match-set vpndocker0 src -j MARK --set-xmark 0x900/0xff00
-A VPNCUSSETMARK -m set --match-set vpnlxcbr0 src -j MARK --set-xmark 0xa00/0xff00
-A VPNCUSSETMARK -m set --match-set vpnqvs0 src -j MARK --set-xmark 0xb00/0xff00
-A VPNDEFSETMARK -s 10.8.0.0/24 -j MARK --set-xmark 0x80/0xff
-A VPNSETMARKENTRANCE -j VPNCUSSETMARK
-A VPNSETMARKENTRANCE -m mark --mark 0x0/0xffff -j VPNDEFSETMARK
COMMIT
# Completed on Mon Oct  5 10:35:50 2020
# Generated by iptables-save v1.4.21 on Mon Oct  5 10:35:50 2020
*filter
:INPUT ACCEPT [9676755:8727305882]
:FORWARD ACCEPT [1216873:934113200]
:OUTPUT ACCEPT [7426345:3628538832]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
:SYSDOCKER - [0:0]
:SYSDOCKER-ISOLATION - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o lxcbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o lxcbr0 -j DOCKER
-A FORWARD -i lxcbr0 ! -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -o lxcbr0 -j ACCEPT
-A FORWARD -j SYSDOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j SYSDOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -m set --match-set BRNOIPSET src,dst -j DROP
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
-A SYSDOCKER-ISOLATION -j RETURN
COMMIT
# Completed on Mon Oct  5 10:35:50 2020
The main NAS address is 192.168.0.7.
I am not so experienced in iptables, so please help me.
How do I redirect all traffic coming to 192.168.0.7 on port 4443 to address 192.168.0.202 port 443 by modifying the file above? I don't know what to enter and in what place in this file.
After modifying the file I want to load the new rule set with the commands:

Code:
iptables -F
iptables-restore < /etc/iptables.back
Any help?
 
Old 10-06-2020, 06:21 PM   #2
Fjor
LQ Newbie
 
Registered: Oct 2004
Location: Jalisco, Mexico
Distribution: Slackware
Posts: 24

Rep: Reputation: 5
There are a lot of iptables tutorials on the net; simply search for "linux iptables tutorial" or "linux iptables how-to". This is a very bare-bones summary:

The iptables system has several groups or "tables" that apply traffic control at diverse points of the networking system. The main ones are *nat, *filter and *mangle. The rules for controlling access should be in the *filter table; rules for changing packet content are added in the *mangle table, and rules that redirect packets (changing source/destination addresses or ports) should be in the *nat table.

Each table has several rule lists or "subroutines" called "chains" ("chains of rules") for grouping logically where and when to apply the rules. For example, the *filter table has the INPUT, OUTPUT and FORWARD chains for controlling packets arriving at this host, exiting to other hosts, or only passing through.

The rules in any chain are processed in order of appearance. To simplify and organize the logical arrangement of rules you can create more chains (like the chains DOCKER, SYSNAT, etc. in your config).

Each rule stored in a table/chain has a selector section indicating the packet values to be checked and a target section specifying the action taken if the packet data matches the selector. For example, this command APPENDS (-A) a rule to the filter/INPUT chain that checks whether the arriving packet is TCP with destination port 22 (ssh) and accepts it:

Code:
 iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
The active list of rules can be obtained with the command iptables-save, saved to a file with iptables-save > filename, and restored (as you already know) with the opposite command, iptables-restore < filename.

So the rules you need should be in the *nat section, which has two main chains: PREROUTING and POSTROUTING. As you need to change the destination of packets BEFORE sending them where they must go, the rule should be in the PREROUTING chain.

In your case we already know the table/chain; the selector must be the arriving data for 192.168.0.7 port 443 (HTTPS; this protocol is encapsulated in TCP). The target should be to change the destination address and port. So, in the *nat section you should add:

Code:
*nat
  :
-A PREROUTING -d 192.168.0.7 -p tcp --dport 443 -j DNAT --to-destination 192.168.0.202:443
I recommend reading the local documentation with man iptables to check the meaning of the options and how to specify them.

Good luck.

Last edited by Fjor; 10-09-2020 at 02:11 PM. Reason: Fixed code tags.
 
1 members found this post helpful.
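As an added example (not code from the thread or from either poster), the script below inserts the DNAT rule into the *nat section of an iptables-save dump at the place the answer above describes, i.e. as the last rule before that table's COMMIT, using the addresses and ports from the original question (192.168.0.7:4443 to 192.168.0.202:443); the file name, the helper names and the sample dump are assumptions for the example.

```shell
#!/bin/sh
# Added example: place a DNAT rule in the *nat table of an iptables-save dump.
# Values taken from the thread: NAS 192.168.0.7 port 4443 -> 192.168.0.202 port 443.
NAS_IP="192.168.0.7";    NAS_PORT="4443"
DST_IP="192.168.0.202";  DST_PORT="443"

# dnat_rule: print the rule in iptables-save syntax. "-m tcp" is spelled out
# so the --dport match is unambiguous when iptables-restore parses the file.
dnat_rule() {
    printf -- '-A PREROUTING -d %s/32 -p tcp -m tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$NAS_IP" "$NAS_PORT" "$DST_IP" "$DST_PORT"
}

# add_dnat_rule FILE: rewrite FILE with the rule inserted just before the
# COMMIT that closes the *nat table. Other tables are copied unchanged, and
# running it twice does not duplicate the rule.
add_dnat_rule() {
    file=$1
    rule=$(dnat_rule)
    if grep -qF -- "$rule" "$file"; then
        return 0                      # already present: nothing to do
    fi
    awk -v rule="$rule" '
        /^\*/                        { table = substr($0, 2) }  # "*nat" -> "nat"
        /^COMMIT$/ && table == "nat" { print rule }             # last rule of *nat
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# count_nat_rule FILE: how many times the rule appears inside *nat
# (expected: exactly 1 after add_dnat_rule).
count_nat_rule() {
    awk -v rule="$(dnat_rule)" '
        /^\*/                        { table = substr($0, 2) }
        $0 == rule && table == "nat" { n++ }
        END                          { print n + 0 }
    ' "$1"
}
```

iptables-restore replaces every table listed in the file, so the preceding iptables -F (which only flushes the filter table) is not needed before loading it.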
Old 10-08-2020, 11:31 AM   #3
mackowiakp
Member
 
Registered: Jun 2014
Location: Poland/Gdynia
Distribution: Mageia 9, SH4, Debian
Posts: 367

Original Poster
Rep: Reputation: 8
Thank you very much for your answer. I know that I have gaps in my knowledge about Linux, but on a daily basis I deal with databases and applications in the company.
Unfortunately, the entire IT team (8 people) is in quarantine due to COVID (2 patients). I was on vacation and I am not infected.
But now I'm alone and I have to do everything, whether I know it or not.
Hence the question of the "basic" kind. But I did as you advised and it works. Thank you again!
 
Old 10-09-2020, 02:11 PM   #4
Fjor
LQ Newbie
 
Registered: Oct 2004
Location: Jalisco, Mexico
Distribution: Slackware
Posts: 24

Rep: Reputation: 5
I'm very glad to be useful and hope your coworkers get healthy soon. Good luck!

Last edited by Fjor; 10-09-2020 at 02:13 PM.
 
Old 10-25-2020, 11:06 PM   #5
Fjor
LQ Newbie
 
Registered: Oct 2004
Location: Jalisco, Mexico
Distribution: Slackware
Posts: 24

Rep: Reputation: 5
You're welcome. Happy linuxing!
 