LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 11-29-2015, 11:58 PM   #1
624867243@qq.com
Member
 
Registered: Nov 2015
Location: ShenZhen
Posts: 33
Blog Entries: 1

how to set iptables?


Server A has two network interface cards: eth0 is 58.61.48.159, eth1 is 192.168.2.2/24.
Server B has one network interface card: eth0 is 192.168.2.34/24.
Server A and Server B are in the same LAN.

I want packets from 113.118.110.250 with dport 13306 to be rewritten to 192.168.2.34:3306.
Other packets with dport 13306 should be dropped.


Here is my iptables; it is a port mapping. I want 113.118.110.250 to be able to access 58.61.48.159's 13306, and other IPs not to be able to access 13306.
How do I set it?
I tried to limit it in the INPUT chain, but failed.
Code:
# Generated by iptables-save v1.4.7 on Sat Nov 28 13:29:40 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE

-A PREROUTING -p tcp -m tcp --dport 13306 -j DNAT --to-destination 192.168.2.34:3306
-A POSTROUTING -d 192.168.2.34 -p tcp -m tcp --dport 3306 -j SNAT --to-source 58.61.48.159

COMMIT

# Completed on Sat Nov 28 13:29:40 2015
# Generated by iptables-save v1.4.7 on Sat Nov 28 13:29:40 2015

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [134:14800]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
##ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 

# -A INPUT --dport 13306:13306 -j DROP
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 13306 -j ACCEPT
#-A INPUT  -s 113.118.110.250/32 -m state --state NEW -m tcp -p tcp --dport 13306 -j ACCEPT

######################
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Sat Nov 28 13:29:40 2015

Last edited by 624867243@qq.com; 11-30-2015 at 02:27 AM.
 
Old 11-30-2015, 12:47 AM   #2
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

I suppose the rules are OK, but they are definitely not in the right order. A packet goes from rule to rule until there is a match. All packets with port 13306 will match the DROP rule, so they will be dropped and processing ends.
Solution: Move the DROP rule after the ACCEPT rules.

Also, --dport doesn't require a range; a single number is sufficient.
 
Old 11-30-2015, 01:09 AM   #3
624867243@qq.com
Member
 
Registered: Nov 2015
Location: ShenZhen
Posts: 33

Original Poster
Blog Entries: 1

I have tried it, but failed

Quote:
Originally Posted by berndbausch View Post
I suppose the rules are OK, but they are definitely not in the right order. A packet goes from rule to rule until there is a match. All packets with port 13306 will match the DROP rule, so they will be dropped and processing ends.
Solution: Move the DROP rule after the ACCEPT rules.

Also, --dport doesn't require a range; a single number is sufficient.
like this?

Code:
# Generated by iptables-save v1.4.7 on Sat Nov 28 13:29:40 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE

-A PREROUTING -p tcp -m tcp --dport 13306 -j DNAT --to-destination 192.168.2.34:3306
-A POSTROUTING -d 192.168.2.34 -p tcp -m tcp --dport 3306 -j SNAT --to-source 58.61.48.159
##
-A PREROUTING -s 113.118.110.250 -p tcp -m tcp --dport 13306 -j DNAT --to-destination 192.168.2.34:3306

COMMIT

# Completed on Sat Nov 28 13:29:40 2015
# Generated by iptables-save v1.4.7 on Sat Nov 28 13:29:40 2015

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [134:14800]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
##ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 

# -A INPUT --dport 13306:13306 -j DROP
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 13306 -j ACCEPT

#-A INPUT  -s 113.118.110.250/32 -m state --state NEW -m tcp -p tcp --dport 13306 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 13306 -j DROP

######################
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Sat Nov 28 13:29:40 2015

Last edited by 624867243@qq.com; 11-30-2015 at 02:16 AM.
 
Old 11-30-2015, 01:57 AM   #4
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Ooops, I hadn't seen the NAT table rules. A packet comes in and will first go into the PREROUTING chain. If its destination port is 13306, the destination is rewritten to be 192.168.2.34:3306. I think this means it won't even go into the INPUT chain (except if 192.168.2.34 is the present system).

Whether it enters the INPUT chain or not, none of the 13306 rules in the INPUT chain will ever match.

It's not clear to me what you want to achieve. Can you confirm it's this:
  • packets from 113.118.110.250 with dport 13306 will be rewritten to 58.61.48.159:3306
  • other packets with dport 13306 will be dropped
Correct?

If so, I don't understand the DNAT to 192.168.2.34.
Also, packets will only go through the second POSTROUTING rule if they exit via a different interface than eth0.
 
Old 11-30-2015, 02:29 AM   #5
624867243@qq.com
Member
 
Registered: Nov 2015
Location: ShenZhen
Posts: 33

Original Poster
Blog Entries: 1

Quote:
Originally Posted by berndbausch View Post
Ooops, I hadn't seen the NAT table rules. A packet comes in and will first go into the PREROUTING chain. If its destination port is 13306, the destination is rewritten to be 192.168.2.34:3306. I think this means it won't even go into the INPUT chain (except if 192.168.2.34 is the present system).

Whether it enters the INPUT chain or not, none of the 13306 rules in the INPUT chain will ever match.

It's not clear to me what you want to achieve. Can you confirm it's this:
  • packets from 113.118.110.250 with dport 13306 will be rewritten to 58.61.48.159:3306
  • other packets with dport 13306 will be dropped
Correct?

If so, I don't understand the DNAT to 192.168.2.34.
Also, packets will only go through the second POSTROUTING rule if they exit via a different interface than eth0.
Server A has two network interface cards: eth0 is 58.61.48.159, eth1 is 192.168.2.2/24.
Server B has one network interface card: eth0 is 192.168.2.34/24.
Server A and Server B are in the same LAN.

I want packets from 113.118.110.250 with dport 13306 to be rewritten to 192.168.2.34:3306.
Other packets with dport 13306 should be dropped.
Do you understand?
 
Old 11-30-2015, 02:53 AM   #6
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

It looks like I was almost right.

First, let me reveal that I am not that much of an expert with iptables. I want to learn myself.

I think what you want to achieve can be done with two rules in PREROUTING:
Code:
# rewrite destination for packets from whitelisted address. The packet will not enter INPUT.
-A PREROUTING -s 113.118.110.250/32 -m tcp -p tcp --dport 13306 -j DNAT --to-destination 192.168.2.34:3306
# drop anything else
-A PREROUTING -p tcp -m tcp --dport 13306 -j DROP
Also don't forget to enable forwarding.
Since no packets with dport 13306 will enter INPUT, you don't need anything in INPUT.
Nothing in FORWARD either, I would think.
Keep the two POSTROUTING rules; I probably understand them now.

OK please try this out for me, so that I know I am right
 
Old 11-30-2015, 02:57 AM   #7
624867243@qq.com
Member
 
Registered: Nov 2015
Location: ShenZhen
Posts: 33

Original Poster
Blog Entries: 1

Quote:
Originally Posted by berndbausch View Post
It looks like I was almost right.

First, let me reveal that I am not that much of an expert with iptables. I want to learn myself.

I think what you want to achieve can be done with two rules in PREROUTING:
Code:
# rewrite destination for packets from whitelisted address. The packet will not enter INPUT.
-A PREROUTING -s 113.118.110.250/32 -m tcp -p tcp --dport 13306 -j DNAT --to-destination 192.168.2.34:3306
# drop anything else
-A PREROUTING -p tcp -m tcp --dport 13306 -j DROP
Also don't forget to enable forwarding.
Since no packets with dport 13306 will enter INPUT, you don't need anything in INPUT.
Nothing in FORWARD either, I would think.
Keep the two POSTROUTING rules; I probably understand them now.

OK please try this out for me, so that I know I am right
Just one rule is OK:
-A PREROUTING -s 113.118.110.250 -p tcp -m tcp --dport 13306 -j DNAT --to-destination 192.168.2.34:3306


and

"-A PREROUTING -p tcp -m tcp --dport 13306 -j DROP" is redundant.

thank you very much!

Last edited by 624867243@qq.com; 11-30-2015 at 02:59 AM.
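To make the first-match point from posts #2 and #4 concrete, here is a small Python model added to this page; it is not code from the thread and not part of iptables. It parses the subset of iptables-save syntax the posts use and traces one new inbound TCP packet through nat PREROUTING, the routing decision (does the rewritten destination belong to Server A?) and filter INPUT or FORWARD, for the three PREROUTING orderings discussed: post #3 (unrestricted DNAT listed before the whitelisted one), post #6 (whitelisted DNAT then DROP) and post #7 (whitelisted DNAT only). The outsider address 203.0.113.7 is a constructed test value; POSTROUTING, conntrack beyond the --state match and the MASQUERADE/SNAT rules are left out of the model.

```python
"""First-match model of the packet path discussed in this thread (added example).

It covers only what the posts need: nat PREROUTING (DNAT or DROP), the routing
decision (is the rewritten destination one of Server A's addresses?), then
filter INPUT or FORWARD, parsed from the iptables-save subset the posts use.
"""
import ipaddress
import shlex

LOCAL_ADDRS = {"58.61.48.159", "192.168.2.2"}   # Server A's eth0 / eth1 (from the thread)

# Filter table every attempt in the thread shares: FORWARD policy ACCEPT, INPUT ends in REJECT.
FILTER = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
NAT_HEAD = "*nat\n:PREROUTING ACCEPT [0:0]\n"
WHITELIST = "-A PREROUTING -s 113.118.110.250/32 -p tcp -m tcp --dport 13306 -j DNAT --to-destination 192.168.2.34:3306\n"
CATCH_ALL = "-A PREROUTING -p tcp -m tcp --dport 13306 -j DNAT --to-destination 192.168.2.34:3306\n"
DROP_REST = "-A PREROUTING -p tcp -m tcp --dport 13306 -j DROP\n"

ATTEMPT_2 = NAT_HEAD + CATCH_ALL + WHITELIST + "COMMIT\n" + FILTER   # post #3: catch-all DNAT first
TWO_RULES = NAT_HEAD + WHITELIST + DROP_REST + "COMMIT\n" + FILTER   # post #6: whitelist, then DROP
ONE_RULE = NAT_HEAD + WHITELIST + "COMMIT\n" + FILTER                # post #7: whitelist only


def parse_rule(line):
    """Reduce one '-A CHAIN ...' line to the matches this model understands."""
    tok = shlex.split(line)
    rule = dict(chain=tok[tok.index("-A") + 1], src=None, proto=None, iface=None,
                dport=None, state=None, target=None, to=None)
    for flag, arg in zip(tok, tok[1:]):            # every option used here takes one argument
        if flag == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif flag == "-p":
            rule["proto"] = arg
        elif flag == "-i":
            rule["iface"] = arg
        elif flag == "--dport":
            lo, _, hi = arg.partition(":")         # '13306' or a range like '13306:13306'
            rule["dport"] = (int(lo), int(hi or lo))
        elif flag == "--state":
            rule["state"] = set(arg.split(","))
        elif flag == "-j":
            rule["target"] = arg
        elif flag == "--to-destination":
            rule["to"] = arg
    return rule


def load(ruleset):
    """Parse an iptables-save style dump into {(table, chain): {policy, rules}}."""
    chains, table = {}, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[(table, name)] = {"policy": policy, "rules": []}
        elif line.startswith("-A"):
            rule = parse_rule(line)
            chains[(table, rule["chain"])]["rules"].append(rule)
    return chains


def matches(rule, pkt):
    """Every match the rule specifies must hold; unspecified ones are wildcards."""
    return all([
        rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"],
        rule["proto"] is None or rule["proto"] == pkt["proto"],
        rule["iface"] is None or rule["iface"] == pkt["iface"],
        rule["dport"] is None or rule["dport"][0] <= pkt["dport"] <= rule["dport"][1],
        rule["state"] is None or pkt["state"] in rule["state"],
    ])


def walk(chains, table, chain, pkt):
    """First match wins; fall back to the chain policy when nothing matches."""
    entry = chains[(table, chain)]
    for rule in entry["rules"]:
        if matches(rule, pkt):
            return rule["target"], rule
    return entry["policy"], None


def trace(ruleset, src, dst="58.61.48.159", dport=13306):
    """Follow one NEW inbound TCP packet; return (chain, verdict, final destination)."""
    chains = load(ruleset)
    pkt = {"src": src, "dst": dst, "dport": dport, "proto": "tcp", "iface": "eth0", "state": "NEW"}
    target, rule = walk(chains, "nat", "PREROUTING", pkt)
    if target == "DROP":
        return ("PREROUTING", "DROP", f"{pkt['dst']}:{pkt['dport']}")
    if target == "DNAT":                           # routing sees the rewritten destination
        ip, port = rule["to"].rsplit(":", 1)
        pkt["dst"], pkt["dport"] = ip, int(port)
    chain = "INPUT" if pkt["dst"] in LOCAL_ADDRS else "FORWARD"   # the routing decision
    verdict, _ = walk(chains, "filter", chain, pkt)
    return (chain, verdict, f"{pkt['dst']}:{pkt['dport']}")


if __name__ == "__main__":
    for name, rules in (("post #3", ATTEMPT_2), ("post #6", TWO_RULES), ("post #7", ONE_RULE)):
        for src in ("113.118.110.250", "203.0.113.7"):   # whitelisted client, constructed outsider
            print(name, src, trace(rules, src))
```

Running it shows why the post #3 ordering still admitted everyone (the catch-all DNAT is hit first, so the whitelisted rule behind it is dead) and why the DROP from post #6 is redundant under this filter table: a non-whitelisted packet keeps its original destination 58.61.48.159, is routed to INPUT, and meets the final REJECT there. The whitelisted flow reaches Server B only because the FORWARD chain's policy is ACCEPT; if that policy is ever changed to DROP, an explicit FORWARD ACCEPT for new connections to 192.168.2.34 port 3306 plus a RELATED,ESTABLISHED rule for the return traffic is required.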
All times are GMT -5.