Archive for the ‘iptables’ Category

Allowing traffic to a particular host from a different network.

September 10, 2010

Consider you have two networks, 192.168.1.0/24 and 192.168.2.0/24. Both reside behind a firewall (a gateway machine, actually). Now you want every host on 192.168.2.0/24 to be able to reach only 192.168.1.100. The steps are –

Basically you have to allow the traffic in both directions with iptables on the gateway machine of the 192.168.1.0/24 network.

iptables -R FORWARD 1 -i eth0 -s 192.168.2.2  -d 192.168.1.100 -j ACCEPT

iptables -R FORWARD 2 -i eth1 -s 192.168.1.100 -d 192.168.2.2 -j ACCEPT

Here,

192.168.2.2 is the IP of the gateway machine of the 192.168.2.0/24 network.
Please make sure you use the correct interface (ethN) for the inbound and outbound traffic of every host.

You can use tcpdump to verify whether the traffic flow is working and where packets get rejected:

tcpdump -ni eth1 icmp
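Below is an added example, not from the post, of how I would write the same allow on the 192.168.1.0/24 gateway with a default-deny FORWARD chain: one rule admits new connections from 192.168.2.2 to 192.168.1.100, and conntrack admits the replies, so the second mirror rule is not needed and nothing else crosses between the networks. It also sidesteps the -R used above, which replaces whatever currently sits at positions 1 and 2 of the chain (check with iptables -L FORWARD --line-numbers before using it). Interface names eth0 (side facing 192.168.2.2) and eth1 (side facing 192.168.1.0/24) follow the post and are assumptions; the script prints the iptables commands by default and executes them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example: default-deny FORWARD chain on the 192.168.1.0/24 gateway.
# Assumed interfaces: eth0 faces 192.168.2.2, eth1 faces 192.168.1.0/24.
# Prints the commands unless APPLY=1 is set (then run as root).

REMOTE_IF=eth0            # assumption: side towards 192.168.2.2
LAN_IF=eth1               # assumption: side towards 192.168.1.0/24
REMOTE_GW=192.168.2.2     # gateway of the 192.168.2.0/24 network
ALLOWED_HOST=192.168.1.100

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

forward_rules() {
    # Nothing is forwarded unless a rule below allows it.
    ipt -P FORWARD DROP
    # Replies to connections that were already accepted, in either direction,
    # so no mirror rule for 192.168.1.100 -> 192.168.2.2 is needed.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections from the other network, only to the one allowed host,
    # and only if they arrive on the interface they should arrive on.
    ipt -A FORWARD -i "$REMOTE_IF" -o "$LAN_IF" -s "$REMOTE_GW" -d "$ALLOWED_HOST" \
        -m conntrack --ctstate NEW -j ACCEPT
    # Everything else from that gateway is logged, then rejected, so
    # "tcpdump -ni eth1" stays quiet and the kernel log shows what was blocked.
    ipt -A FORWARD -i "$REMOTE_IF" -s "$REMOTE_GW" -j LOG --log-prefix "FWD-DENY: "
    ipt -A FORWARD -i "$REMOTE_IF" -s "$REMOTE_GW" -j REJECT
}

# Number of commands the script would issue (used by the dry-run check).
rule_count() {
    forward_rules | wc -l | tr -d ' '
}

forward_rules
```

Run it once without APPLY to read the rules it would install, then as root with APPLY=1; the LOG rule is what tells you, from the kernel log, whether a "not working" report is a blocked packet or a routing problem.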

Redirecting port 80 traffic to port 8080

July 15, 2010

I open ports 80 and 443 on my firewall. My Tomcat installation listens on ports 8080 and 8443, but running Tomcat on port 443 would need root privileges. So the simple solution is to redirect any request coming in on port 80 to port 8080. Here is the trick:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
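As an added example (not the post's own command), here is the same redirect written for both ports the post mentions, with two details that bite in practice: PREROUTING only sees packets arriving from the network, so a connection made on the box itself (curl http://localhost/) is not redirected unless a matching rule is also placed in the nat OUTPUT chain; and after the redirect the filter INPUT chain sees destination port 8080 or 8443, so those ports must be accepted there, not just 80 and 443. eth0 as the public interface follows the post and is an assumption; the script prints the commands unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example: REDIRECT 80 -> 8080 and 443 -> 8443 for an unprivileged Tomcat.
# eth0 as the public interface is an assumption. Prints commands unless APPLY=1.

PUB_IF=eth0

ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# $1 = privileged port clients connect to, $2 = port the service really listens on
redirect_port() {
    # Packets arriving from the network: rewrite the port before routing.
    ipt -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport "$1" -j REDIRECT --to-ports "$2"
    # Connections made on this box to its own address go through nat OUTPUT,
    # not PREROUTING, so they need their own redirect.
    ipt -t nat -A OUTPUT -o lo -p tcp --dport "$1" -j REDIRECT --to-ports "$2"
    # The filter INPUT chain runs after the rewrite and sees port $2, so
    # opening only port $1 on the firewall would still block the traffic.
    ipt -A INPUT -i "$PUB_IF" -p tcp --dport "$2" -m conntrack --ctstate NEW -j ACCEPT
}

tomcat_redirects() {
    redirect_port 80 8080
    redirect_port 443 8443
}

tomcat_redirects
```

After applying, iptables -t nat -vnL shows the packet counters climbing on the PREROUTING rule for external clients and on the OUTPUT rule for local ones, which is a quick way to tell which path a failing connection took.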

linux box as a router

March 17, 2010

Two scenarios –

1. Private – Public
2. Private – Private ( inside your LAN)

1. Private – Public

a) Assign a public IP address to the Fast Ethernet card with the following:

eth0
IP Address (61.5.156.1) – change to your public IP address
Net Mask (Provided by the Internet service provider)
Default Gateway
Preferred DNS

b) Create a virtual IP address on this Fast Ethernet Card

Copy the configuration file of eth0 to a new name, eth0:0
Assign a private IP address, like you have assigned to the other computers in your local area network

eth0:0
IP Address (192.168.1.10)
Net mask (255.255.255.0)
Default Gateway (leave this blank)

c) Creating forwarding rules with iptables:

Delete and flush. The default table is “filter”; others like “nat” must be stated explicitly.

# Flush all the rules in the filter table, then in the nat table
iptables -F
iptables -t nat -F

# Delete all user-defined chains in the filter table, then in the nat table
iptables --delete-chain
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT

d) Enable packet forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

e) Create a route for internal packets:

route add -net 192.168.1.0/24 gw 61.5.156.146 dev eth0

Replace 61.5.156.146 with your gateway IP address
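For the Private – Public case, here is an added example (not the post's configuration) of the forwarding part, steps c) and d), written as a script with two changes a gateway facing the internet should have. The FORWARD chain denies by default and accepts only connections that originate in the LAN plus their replies; the post's "iptables -A FORWARD -i eth0 -j ACCEPT" forwards anything that arrives on the public interface. And ip_forward is enabled with sysctl -w, the same setting that goes into /etc/sysctl.conf to survive a reboot. The script assumes a separate LAN interface eth1 instead of the eth0:0 alias, because with the LAN and the public side on one physical interface the -i/-o checks cannot tell them apart; eth0 stays the public side. It prints the commands unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example: NAT gateway for the Private - Public case with a default-deny
# FORWARD chain. Assumptions: eth0 public side, eth1 carries 192.168.1.10/24.
# Prints commands unless APPLY=1 (then run as root).

PUB_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

enable_forwarding() {
    # Runtime equivalent of: echo 1 > /proc/sys/net/ipv4/ip_forward
    # (put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep it after reboot)
    run sysctl -w net.ipv4.ip_forward=1
}

nat_gateway_rules() {
    # Start from empty filter and nat tables (-X removes user-defined chains).
    run iptables -F
    run iptables -t nat -F
    run iptables -X
    run iptables -t nat -X
    # LAN traffic leaving through the public interface takes its address.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$PUB_IF" -j MASQUERADE
    # Forward nothing unless a rule below says so.
    run iptables -P FORWARD DROP
    # A packet with a LAN source must never arrive from the public side.
    run iptables -A FORWARD -i "$PUB_IF" -s "$LAN_NET" -j DROP
    # Replies to connections the LAN opened.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections, only from the LAN towards the public side.
    run iptables -A FORWARD -i "$LAN_IF" -o "$PUB_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
}

enable_forwarding
nat_gateway_rules
```

The MASQUERADE rule carries -s 192.168.1.0/24 on purpose: without it, anything the box forwards out of eth0 is masqueraded, including traffic it should have dropped.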

2. Private – Private

Assume,

Your current net is 192.168.1.0/24 and the gateway/firewall is 192.168.1.1.
Now you want to create a separate LAN, 192.168.2.0/24, and forward its packets through 192.168.1.1 to the outside world using a box inside your network.

Choose the box you want to turn into a router and follow these steps

a) IP setting will be as follows –
eth0 – 192.168.1.15
255.255.255.0
192.168.1.1 (gw)
eth0:0 – 192.168.2.1
255.255.255.0
gw ( leave blank)

b) Then on the gw machine (192.168.1.1) make sure of the following –

Add a POSTROUTING rule for the 192.168.2.0/24 LAN

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/20 ! -d 192.168.0.0/20 -j SNAT --to-source [gateway public IP]

[ This rewrites the source of packets from the 192.168.2.0 network going to the outside world, and brings the replies back through the gw ]

And add a route for your 192.168.2.0/24 LAN –

route add -net 192.168.2.0/24 gw 192.168.1.15

Also make sure your DNS server allows queries from outside its own LAN (the allow-query option in BIND's named.conf) –

allow-query {
    192.168.0.0/20;
};

c) Enable packet forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

Now there you go, you are done! Your 2.0 network will be able to talk to the outside world through 192.168.1.15 -> 192.168.1.1

Note: on your client machine (say 192.168.2.20) use 192.168.2.1 as the default gateway and 192.168.1.1 as the nameserver.

If you want to make sure that nothing on the 2.0/24 network can reach any host on the 1.0/24 network, except 1.1, then
add the following rules on your firewall –

iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -p all -j REJECT -o eth0
[ This blocks all traffic from the 2.0/24 LAN to the 1.0/24 LAN ]

iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.1.1 -p all -j ACCEPT -o eth0
[ Only allow traffic to the gw. Since -I inserts at the top of the chain, this rule lands above the REJECT and is evaluated first, which is what makes the exception work ]
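Putting the two boxes of this Private – Private setup together, here is an added example (not the post's commands): gateway_rules is the 192.168.1.1 side, with the --to-source address the SNAT line above leaves out and the return route; inner_router_rules is the 192.168.1.15 side. The restriction rules belong on 192.168.1.15 because that is the box the 2.0/24 -> 1.0/24 packets actually pass through (it is directly connected to 1.0/24, so 192.168.1.1 never sees them), which also fits the -o eth0 in the post's rules. Two things differ from the post: rules are appended with -A in the order they must be evaluated rather than inserted with -I, so the listing reads top to bottom as it runs; and the exception for the gateway is narrowed to DNS, the one service the note above points clients at, so any other service the gateway offers needs its own line. Assumptions: eth0 is the gateway's public side, eth1 its 192.168.1.0/24 side, and 203.0.113.1 is a constructed stand-in (documentation range) for the gateway's public address. The script prints the commands unless run as root with APPLY=1 on the box in question.

```shell
#!/bin/sh
# Added example: both boxes of the Private - Private setup.
#   gateway_rules       runs on the gateway 192.168.1.1 (eth0 public, eth1 LAN)
#   inner_router_rules  runs on the router box 192.168.1.15 (eth0 + eth0:0)
# 203.0.113.1 is a constructed stand-in for the gateway's public address.
# Prints the commands unless APPLY=1 (then run as root on the right box).

PUB_IF=eth0                   # assumption: gateway's public interface
GW_LAN_IF=eth1                # assumption: gateway's 192.168.1.0/24 interface
PUB_IP=203.0.113.1            # constructed, documentation range
GW=192.168.1.1
LAN1=192.168.1.0/24
LAN2=192.168.2.0/24
INNER_ROUTER=192.168.1.15

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# On 192.168.1.1: NAT for the second LAN and the route back to it.
gateway_rules() {
    # Source-NAT both LANs on the way out, but not for destinations inside
    # 192.168.0.0/20 ("! -d" is the current spelling of the post's "-d !").
    run iptables -t nat -A POSTROUTING -o "$PUB_IF" -s 192.168.0.0/20 ! -d 192.168.0.0/20 \
        -j SNAT --to-source "$PUB_IP"
    # Replies for 192.168.2.0/24 are handed to the inner router, not ARPed for.
    run ip route add "$LAN2" via "$INNER_ROUTER" dev "$GW_LAN_IF"
    # The resolver on this box must also accept queries from the second LAN
    # (BIND: allow-query { 192.168.0.0/20; }; in named.conf).
}

# On 192.168.1.15: this is where 2.0/24 -> 1.0/24 packets actually pass,
# so the restriction lives here. Rules are appended in evaluation order.
inner_router_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Replies to established connections first (1.0/24 may still open
    # connections into 2.0/24; only the reverse is blocked).
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The gateway is the one host on 1.0/24 the second LAN may talk to,
    # and only for DNS, the service the clients are pointed at.
    run iptables -A FORWARD -s "$LAN2" -d "$GW" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -s "$LAN2" -d "$GW" -p tcp --dport 53 -j ACCEPT
    # Everything else from 2.0/24 into 1.0/24 is refused ...
    run iptables -A FORWARD -s "$LAN2" -d "$LAN1" -j REJECT
    # ... and the rest of 2.0/24's traffic (internet-bound, next hop the
    # gateway, destination outside 1.0/24) goes on.
    run iptables -A FORWARD -s "$LAN2" -j ACCEPT
}

gateway_rules
inner_router_rules
```

The inner router matches on addresses rather than interfaces because, as set up in step a), eth0 and eth0:0 are the same physical interface, so -i/-o cannot separate the two LANs there.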

iptables – port forwarding

January 30, 2010

My Linux gateway server is the only one visible to the internet, while all other machines are in an internal subnet not visible from the outside, but they can access the outside net using iptables-based Network Address Translation (NAT).

In this setup, if I want to run a public service like httpd not on the gateway server (where it is visible to the outside) but on an internal machine (which is not visible outside), how do I make it available to the outside internet? To expose an internal machine's service to the outside we need to use port forwarding on the gateway server, which means assigning a port on the gateway to accept all connections and forward them to the internal machine's port where the service is listening.

Let xxx.xxx.xxx.xxx be the IP address of the gateway server connected to the cable modem and 192.168.0.2 the IP address of the internal machine. Say we want to run a web server (httpd) on 192.168.0.2 on port 80 which should be available to the outside internet. We can forward port 80 on xxx.xxx.xxx.xxx to port 80 of 192.168.0.2:

Source: xxx.xxx.xxx.xxx:80 — forwarded to -> 192.168.0.2:80

Port Forwarding using Iptables
First set the rule,

iptables -t nat -A PREROUTING -p tcp -i eth1 --dst [public IP] --dport 80 -j DNAT --to-destination 192.168.0.2:80

Here
-t, table
-A, Append rule to the end of a chain
PREROUTING, a pre-defined chain of the nat table, traversed before the routing decision
-p, protocol
-i, Match the “input” interface on which the packet enters
-o, Match the “output” interface on which the packet exits
--dst, The flag --dst is an alias for the option -d
--dport, TCP destination port
-j, Jump to the specified target when the packet matches the current rule
DNAT, Valid only in the nat table, in the PREROUTING and OUTPUT chains
--to-destination, New destination address (and optionally port) of the packet

To view the rules applied in the nat table –

iptables -t nat -vnL --line-numbers

Now, finally, to let the forwarded traffic through –

iptables -I FORWARD 3 -o eth1 -s 192.168.0.2 -j ACCEPT

Here 3 means the rule is inserted at position three of the FORWARD chain (in the default filter table, since no -t nat is given).

To delete an existing rule –

iptables -t nat -D PREROUTING 4

Here, 4 means rule number 4 in the PREROUTING chain of the nat table.
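As an added example (not the post's commands), here is the complete port forward for the scenario above, public :80 -> 192.168.0.2:80, on a gateway whose FORWARD policy is DROP. The post's "-I FORWARD 3 -o eth1 -s 192.168.0.2 -j ACCEPT" admits the replies leaving towards the internet; the inbound half, new connections entering on eth1 for 192.168.0.2:80, is the rule the DNAT cannot work without, and it must match the rewritten (internal) destination because FORWARD runs after PREROUTING. Conntrack then covers the replies in both directions. eth1 as the public interface comes from the post; 203.0.113.10 is a constructed stand-in (documentation range) for xxx.xxx.xxx.xxx. The script prints the commands unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example: complete port forward for public :80 -> 192.168.0.2:80 on a
# gateway whose FORWARD policy is DROP. eth1 as the public interface comes
# from the post; 203.0.113.10 is a constructed stand-in for xxx.xxx.xxx.xxx.
# Prints the commands unless APPLY=1 (then run as root).

PUB_IF=eth1
PUB_IP=203.0.113.10           # constructed, documentation range

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Done once: deny forwarding by default, admit replies in both directions.
forward_baseline() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# $1 = public port, $2 = internal host, $3 = internal port
port_forward() {
    # nat PREROUTING: rewrite the destination before the routing decision.
    run iptables -t nat -A PREROUTING -i "$PUB_IF" -p tcp -d "$PUB_IP" --dport "$1" \
        -j DNAT --to-destination "$2:$3"
    # filter FORWARD runs after DNAT, so it must match the rewritten
    # destination, not the public address; NEW connections only, and only
    # those that entered on the public interface.
    run iptables -A FORWARD -i "$PUB_IF" -p tcp -d "$2" --dport "$3" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# The numbers in this listing are what -D PREROUTING <n> and -I <n> refer to.
show_nat_rules() {
    run iptables -t nat -vnL PREROUTING --line-numbers
}

forward_baseline
port_forward 80 192.168.0.2 80
show_nat_rules
```

Each additional service is one more port_forward call; keeping the FORWARD match on the internal address and port means an attacker who reaches the public address gets exactly the one socket you forwarded and nothing else on 192.168.0.2.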