Massivetechinterview.blogspot.in

Linux iptables

Subscribe to Massivetechinterview.blogspot.in

2016-09-07

http://serverfault.com/questions/631462/port-forwarding-with-iptables-connection-refused

The configuration works as is but not for local requests. So if some other host in the network (e.g. from 10.42.42.15) tries to connect, everything should work as expected.

For connections from localhost I found http://unix.stackexchange.com/a/113651

Just add:

http://www.systutorials.com/816/port-forwarding-using-iptables/

http://jensd.be/343/linux/forward-a-tcp-port-to-another-ip-or-port-using-nat-with-iptables
When a packet passes through Iptables, it passes a set of chains. Decisions made by those chains are called rules and that’s basically how you configure Iptables.

Overview of the chains used by Iptables

For our setup to work, we need to add a DNAT and SNAT rule (Prerouting and Postrouting). The first one will make sure that the packet gets routed to the other host (ip: 10.2.2.2) and the second one will make sure that the source address of the packet is no longer the original one but the one of the machine who performed the NAT. That way, the packet will be sent back to it’s original source via the host which owns ip 10.1.1.1.

To check if IP forwarding is enabled:

sudo sed -i 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/g' /etc/sysctl.conf

To activate the changes immediately:

sysctl -p

The next thing to do is to check if Iptables is running on the system. Iptables is running as a kernel module so it can’t be seen as one of the normal processes.

lsmod|grep iptable

If there is no output, it means that Iptables isn’t loaded.

iptables -t nat -L -n

iptables -t nat -F

Now, to forward port 9999 on host 192.168.202.103 to port 80 on host 192.168.202.105, we need to add the following rules to the iptables configuration of host 192.168.202.103:
iptables -t nat -A PREROUTING -p tcp --dport 9999 -j DNAT --to-destination 192.168.202.105:80
iptables -t nat -A POSTROUTING -p tcp -d 192.168.202.105 --dport 80 -j SNAT --to-source 192.168.202.103
iptables -t nat -L -n

To permanently save the rules, execute iptables-save
https://www.digitalocean.com/community/tutorials/how-to-forward-ports-through-a-linux-gateway-with-iptables
ip -4 addr show scope global

The highlighted output above shows two interfaces (eth0 and eth1) and the addresses assigned to each (192.51.100.45 and 192.168.1.5 respectively). To find out which of these interfaces is your public interface, type:

We want to configure our firewall so that traffic flowing into our public interface (eth0) on port 80 will be forwarded to our private interface (eth1).

iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT

This will let the first packet, meant to establish a connection, through the firewall. We also need to allow any subsequent traffic in both directions that results from that connection. To allow ESTABLISHED and RLEATED traffic between our public and private interfaces, type:

We can double check that our policy on the FORWARD chain is set to DROP by typing:

https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules
iptables -S

If you want to limit the output to a specific chain (INPUT, OUTPUT, TCP, etc.), you can specify the chain name directly after the -S option. For example, to show all of the rule specifications in the TCP chain, you would run this command:

To output all of the active iptables rules in a table, run the iptables command with the -L option:

iptables -L INPUT
iptables -L INPUT -v

Flush All Chains

To flush all chains, which will delete all of the firewall rules, you may use the -F, or the equivalent --flush, option by itself:

http://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html

Linux iptables Pocket Reference

Netfilter, and iptables is the command used to configure it.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:8080

-t nat

Operate on the nat table...

-A PREROUTING

... by appending the following rule to its PREROUTING chain.

-i eth1

Match packets coming in on the eth1 network interface...

-p tcp

... that use the tcp (TCP/IP) protocol

--dport 80

... and are intended for local port 80.

-j DNAT

Jump to the DNAT target...

--to-destination 192.168.1.3:8080

... and change the destination address to 192.168.1.3 and destination port to 8080.

iptables defines five "hook points" in the kernel's packet processing pathways: PREROUTING, INPUT, FORWARD, POSTROUTING and OUTPUT.

FORWARD

... that flow through a gateway computer, coming in one interface and going right back out another.

INPUT

... just before they are delivered to a local process.

OUTPUT

... just after they are generated by a local process.

POSTROUTING

... just before they leave a network interface.

PREROUTING

... just as they arrive from a network interface (after dropping any packets resulting from the interface being in promiscuous mode and after checksum validation).

iptables comes with three built-in tables: filter, mangle, and nat. Each is preconfigured with chains corresponding to one or more of the hook points. The default table is the filter table;

nat

Used with connection tracking to redirect connections for network address translation; typically based on source or destination addresses. Its built-in chains are: OUTPUT, POSTROUTING, and PREROUTING.

filter

Used to set policies for the type of traffic allowed into, through, and out of the computer. Unless you refer to a different table explicitly, iptables operate on chains within this table by default. Its built-in chains are: FORWARD, INPUT, and OUTPUT.

/etc/sysconfig/iptables

chkconfig --list iptables

You can enable iptables for runlevels 3, 4, and 5 by running the command:

chkconfig --levels 345 iptables on

service iptables start

service iptables stop

iptables -L -v

Source NAT (SNAT) is used to share a single Internet connection among computers on a network. The computer attached to the Internet acts as a gateway and uses SNAT (along with connection tracking) to rewrite packets for connections between the Internet and the internal network.

Since SNAT entails modifying the source addresses and/or ports of packets just before they leave the kernel, it is performed through the POSTROUTING chain of the nat table.

iptables -t nat -A POSTROUTING -o eth1 -j SNAT

Destination NAT (DNAT) exposes specific services on an internal network to the outside world without linking the internal computers directly to the Internet. The gateway computer redirects connections to the specified ports to the designated internal computers and ports and arranges for return traffic to go back to the original address outside the network.

Since DNAT entails modifying the destination addresses and/or ports of packets just before they are either routed to local processes or forwarded to other computers, it is performed through the PREROUTING chain of the nat table.

For example, to forward inbound connections coming in on a gateway's port 80 (HTTP) to an internal web server running on port 8080 of 192.168.1.3, you could use a rule like this:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80

-j DNAT --to-destination 192.168.1.3:8080

Transparent Proxying

If you have an HTTP proxy (such as Squid) configured to run as a transparent proxy on your firewall computer and listen on port 8888, you can add one rule to redirect outbound HTTP traffic to the HTTP proxy:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80

-j REDIRECT --to-port 8888

http://www.linuxhorizon.ro/ssh-tunnel.html