Gentoo Forums
NAT server via iptables + port forward via proxy
orion777
Apprentice
Joined: 15 Mar 2017
Posts: 163
Location: Riga, Latvia

PostPosted: Sat Oct 06, 2018 8:56 am    Post subject: NAT server via iptables + port forward via proxy

Good day!
I need to route a single port (say 2222) over a proxy (I will try rinetd; if not, then shadowsocks or haproxy). All other traffic should be routed over a typical NAT server.

The server setup is as follows:
WAN side: eth1 192.168.8.11
LAN side: br0 192.168.10.1 (br0 has been made to be able to start wlan0 in the access point mode by using hostapd)
The NAT server does not require any strong security, so I was trying to make a simple NAT via netfilter/iptables:
Code:
pi64 /etc # iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
pi64 /etc # iptables -A FORWARD -i br0 -o eth1 -s 192.168.10.0/24 -j ACCEPT
pi64 /etc # iptables -A FORWARD -i eth1 -o br0 -d 192.168.10.0/24 -j ACCEPT
pi64 /etc # iptables -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 192.168.8.11
iptables: No chain/target/match by that name.

Since I feel like a complete beginner with iptables, I can't deal with this error and am asking for help.
Further, port 2222 should be redirected by the proxy, and NOT by the NAT, but I'm unsure how to exclude port 2222 from the NAT and forward it to the local proxy.

Thank you.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 12939

PostPosted: Sat Oct 06, 2018 4:31 pm    Post subject:

POSTROUTING is in the nat table, not the filter table. You did not specify -t table, so the default is filter. Add -t nat to your iptables command.

If that still does not work, you might be missing support for the SNAT target. It is governed by the Kconfig symbol NETFILTER_XT_NAT.

For user-space interception, you want the REDIRECT target. That requires the Kconfig symbol NETFILTER_XT_TARGET_REDIRECT.
orion777
Apprentice
Joined: 15 Mar 2017
Posts: 163
Location: Riga, Latvia

PostPosted: Sun Oct 07, 2018 7:30 am    Post subject:

Okay, so
Code:
pi64 ~ # iptables -A FORWARD -i br0 -o eth1 -s 192.168.10.0/24 -j ACCEPT
pi64 ~ # iptables -A FORWARD -i eth1 -o br0 -d 192.168.10.0/24 -j ACCEPT
pi64 ~ # iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 192.168.8.11
pi64 ~ # iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.10.0/24      0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            192.168.10.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
pi64 ~ #


in the /usr/src/linux/.config I have
NETFILTER_XT_NAT=m
NETFILTER_XT_TARGET_REDIRECT=m

After this I'm still unable to access the internet from the Windows machine, which is connected to br0, but it is able to ping both eth1 192.168.8.11 (WAN side) and br0 192.168.10.1 (LAN side):
Code:
c:\>ipconfig

Windows IP Configuration


Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::99e2:3d5:70d1:bcae%4
   IPv4 Address. . . . . . . . . . . : 192.168.10.93
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1

c:\>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.

Ping statistics for 8.8.8.8:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C
c:\>ping 192.168.10.1

Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=4ms TTL=64
Reply from 192.168.10.1: bytes=32 time=4ms TTL=64

Ping statistics for 192.168.10.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 4ms, Average = 4ms
Control-C
^C
c:\>ping 192.168.8.11

Pinging 192.168.8.11 with 32 bytes of data:
Reply from 192.168.8.11: bytes=32 time=4ms TTL=64
Reply from 192.168.8.11: bytes=32 time=5ms TTL=64
Reply from 192.168.8.11: bytes=32 time=4ms TTL=64

Ping statistics for 192.168.8.11:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 5ms, Average = 4ms
Control-C
^C
c:\>
Hu
Moderator
Joined: 06 Mar 2007
Posts: 12939

PostPosted: Sun Oct 07, 2018 4:26 pm    Post subject:

Have you enabled IPv4 forwarding? If that is not enabled, the contents of the FORWARD chain are irrelevant.

cat /proc/sys/net/ipv4/ip_forward should show 1.
bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5716

PostPosted: Mon Oct 08, 2018 5:53 am    Post subject:

I believe you're missing the masquerade rule for outgoing traffic.
orion777
Apprentice
Joined: 15 Mar 2017
Posts: 163
Location: Riga, Latvia

PostPosted: Mon Oct 08, 2018 3:48 pm    Post subject:

Hu wrote:
Have you enabled IPv4 forwarding? If that is not enabled, the contents of the FORWARD chain are irrelevant.

cat /proc/sys/net/ipv4/ip_forward should show 1.

Do I have to enable it like this?
Code:
# nano /etc/sysctl.conf
Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1


bunder wrote:
I believe you're missing the masquerade rule for outgoing traffic.

Like this?
# iptables -A FORWARD -i br0 -o eth1 -s 192.168.10.0/24 -j ACCEPT
# iptables -A FORWARD -i eth1 -o br0 -d 192.168.10.0/24 -j ACCEPT
# iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 192.168.8.11
# iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

However, this tutorial https://www.howtoforge.com/nat_iptables requires only two steps?
Code:
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables --append FORWARD --in-interface br0 -j ACCEPT
#enabling IPv4 forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
service iptables restart
but the first two lines from my config do not exist there.
Anon-E-moose
Advocate
Joined: 23 May 2008
Posts: 3485
Location: Dallas area

PostPosted: Mon Oct 08, 2018 3:53 pm    Post subject:

orion777 wrote:
Hu wrote:
Have you enabled IPv4 forwarding? If that is not enabled, the contents of the FORWARD chain are irrelevant.

cat /proc/sys/net/ipv4/ip_forward should show 1.

Do I have to enable it like this?
Code:
# nano /etc/sysctl.conf
Add/Uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1



That works on reboot, but on the fly you could do "echo 1 > /proc/sys/net/ipv4/ip_forward" to achieve the same thing (be root to do the echo), etc
Hu
Moderator
Joined: 06 Mar 2007
Posts: 12939

PostPosted: Tue Oct 09, 2018 1:39 am    Post subject:

bunder wrote:
I believe you're missing the masquerade rule for outgoing traffic.
From:
man iptables-extensions:
   MASQUERADE
       This target is only valid in the nat table, in the POSTROUTING chain.
       It should only be used with dynamically assigned IP (dialup) connections:
       if you have a static IP address, you should use the SNAT target.
In this case, his use of SNAT looks correct, and serves as a substitute for using MASQUERADE.
orion777
Apprentice
Joined: 15 Mar 2017
Posts: 163
Location: Riga, Latvia

PostPosted: Tue Oct 09, 2018 4:59 pm    Post subject:

Code:

pi64 ~ # cat /proc/sys/net/ipv4/ip_forward
0
pi64 ~ # echo 1 > /proc/sys/net/ipv4/ip_forward
pi64 ~ # cat /proc/sys/net/ipv4/ip_forward
1
pi64 ~ # iptables -A FORWARD -i br0 -o eth1 -s 192.168.10.0/24 -j ACCEPT
pi64 ~ # iptables -A FORWARD -i eth1 -o br0 -d 192.168.10.0/24 -j ACCEPT
pi64 ~ # iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 192.168.8.11


And now I'm posting this message from the Windows XP machine, connected through the Raspberry Pi with Gentoo!!! Thanks a lot!!!!

Finally, I have to do iptables-save and, in /etc/sysctl.conf, add/uncomment the lines net.ipv4.ip_forward = 1 and net.ipv4.conf.default.rp_filter = 1, okay!

But one more question: if I run some kind of proxy on the server (for example rinetd) and make it listen on a port, say 2222, will it be able to listen, or will netfilter route port 2222 into the WAN? I'm asking here because I forgot my laptop for testing.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 12939

PostPosted: Wed Oct 10, 2018 1:06 am    Post subject:

Netfilter does not prevent local processes from listening. With the right configuration, it can make their listening socket irrelevant by directing traffic away from the listener. Earlier in the thread, you discussed redirecting traffic and I recommended the REDIRECT target. You have never shown rules that use it. Without a REDIRECT target, the system will not intercept traffic crossing it. Every packet attempting to traverse the system will be either forwarded or dropped, depending on your netfilter configuration, but none will be redirected to the local system.
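The two points Hu makes in this thread, that SNAT/POSTROUTING live in the nat table (not the default filter table) and that handing port 2222 to a local proxy needs the REDIRECT target, pulled together as one reviewable ruleset. This is an added example, not code posted in the thread: it generates an iptables-restore(8) file for the thread's interfaces and addresses (br0, eth1, 192.168.10.0/24, 192.168.8.11, proxy port 2222). The DROP policy on FORWARD with a conntrack state match for WAN-to-LAN return traffic is a hardening choice the thread did not ask for, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): build the netfilter ruleset for the
# setup above in iptables-restore(8) format so it can be read before loading.
# Interfaces, addresses and the proxy port are the thread's; the FORWARD DROP
# policy and conntrack match are a conventional hardening, not the OP's rules.

# gen_rules LAN_IF WAN_IF LAN_NET WAN_IP PROXY_PORT  -> prints the ruleset
gen_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3; wan_ip=$4; proxy_port=$5
    cat <<EOF
# nat table. REDIRECT is evaluated in PREROUTING, before the routing
# decision, so TCP port $proxy_port from the LAN is delivered to the local
# listener and never reaches FORWARD or the SNAT rule in POSTROUTING.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $lan_if -p tcp --dport $proxy_port -j REDIRECT --to-ports $proxy_port
-A POSTROUTING -s $lan_net -o $wan_if -j SNAT --to-source $wan_ip
COMMIT
# filter table. LAN -> WAN is forwarded freely; WAN -> LAN only for replies
# to existing connections, so the WAN side cannot open connections inward.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -d $lan_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# ip_forward_enabled: returns 0 only if the kernel will forward IPv4 at all;
# without this the FORWARD chain is never consulted (Hu's point above).
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# apply_rules: enable forwarding if needed and load the ruleset atomically.
# Needs root; arguments are the same as gen_rules.
apply_rules() {
    ip_forward_enabled || sysctl -w net.ipv4.ip_forward=1
    gen_rules "$@" | iptables-restore
}

# Review first, then load:
#   gen_rules br0 eth1 192.168.10.0/24 192.168.8.11 2222 > /tmp/nat.rules
#   apply_rules br0 eth1 192.168.10.0/24 192.168.8.11 2222
```

gen_rules only prints, so the result can be inspected or diffed before apply_rules loads it with iptables-restore, which replaces the whole table at once instead of appending rule by rule. The REDIRECT rule matches only connections arriving on br0 for TCP port 2222; if the proxy should also take connections the gateway itself originates, the same REDIRECT is needed in the nat OUTPUT chain, the other chain in which that target is valid.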