
#1 2012-10-29 03:03:12

frostyfrog
Member
From: Utah, USA
Registered: 2011-03-27
Posts: 42

[SOLVED] "Passive" iptables based "router"?

Hello everyone, I was just curious if anyone knows how to forward all traffic to an internal IP address. I'm kinda following the rules over at https://wiki.archlinux.org/index.php/Si … AT_gateway , but I'm not entirely sure how to make it so all incoming requests go to a certain IP.

My logical setup:

ISP --> (DHCP) archlinux "router" (172.16.3.0/31) --> (172.16.3.1/31) Router (192.168.3.1/24) --> (192.168.3.0/24 network)

iptables rules (so far):

# Generated by iptables-save v1.4.15 on Sun Oct 28 22:11:35 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [27:2876]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j DROP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A fw-interfaces -i lan0 -j ACCEPT
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
COMMIT
# Completed on Sun Oct 28 22:11:35 2012

If you need any more info, feel free to ask. Hope I wasn't too confusing :S.


Edit: Working iptables script

#!/bin/bash

ipt="/usr/sbin/iptables"
LAN_IFACE="lan0"
WAN_IFACE="wan0"
INET="172.16.3.0/31"
ME="172.16.3.0/32"
ROUTER="172.16.3.1/32"

INTERNET_IP=`curl icanhazip.com`

$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t mangle -F
$ipt -t nat -X
$ipt -t mangle -X

$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P INPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

$ipt -N fw-interfaces
$ipt -N fw-open

$ipt -A INPUT -i lo -j ACCEPT

$ipt -t nat -A POSTROUTING -s $INET -o $WAN_IFACE -j MASQUERADE

$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -j fw-interfaces
$ipt -A FORWARD -j fw-open
$ipt -A fw-interfaces -i lan0 -j ACCEPT
$ipt -A fw-open -d $ROUTER -j ACCEPT
$ipt -A fw-open -i lan0 -d 8.8.8.8/32 -j ACCEPT
$ipt -t nat -A PREROUTING -i wan0 -j DNAT --to-destination 172.16.3.1

$ipt -A INPUT -p tcp -i $LAN_IFACE -s $INET -d $ME --dport 80 -j ACCEPT
$ipt -A INPUT -p udp -i $LAN_IFACE -s $INET --dport 53 -j ACCEPT
$ipt -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT
$ipt -A INPUT -p udp --dport 67 -j ACCEPT

$ipt -A INPUT -p tcp -i $LAN_IFACE --dport 32 -j ACCEPT

$ipt -A INPUT -p icmp --icmp-type echo-request -j REJECT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$ipt -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT


$ipt -A PREROUTING -t nat -p tcp -i $LAN_IFACE -s $INET -d $INTERNET_IP --dport 80 -j DNAT --to-destination 172.16.3.1:80
$ipt -A PREROUTING -t nat -p tcp -i $LAN_IFACE -s $INET -d $INTERNET_IP -j DNAT --to-destination 172.16.3.1
$ipt -A POSTROUTING -t nat -p tcp -s $INET -o $LAN_IFACE -d $ROUTER --dport 80 -j SNAT --to $INTERNET_IP

Last edited by frostyfrog (2013-01-19 21:13:04)


{arch32} {subtlewm}{Acer Aspire One AO532h}
{arch64} {Headless Server}
Grrr! 400 char limit sad


#2 2012-10-29 03:33:27

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,412

Re: [SOLVED] "Passive" iptables based "router"?

Just a thought, maybe you shouldn't post your IP address while simultaneously stating that you are doing work on your firewall...


#3 2012-10-29 03:53:34

frostyfrog
Member
From: Utah, USA
Registered: 2011-03-27
Posts: 42

Re: [SOLVED] "Passive" iptables based "router"?

That's why I didn't post my real internal IPs, and I stated my external IP was DHCP. ;) I'll see if my little brain can come up with any solutions while I sleep tonight.

*presses meta+L then jumps in bed, hoping to fall into REM sleep quickly*



#4 2012-10-29 03:59:37

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,412

Re: [SOLVED] "Passive" iptables based "router"?

Okay, just making sure. Sorry I don't know enough about iptables to help you out here. I set up the stateful firewall per the wiki's instructions, and haven't really worried about it since.


#5 2012-10-29 14:16:30

bangkok_manouel
Member
From: indicates a starting point
Registered: 2005-02-07
Posts: 1,554

Re: [SOLVED] "Passive" iptables based "router"?

Adjust to your liking, two NICs: one connected to the modem (WAN_IFACE), the other one is a wireless AP (WIFI_IFACE). Recheck iptables path, I'm not running this on arch. Make sure you enable packet forwarding (you may as well put it in the script), I use sysctl.conf for that. I actually have more NICs but I tried to replicate your network (one subnet), just cross fingers that I didn't forget or remove anything crucial :P

#!/bin/sh

# Define variables
ipt="/usr/sbin/iptables"
WIFI_IFACE="wlan0"
WAN_IFACE="ppp0"

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -t nat -X
$ipt -t mangle -X

# Default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

# Loopback interface
$ipt -A INPUT -i lo -j ACCEPT

# Enable IP masquerading
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

# Enable unrestricted outgoing traffic, incoming
# is restricted to locally-initiated sessions only
$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $WIFI_IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $WIFI_IFACE -o $WAN_IFACE -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# Enable internal DHCP and DNS
$ipt -A INPUT -p udp -i $WIFI_IFACE -s 192.168.3.0/24 --dport 53 -j ACCEPT
$ipt -A INPUT -p tcp -i $WIFI_IFACE -s 192.168.3.0/24 --dport 53 -j ACCEPT
$ipt -A INPUT -p udp -i $WIFI_IFACE --dport 67 -j ACCEPT

# Enable internal SSH from laptop (192.168.3.104)
$ipt -A INPUT -p tcp -i $WIFI_IFACE -s 192.168.3.104 --dport XXXXX -j ACCEPT

# Accept important ICMP messages
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

# Reject connection attempts not initiated from inside the LAN
$ipt -A INPUT -p tcp --syn -j DROP

# External SSH to desktop (192.168.3.103)
$ipt -t nat -A PREROUTING -p tcp -i $WAN_IFACE --sport 1024:65535 --dport XXXXX -j DNAT --to-destination 192.168.3.103
$ipt -A FORWARD -p tcp -i $WAN_IFACE -o $WIFI_IFACE -d 192.168.3.103 --dport XXXXX -j ACCEPT

# bittorrent (bittorrent client running on 192.168.3.103 at port XXXXX)
$ipt -t nat -A PREROUTING -p tcp -i $WAN_IFACE --sport 1024:65535 --dport XXXXX -j DNAT --to-destination 192.168.3.103
$ipt -A FORWARD -p tcp -i $WAN_IFACE -o $WIFI_IFACE -d 192.168.3.103 --dport XXXXX -j ACCEPT

# Log
$ipt -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

All design goals must be phrased in such a way that it is hard to use them as slogans to justify stupidity.


#6 2012-10-30 08:27:07

frostyfrog
Member
From: Utah, USA
Registered: 2011-03-27
Posts: 42

Re: [SOLVED] "Passive" iptables based "router"?

Modified your script, and so far things appear to be working... Except a few weird issues.

#!/bin/sh

# Define variables
ipt="/usr/sbin/iptables"
WIFI_IFACE="lan0"
WAN_IFACE="ppp0"

# Flush all active rules and delete all custom chains
$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -t nat -X
$ipt -t mangle -X

# Default policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
$ipt -t nat -P OUTPUT ACCEPT
$ipt -t nat -P PREROUTING ACCEPT
$ipt -t nat -P POSTROUTING ACCEPT
$ipt -t mangle -P PREROUTING ACCEPT
$ipt -t mangle -P POSTROUTING ACCEPT

# Loopback interface
$ipt -A INPUT -i lo -j ACCEPT

# Enable IP masquerading
$ipt -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

# Enable unrestricted outgoing traffic, incoming
# is restricted to locally-initiated sessions only
$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$ipt -A FORWARD -i $WAN_IFACE -o $WIFI_IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $WIFI_IFACE -o $WAN_IFACE -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# Enable internal DHCP and DNS
$ipt -A INPUT -p udp -i $WIFI_IFACE -s 172.16.0.1/31 --dport 53 -j ACCEPT
$ipt -A INPUT -p tcp -i $WIFI_IFACE -s 172.16.0.1/31 --dport 53 -j ACCEPT
$ipt -A INPUT -p udp -i $WIFI_IFACE --dport 67 -j ACCEPT

# Enable internal SSH from router (172.16.0.1)
$ipt -A INPUT -p tcp -i $WIFI_IFACE --dport 22 -j ACCEPT

# Accept important ICMP messages
$ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$ipt -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

# Reject connection attempts not initiated from inside the LAN
#$ipt -A INPUT -p tcp --syn -j DROP

# External packets to router (172.16.0.1)
$ipt -t nat -A PREROUTING -i $WAN_IFACE -j DNAT --to-destination 172.16.0.1
$ipt -A FORWARD -i $WAN_IFACE -o $WIFI_IFACE -d 172.16.0.1 -j ACCEPT

# Log
$ipt -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

The few issues are, for example in my test environment:
Me pinging a computer in my local network (currently this computer's WAN). 172.16.0.1 says 192.168.3.4 isn't responding, when obviously it is.

Oct 30 03:14:46 Darkstatus kernel: [ 4117.526983] FIREWALL:Forward IN=lan0 OUT=wan0 MAC=*snip*  SRC=172.16.0.1 DST=192.168.3.4 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7872 SEQ=10
Oct 30 03:14:47 Darkstatus kernel: [ 4117.589577] FIREWALL:Forward IN=wan0 OUT=lan0 MAC=*snip* SRC=192.168.3.4 DST=172.16.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=60222 PROTO=ICMP TYPE=0 CODE=0 ID=7872 SEQ=10

And me attempting a traceroute... It's odd that all of those are asterisks, isn't it?

─> traceroute 8.8.4.4
traceroute to 8.8.4.4 (8.8.4.4), 30 hops max, 60 byte packets
 1  172.16.0.0 (172.16.0.0)  1.248 ms  1.209 ms  1.201 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  google-public-dns-b.google.com (8.8.4.4)  40.658 ms  40.882 ms  40.876 ms

/etc/sysctl.conf:

net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.send_redirects = 1
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0

Thanks for the help so far :D

Last edited by frostyfrog (2012-10-30 08:27:27)



#7 2012-10-30 12:31:14

bangkok_manouel
Member
From: indicates a starting point
Registered: 2005-02-07
Posts: 1,554

Re: [SOLVED] "Passive" iptables based "router"?

What about some internal routing? Here's what I have:

# Routing
$ipt -A FORWARD -i $WIFI_IFACE -o $DMZ_IFACE -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $DMZ_IFACE -o $WIFI_IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT


#8 2012-10-30 19:09:38

frostyfrog
Member
From: Utah, USA
Registered: 2011-03-27
Posts: 42

Re: [SOLVED] "Passive" iptables based "router"?

Huh, that's weird... Isn't data from the WAN supposed to go through PreRouting and the LAN through PostRouting? Or is it supposed to work like this?

Oct 30 14:02:26 Darkstatus kernel: [ 4324.272055] FIREWALL:POST IN= OUT=lan0 SRC=192.168.3.2 DST=172.16.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=30843 DF PROTO=TCP SPT=59400 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

Oct 30 14:03:42 Darkstatus kernel: [ 4401.054052] FIREWALL:POST IN= OUT=lan0 SRC=192.168.3.4 DST=172.16.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10005 DF PROTO=TCP SPT=42729 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0

Oct 30 14:04:23 Darkstatus kernel: [ 4441.529732] FIREWALL:PRE IN=lan0 OUT= MAC=*SNIP* SRC=172.16.0.1 DST=192.168.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9544 DF PROTO=TCP SPT=34014 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0

Edit: color! And converted code to quote. Note: all the above were invoked individually, they are seconds off.

Last edited by frostyfrog (2012-10-30 23:14:55)


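Every packet that enters this box, whether it arrives on the WAN or the LAN interface, passes the PREROUTING hooks first, and every packet that leaves it passes POSTROUTING last; only packets the router generates itself skip PREROUTING and enter at OUTPUT instead. After the routing decision a packet goes through exactly one of INPUT or FORWARD. The quickest way to see that order on a live box is a rate-limited LOG rule at the head of each hook. The script below is an added example, not code from this thread or from frostyfrog's scripts; it assumes that TCP port 80 is the traffic worth watching, and it only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: put a rate-limited LOG rule at the head of
# every netfilter hook so the kernel log shows the order a packet traverses them.
# Assumption: TCP/80 is the traffic being traced; widen or narrow SELECT as needed.

SELECT="-p tcp --dport 80"
LIMIT="-m limit --limit 10/min --limit-burst 5"   # keep the kernel log readable

# ipt applies a rule only when APPLY=1; otherwise it prints the command, so the
# rule set can be reviewed (or tested) without root and without a live firewall.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# hook_log_rules -I installs one LOG rule at position 1 of each hook (so an
# earlier ACCEPT/DROP cannot hide it); hook_log_rules -D removes the same rules.
# The mangle table is used because, unlike nat, it sees every packet of a
# connection rather than only the first one.
hook_log_rules() {
    act="$1"
    # raw PREROUTING runs before connection tracking: first sight of an inbound packet.
    ipt -t raw    "$act" PREROUTING  $SELECT $LIMIT -j LOG --log-prefix "TRACE:raw-PRE "
    ipt -t mangle "$act" PREROUTING  $SELECT $LIMIT -j LOG --log-prefix "TRACE:mangle-PRE "
    # After routing, a packet is either for this box (INPUT) or transit (FORWARD).
    ipt -t mangle "$act" INPUT       $SELECT $LIMIT -j LOG --log-prefix "TRACE:mangle-IN "
    ipt -t mangle "$act" FORWARD     $SELECT $LIMIT -j LOG --log-prefix "TRACE:mangle-FWD "
    # Locally generated packets enter here instead of PREROUTING.
    ipt -t mangle "$act" OUTPUT      $SELECT $LIMIT -j LOG --log-prefix "TRACE:mangle-OUT "
    # Last hook for anything leaving the box, forwarded or locally generated.
    ipt -t mangle "$act" POSTROUTING $SELECT $LIMIT -j LOG --log-prefix "TRACE:mangle-POST "
}

trace_hooks()   { hook_log_rules -I; }
untrace_hooks() { hook_log_rules -D; }

trace_hooks
```

Run it once with APPLY=1 as root, make a single request, and read the `TRACE:` lines from `dmesg` or `journalctl -k` in order; `APPLY=1 ./script.sh` with `untrace_hooks` as the last line takes the rules out again. A forwarded connection shows raw-PRE, mangle-PRE, mangle-FWD, mangle-POST, and the same sequence for the reply in the other direction; a connection from the router itself shows mangle-OUT then mangle-POST. The raw table's `-j TRACE` target gives the same information for every rule a packet hits, at the cost of far more log output.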

#9 2013-01-19 21:15:52

frostyfrog
Member
From: Utah, USA
Registered: 2011-03-27
Posts: 42

Re: [SOLVED] "Passive" iptables based "router"?

Just wanted to say that I finally figured it out and got it working. It helped to move it into a production environment and to use the following code for NAT Loopback (man, it was tricky finding this)

$ipt -A PREROUTING -t nat -p tcp -i $LAN_IFACE -s $INET -d $INTERNET_IP --dport 80 -j DNAT --to-destination 172.16.3.1:80
$ipt -A POSTROUTING -t nat -p tcp -s $INET -o $LAN_IFACE -d $ROUTER --dport 80 -j SNAT --to $INTERNET_IP

I think it's possible to remove the port 80 and have it affect all ports, but I have yet to test it out.

Also, marked as SOLVED.

Edit: wait... it was in a production environment before >.<

Last edited by frostyfrog (2013-01-19 22:00:55)


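Dropping `-p tcp` and `--dport 80` from both rules does generalise the loopback to every port and protocol, as long as the two rules stay matched: the POSTROUTING SNAT has to cover exactly the flows the hairpin DNAT created, otherwise the inner router answers the LAN-side host directly, the reply never passes this box to be un-NATed, and the connection stalls. The script below is an added example, not frostyfrog's script; it reuses the names from the thread (lan0, wan0, 172.16.3.0/31, 172.16.3.1), uses 203.0.113.10 as a constructed stand-in for the DHCP-assigned public address, restricts the SNAT to DNATed connections with the conntrack `DNAT` state, and prints rather than applies the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not frostyfrog's script: NAT loopback (hairpin NAT) for every port
# and protocol, together with the inbound DNAT and FORWARD rules it depends on.
# Names follow the thread; 203.0.113.10 is a constructed placeholder for the
# DHCP-assigned public address (the thread fetches the real one with curl).

LAN_IFACE="lan0"
WAN_IFACE="wan0"
INET="172.16.3.0/31"          # point-to-point /31 towards the inner router
ROUTER="172.16.3.1"           # inner router: every inbound flow lands here
INTERNET_IP="203.0.113.10"    # constructed placeholder; set to the real WAN address

# ipt applies a rule only when APPLY=1; otherwise it prints the command so the
# rule set can be reviewed or tested without root and without a live firewall.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

nat_loopback_rules() {
    # 1. Internet -> inner router: rewrite the destination of everything arriving on the WAN.
    ipt -t nat -A PREROUTING -i "$WAN_IFACE" -j DNAT --to-destination "$ROUTER"
    # 2. Hairpin: a LAN-side host addressing the public IP is redirected inward as well.
    #    No -p/--dport here, so this covers all protocols and ports.
    ipt -t nat -A PREROUTING -i "$LAN_IFACE" -s "$INET" -d "$INTERNET_IP" -j DNAT --to-destination "$ROUTER"
    # 3. Hairpin return path: only for connections rule 2 DNATed (ctstate DNAT),
    #    rewrite the source to the public IP so the reply comes back through this
    #    box and conntrack reverses both translations, instead of the inner router
    #    answering the LAN host directly.
    ipt -t nat -A POSTROUTING -o "$LAN_IFACE" -s "$INET" -d "$ROUTER" -m conntrack --ctstate DNAT -j SNAT --to-source "$INTERNET_IP"
    # 4. Ordinary outbound masquerading on the WAN side.
    ipt -t nat -A POSTROUTING -s "$INET" -o "$WAN_IFACE" -j MASQUERADE
    # 5-7. Filter side (FORWARD policy is DROP in the thread's scripts): replies,
    #    DNATed inbound flows, and hairpinned flows that enter and leave on lan0.
    ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IFACE" -o "$LAN_IFACE" -d "$ROUTER" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN_IFACE" -o "$LAN_IFACE" -d "$ROUTER" -m conntrack --ctstate DNAT -j ACCEPT
}

nat_loopback_rules
```

Rule 1 mirrors the thread's catch-all DNAT on the WAN interface and rule 4 its MASQUERADE; rules 2 and 3 are the port-free form of the two NAT loopback rules in this post. The `--ctstate DNAT` match keeps rule 3 from rewriting the source of the router's own traffic to 172.16.3.1, which the thread's `-s $INET` would otherwise also catch since the /31 includes this box's address. After `APPLY=1`, `iptables -t nat -L PREROUTING -n -v` and `conntrack -L` (where the conntrack tool is installed) show whether a hairpinned connection is being translated in both directions.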