IPTables will be documented here.
connmark and mark are different. ip rule only looks at the packet mark (fwmark), never the connection mark, so a connection mark has to be copied onto each packet first, with something like -j CONNMARK --restore-mark or --match connmark --mark 2/2 -j MARK --set-mark 2.
--set-mark in both CONNMARK and MARK overwrites the whole 32-bit mark, erasing whatever was set before. To change only some bits, give a mask (--set-mark 2/2, --set-xmark 2/2) or use --or-mark.
ip rule show lists the rules in order of priority: higher on the list (lower number) means higher priority, and the rules are tried in that order. Use ip rule add ... priority N to set the priority explicitly instead of letting ip pick one.
FTP on fedora core 4
The following is a quick fix for connecting to an FTP server in active mode when the client is behind a firewall. This was done on a Fedora Core 4 system, but it should be general enough to be easily adapted to other distros.
Problem: The client connects to the FTP server with no problem, but as soon as any action is attempted, such as listing directories with ls, the connection hangs. The cause is that in active FTP mode the client tells the server (with the PORT command) a high port on which it is listening; the server then tries to connect back to that port, and the client's firewall blocks the incoming connection.
Solution: The remedy here is to open all high ports. From a security standpoint this is probably a bad idea, but I'm not all that concerned since the machine won't be listening on any of those ports except the one used by the FTP client. One can use netstat -ta to see which TCP ports are listening. In this case, it turned out that the FTP client only used ports > 30000, so we'll open those in IPTables.
Open all TCP ports >= 30000 (on a Fedora Core system, where INPUT jumps to the RH-Firewall-1-INPUT chain):
/sbin/iptables --insert RH-Firewall-1-INPUT 1 --protocol tcp --destination-port 30000:65535 -j ACCEPT
That's it for now, but I'll likely come back and add a more secure fix to the problem when I have time. The cleaner fix is the FTP connection-tracking helper (modprobe ip_conntrack_ftp; nf_conntrack_ftp on newer kernels): it watches the PORT command on the control connection and classifies the server's data connection as RELATED, so the usual RELATED,ESTABLISHED rule accepts it without opening a whole port range.
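To see why the hang happens and whether the rule above actually covers the port in question, here is an added example (not from the original notes) that decodes the PORT command an active-mode client sends and checks the announced data port against the opened range. The 30000:65535 range, the `ftp_port_to_endpoint`, `data_port_allowed` and `check_capture` names and the sample capture lines are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: decode the PORT command an
# active-mode FTP client sends and check the announced data port against
# the range opened by the iptables rule above. The 30000:65535 range and
# the sample capture lines are assumptions constructed for the example.

OPEN_LO=30000
OPEN_HI=65535

# ftp_port_to_endpoint 'PORT h1,h2,h3,h4,p1,p2'  ->  prints h1.h2.h3.h4:port
# The client announces the address and port it is listening on; the server
# then connects from its port 20 to that endpoint. The port is carried as two
# 8-bit halves, high byte first, which is why it is hard to guess in advance.
ftp_port_to_endpoint() {
    fields=$(printf '%s' "$1" | tr -d '\r' | sed 's/^PORT[[:space:]]*//')
    old_ifs=$IFS
    IFS=,
    set -- $fields
    IFS=$old_ifs
    if [ $# -ne 6 ]; then
        echo "malformed PORT command: $fields" >&2
        return 1
    fi
    printf '%s.%s.%s.%s:%d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# data_port_allowed 'PORT ...'  ->  exit status 0 if the announced port falls
# inside the range the firewall rule accepts, 1 if the server's data
# connection would be dropped (the "ls hangs" symptom), 2 on a parse error.
data_port_allowed() {
    endpoint=$(ftp_port_to_endpoint "$1") || return 2
    port=${endpoint##*:}
    [ "$port" -ge "$OPEN_LO" ] && [ "$port" -le "$OPEN_HI" ]
}

# check_capture (reads stdin): scan text such as `tcpdump -A port 21` output
# for PORT commands and report one line per command found.
check_capture() {
    grep -o 'PORT [0-9][0-9,]*' | while read -r line; do
        endpoint=$(ftp_port_to_endpoint "$line") || continue
        if data_port_allowed "$line"; then
            echo "$endpoint allowed"
        else
            echo "$endpoint BLOCKED (outside $OPEN_LO:$OPEN_HI)"
        fi
    done
}

# Constructed sample: two PORT commands as they would appear in a capture.
# 117*256+48 = 30000 is inside the opened range; 4*256+1 = 1025 is not.
SAMPLE_CAPTURE='PORT 192,168,1,10,117,48
200 PORT command successful.
PORT 192,168,1,10,4,1'

# Usage: printf '%s\n' "$SAMPLE_CAPTURE" | check_capture
```

Feed it a real capture of the control connection (tcpdump -A port 21) and every PORT the client sent is reported as allowed or blocked by the 30000:65535 rule; a client that announces a port below 30000 is exactly the case the quick fix does not cover.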
Bridging interfaces and forwarding
This is essentially a step-by-step guide to setting up forwarding with openvpn over the tap0 device.
sudo openvpn --mktun --dev tap0
sudo brctl addbr br0
sudo brctl addif br0 tap0
sudo ifconfig br0 10.20.30.1 netmask 255.255.255.0
sudo ifconfig tap0 10.20.30.1 netmask 255.255.255.0
sudo sysctl net.ipv4.ip_forward=1
# Use ONE of the next two rules. With both appended, the SNAT rule matches first and MASQUERADE is never reached.
sudo iptables -A POSTROUTING -t nat --match iprange --src-range 10.20.30.15-10.20.30.19 -j SNAT --to-source 220.127.116.11
# MASQUERADE is better if you don't want to change the --to-source IP by hand whenever the external address changes.
sudo iptables -A POSTROUTING -t nat --match iprange --src-range 10.20.30.15-10.20.30.19 -j MASQUERADE
sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD --match iprange --src-range 10.20.30.15-10.20.30.19 -i br0 -j ACCEPT
sudo iptables -A FORWARD --match state --state RELATED,ESTABLISHED --match iprange --dst-range 10.20.30.15-10.20.30.19 -o br0 -j ACCEPT
# optional: the FTP connection-tracking helper, so active-FTP data connections count as RELATED
#sudo modprobe ip_conntrack_ftp
# forward incoming UDP on port 123 to port 53, which the server is really listening on.
sudo iptables -t nat -A PREROUTING --proto udp --dport 123 -j DNAT --to-destination :53
- give the tap device an IP, even if it isn't using it. If pinging doesn't work, re-run ifconfig on the tap, then on the bridge.
- ifup tap0
Simple NAT Script
Here is a script that I found on the internets. It makes the current machine run as a gateway for the other computers on the eth1 network while sending and receiving traffic to/from the internet on eth0.
IPTABLES=/sbin/iptables
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " FWD: Allow all connections OUT and only existing and related ones IN"
# "only existing and related ones IN" holds only if the FORWARD policy is DROP;
# the kernel default is ACCEPT, which would let everything through.
$IPTABLES -P FORWARD DROP
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
Port Forwarding in a NAT
# Forward an outside connection to an internal system:
iptables -A FORWARD -p tcp --dest 10.20.30.15 --dport 8082 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 8082 -j DNAT --to-destination 10.20.30.15:8082
# First, tell it to do the DNAT on incoming connections. This rewrites the destination of
# _incoming_ connections on eth0:8081 to 10.20.30.15:8080.
sudo iptables -A PREROUTING -t nat --protocol tcp -i eth0 --dport 8081 -j DNAT --to-destination 10.20.30.15:8080
# The next two lines let the forwarded connection's packets through the FORWARD chain.
# Allow the return packets (from 10.20.30.15:8080 back out) of those connections:
sudo iptables -A FORWARD --protocol tcp --match state --state RELATED,ESTABLISHED --source-port 8080 -j ACCEPT
# The FORWARD chain sees the packet _after_ PREROUTING has done the DNAT, so this rule
# matches the internal address and port (10.20.30.15:8080), not eth0:8081.
sudo iptables -A FORWARD --protocol tcp --destination 10.20.30.15 --destination-port 8080 -j ACCEPT
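The three rules a port forward needs, wrapped in a small shell helper so the order of evaluation (DNAT in PREROUTING first, then FORWARD seeing the already-rewritten destination, then the return path) is written down once. This is an added example, not a script from the original notes; eth0, the internal host 10.20.30.15, the port numbers and the `forward_port` and `demo_rules` names are assumptions. It expects the FORWARD policy to be DROP, as in the bridge setup above; run with IPT=echo to review the rules without touching the firewall.

```shell
#!/bin/sh
# Added example, not from the original notes: emit the three rules a port
# forward on a NAT gateway needs, in the order the kernel evaluates them.
# eth0, 10.20.30.15 and the ports are assumptions. It assumes the FORWARD
# policy is DROP; with IPT=echo the rules are printed instead of applied.

IPT="${IPT:-/sbin/iptables}"
EXTIF="${EXTIF:-eth0}"

# forward_port EXTPORT INTIP INTPORT [PROTO]
#  1. nat/PREROUTING rewrites the destination (DNAT) before the routing
#     decision, for connections arriving on the external interface only.
#  2. filter/FORWARD runs after that rewrite, so it sees INTIP:INTPORT as the
#     destination; a FORWARD rule matching EXTPORT would never hit.
#  3. Replies traverse FORWARD in the other direction and only need
#     ESTABLISHED,RELATED; the reverse translation happens automatically
#     in nat/POSTROUTING from the conntrack entry.
forward_port() {
    extport=$1
    intip=$2
    intport=$3
    proto=${4:-tcp}
    "$IPT" -t nat -A PREROUTING -i "$EXTIF" -p "$proto" --dport "$extport" \
        -j DNAT --to-destination "$intip:$intport"
    "$IPT" -A FORWARD -i "$EXTIF" -p "$proto" -d "$intip" --dport "$intport" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -o "$EXTIF" -p "$proto" -s "$intip" --sport "$intport" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# demo_rules: render the rules for the case from the notes above
# (eth0:8081 -> 10.20.30.15:8080) without applying them.
demo_rules() {
    ( IPT=echo; forward_port 8081 10.20.30.15 8080 )
}

# Usage (as root, applying for real): forward_port 8081 10.20.30.15 8080
# Usage (review only):                 demo_rules
```

Binding the DNAT to -i eth0 keeps internal hosts that talk to the gateway on 8081 from being silently redirected too; the FORWARD rule on the inbound side matches the post-DNAT destination, which is the point the commented rules above were trying to make.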
differential routing based on packet source
sudo iptables -A INPUT -t mangle -i tap0 -j CONNMARK --set-mark 2
# Alternatively, mark by source MAC instead of by interface:
# sudo iptables -A INPUT -t mangle --match mac --mac-source 00:ff:c2:e9:94:5c -j CONNMARK --set-mark 2
# ip rule only sees the packet mark, so copy the connection mark onto the replies we send:
sudo iptables -A OUTPUT -t mangle --match connmark --mark 2/2 -j CONNMARK --restore-mark
# marked packets are routed with table 2 instead of the main table:
sudo ip rule add from all fwmark 2 table 2
sudo ip route add 192.168.100.0/24 dev eth0 table 2
sudo ip route add 18.104.22.168 via 192.168.100.1 table 2
sudo ip route add default via 10.20.30.1 table 2
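The same setup as a script, applying the two points made at the top of the page: marks are set and restored through a mask so only one bit is touched (plain --set-mark wipes the rest), and the ip rule gets an explicit priority so its position in ip rule show is known. This is an added example, not from the original notes; tap0, eth0, bit 0x2, table 2, priority 100, the gateway addresses and the `mark_rules`, `route_rules`, `teardown` and `render` names are assumptions. Run with IPT=echo IP=echo (or call render) to review the commands without applying them.

```shell
#!/bin/sh
# Added example, not from the original notes: mark every connection that
# arrives on one interface and route the locally generated replies through a
# dedicated table. tap0, eth0, bit 0x2, table 2, priority 100 and the gateway
# addresses are assumptions; IPT=echo IP=echo prints instead of applying.

IPT="${IPT:-/sbin/iptables}"
IP="${IP:-/sbin/ip}"
IFACE="${IFACE:-tap0}"
MARK=0x2        # the one bit this policy owns
MASK=0x2        # ...and the mask that protects everyone else's bits
TABLE=2
PRIO=100        # lower number = earlier in `ip rule show`, so higher priority

mark_rules() {
    # Store the mark on the *connection* (conntrack entry), so later packets
    # of the same flow, in either direction, can find it again.
    # --set-xmark MARK/MASK clears only the MASK bits before setting MARK;
    # plain --set-mark would overwrite the whole 32-bit mark.
    "$IPT" -t mangle -A INPUT -i "$IFACE" \
        -j CONNMARK --set-xmark "$MARK/$MASK"
    # ip rule consults only the packet mark, so copy the connection mark onto
    # each reply packet we generate; --nfmask/--ctmask keep the copy to our bit.
    "$IPT" -t mangle -A OUTPUT -m connmark --mark "$MARK/$MASK" \
        -j CONNMARK --restore-mark --nfmask "$MASK" --ctmask "$MASK"
}

route_rules() {
    # Packets carrying the bit are looked up in TABLE before the main table.
    # fwmark MARK/MASK matches on the bit alone, whatever the other bits hold.
    "$IP" rule add fwmark "$MARK/$MASK" table "$TABLE" priority "$PRIO"
    "$IP" route add 192.168.100.0/24 dev eth0 table "$TABLE"
    "$IP" route add default via 10.20.30.1 table "$TABLE"
}

# teardown: undo everything, in reverse order; the explicit priority is what
# makes the ip rule deletable without guessing the number ip chose.
teardown() {
    "$IP" route flush table "$TABLE"
    "$IP" rule del priority "$PRIO"
    "$IPT" -t mangle -D OUTPUT -m connmark --mark "$MARK/$MASK" \
        -j CONNMARK --restore-mark --nfmask "$MASK" --ctmask "$MASK"
    "$IPT" -t mangle -D INPUT -i "$IFACE" \
        -j CONNMARK --set-xmark "$MARK/$MASK"
}

# render: print the commands without applying them.
render() {
    ( IPT=echo; IP=echo; mark_rules; route_rules )
}

# Usage (as root): mark_rules; route_rules        # later: teardown
```

Because only bit 0x2 is ever written or read, a second policy can own 0x4 in the same chains without either one clobbering the other, which is the failure mode the --set-mark note at the top of the page warns about.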
transparent redirection of certain internet traffic: http://www.ex-parrot.com/~pete/upside-down-ternet.html