IPTables will be documented here.

random notes

FTP on fedora core 4

The following gives a quick-fix for connecting to an active ftp when the client is behind a firewall. This was done on a fedora core 4 system, but hopefully it's general enough to be easily done on other distros.

Problem: The client connects to the ftp server without trouble, but as soon as any action is attempted, such as listing directories with ls, the connection hangs. The cause is that in active ftp mode the client tells the server a (high) port on which it is listening, and the server then opens a connection back to that port. The client's firewall blocks that incoming connection.

Solution: The remedy here is to open all high ports. From a security standpoint this is probably a bad idea, but I'm not all that concerned since the machine won't be listening on any of the ports except the one related to the ftp. One can use netstat -ta to see which ports are listening for tcp. In this case, it turned out to be only on ports > 30000, so we'll open those in IPTables.

Open all tcp ports > 30000 (on fedora core system):

/sbin/iptables --insert RH-Firewall-1-INPUT 1 --protocol tcp --destination-port 30000:65535 -j ACCEPT

That's it for now, but I'll likely come back and add a more secure fix to the problem when I have time.
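A stateful alternative to opening tcp 30000:65535, added here as an example and not part of the original note: load the ftp connection-tracking helper so the server's connect-back data connection is recognised as RELATED to the control connection the client opened, and accept only that. It assumes the Fedora RH-Firewall-1-INPUT chain used above; the DRY_RUN switch and the function names are my own.

```sh
#!/bin/sh
# Added example (not from the original note): let connection tracking admit the
# active-ftp data connection instead of opening tcp 30000:65535 to everyone.
# Assumes the Fedora default RH-Firewall-1-INPUT chain and the ip_conntrack_ftp
# helper (called nf_conntrack_ftp on newer kernels).
# Set DRY_RUN=1 to print the commands instead of executing them.
IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"
FTP_HELPER="${FTP_HELPER:-ip_conntrack_ftp}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Load the helper so conntrack parses the PORT command on the control
# connection and marks the server's connect-back to that port as RELATED,
# then accept RELATED/ESTABLISHED traffic at the top of the chain.
# To survive a reboot on Fedora, also list the helper in IPTABLES_MODULES
# in /etc/sysconfig/iptables-config.
active_ftp_rules() {
    run /sbin/modprobe "$FTP_HELPER"
    run "$IPTABLES" -I "$CHAIN" 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Once the helper is in place the blanket high-port rule from the note above
# can be deleted again (iptables -D matches on the parsed rule, so --dport
# here matches the --destination-port spelling used when it was inserted).
remove_high_port_rule() {
    run "$IPTABLES" -D "$CHAIN" -p tcp --dport 30000:65535 -j ACCEPT
}

# Only act when invoked with an explicit verb; sourcing the file does nothing.
case "${1:-}" in
    apply) active_ftp_rules && remove_high_port_rule ;;
    show)  DRY_RUN=1; active_ftp_rules; remove_high_port_rule ;;
esac
```

Run it as `sh ftp-conntrack.sh show` to review the rules first and `apply` (as root) to install them.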

Bridging interfaces and forwarding

This is essentially a step-by-step guide to setting up forwarding with openvpn over the tap0 device.

# create the persistent tap device, then bridge it
sudo openvpn --mktun --dev tap0
sudo brctl addbr br0
sudo brctl addif br0 tap0
# the address lives on the bridge; the bridged port itself carries no address and only needs to be up
sudo ifconfig br0 10.20.30.1 netmask 255.255.255.0
sudo ifconfig tap0 0.0.0.0 up

sudo sysctl net.ipv4.ip_forward=1

sudo iptables -A POSTROUTING -t nat --match iprange --src-range 10.20.30.15-10.20.30.19 -j SNAT --to-source 146.6.143.225
# this is better if you don't want to manually change the --to-source IP
sudo iptables -A POSTROUTING -t nat --match iprange --src-range 10.20.30.15-10.20.30.19 -j MASQUERADE

sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD --match iprange --src-range 10.20.30.15-10.20.30.19 -i br0 -j ACCEPT
sudo iptables -A FORWARD --match state --state RELATED,ESTABLISHED --match iprange --dst-range 10.20.30.15-10.20.30.19 -o br0 -j ACCEPT
##
##sudo modprobe ip_conntrack_ftp

# forward incoming on port 123 to port 53, which the server is really listening on.
sudo iptables -t nat -A PREROUTING --proto udp --dport 123 -j DNAT --to-destination :53

Hints:

Simple NAT Script

Here is a script that I found on the internets. It makes the current machine run as a gateway for the other computers on the eth1 network while sending and receiving traffic to/from the internet on eth0.

#!/bin/sh
IPTABLES=/sbin/iptables

EXTIF="eth0"
INTIF="eth1"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

Port Forwarding in a NAT

# Forward an outside connection to an internal system:

iptables -A FORWARD -p tcp --dest 10.20.30.15 --dport 8082 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 8082 -j DNAT --to-destination 10.20.30.15:8082

# First, tell it to do the DNAT on incoming connections.  This rewrites the destination of
# _incoming_ connections arriving on eth0 port 8081 to 10.20.30.15:8080.
sudo iptables -A PREROUTING -t nat --protocol tcp -i eth0 --dport 8081 -j DNAT --to-destination 10.20.30.15:8080

# The FORWARD chain still has to let the rewritten connection through, in both directions.
# Allow return packets from the internal server (source port 8080):
sudo iptables -A FORWARD --protocol tcp --match state --state RELATED,ESTABLISHED --source-port 8080 -j ACCEPT
# this last one may not make sense.  But the general idea is that the
# NAT is done _before_ the forward chain sees it, so the rule matches the
# rewritten destination 10.20.30.15:8080, not the public port 8081.
sudo iptables -A FORWARD --protocol tcp --destination 10.20.30.15 --destination-port 8080 -j ACCEPT

differential routing based on packet source

sudo iptables -A INPUT -t mangle -i tap0 -j CONNMARK --set-mark 2
# Alternatively, you could do: 
#  sudo iptables -A INPUT -t mangle --match mac --mac-source 00:ff:c2:e9:94:5c -j CONNMARK --set-mark 2
sudo iptables -A OUTPUT -t mangle --match connmark --mark 2/2 -j CONNMARK --restore-mark

sudo ip rule add from all fwmark 2 table 2
sudo ip route add 192.168.100.0/24 dev eth0 table 2
sudo ip route add 128.59.74.2 via 192.168.100.1 table 2
sudo ip route add default via 10.20.30.1 table 2

fun

transparent redirection of certain internet traffic: http://www.ex-parrot.com/~pete/upside-down-ternet.html

DebianNotes/IPTables (last edited 2010-05-16 19:33:06 by noway)