Routing

From Attie's Wiki

Revision as of 16:16, 26 March 2014


The Linux `route` command

Below is a list of useful commands.

# show the routing table, with numeric addresses
route -n
# add a default route, through eth0, via 192.168.1.1
route add default dev eth0 gw 192.168.1.1
# add a route to 10.150.0.0/24 through eth0
route add -net 10.150.0.0/24 dev eth0
# add a route to 10.150.0.0/24 through eth0, and the gateway 192.168.0.15
route add -net 10.150.0.0/24 gw 192.168.0.15 dev eth0

SIOCADDRT: No such process

The most unhelpful error possible. It generally means you have done something silly... check:

  • Your addresses - e.g. is the gateway you specified actually directly accessible through the interface?

The Linux `iptables` command

# list the current rules (not very useful without -v)
iptables -vL
 
# list the current rules in the NAT table
iptables -t nat -vL

NAT

Setup

To set up NAT between interfaces eth0 (outside) and tun0 (inside, e.g. a VPN server):

INSIDE=tun0
OUTSIDE=eth0
# enable IPv4 forwarding between interfaces (this does not survive a reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward
# rewrite the source address of traffic leaving via the outside interface
iptables -t nat -A POSTROUTING -o ${OUTSIDE} -j MASQUERADE
# only let replies to existing connections back in from outside to inside
iptables -A FORWARD -i ${OUTSIDE} -o ${INSIDE} -m state --state RELATED,ESTABLISHED -j ACCEPT
# let anything from inside out
iptables -A FORWARD -i ${INSIDE} -o ${OUTSIDE} -j ACCEPT

Port Forwarding

# uses OUTSIDE from the NAT setup above
EXTERNAL_PORT=230
INTERNAL_HOST=192.168.0.4
INTERNAL_PORT=23
# rewrite the destination before routing; the forwarded connection still has to be
# accepted by the FORWARD chain (new connections from outside are not accepted by
# the RELATED,ESTABLISHED rule above, so this relies on the chain's default policy)
iptables -t nat -A PREROUTING -i ${OUTSIDE} -p tcp --dport ${EXTERNAL_PORT} -j DNAT --to ${INTERNAL_HOST}:${INTERNAL_PORT}

Port Forwarding

This is possibly an unexpected use of port forwarding. Here, we are inside a restrictive network that permits internet-bound traffic on port 80, but not 22. The network's internet-side IP is ${EXT_IP}

iptables -t nat -A PREROUTING -p tcp --dport 80 -s ${EXT_IP} -j REDIRECT --to-port 22

After running this, we can connect to our SSH server using port 80. Any attempt to access the web server from this network will fail, but others will be blissfully unaware!

Teardown

# remove the first rule in the 'FORWARD' chain, twice - you added two (forward & reverse)
iptables -D FORWARD 1
iptables -D FORWARD 1
# remove the MASQUERADE rule from the NAT table (the PREROUTING rules above are not removed here)
iptables -t nat -D POSTROUTING 1
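The NAT setup, port forward and teardown above as one script; this is an added example, not from Attie's Wiki. It keeps every rule in a single list and derives both the `-A` and the `-D` commands from it, so teardown deletes each rule by its exact specification instead of by position (deleting rule 1 removes whatever happens to be first if the chain was changed in between). It goes slightly beyond the page by adding the FORWARD rule a DNAT needs when the FORWARD policy is DROP; interface names, ports and the internal host are the page's example values, overridable from the environment.

```shell
#!/bin/sh
# Added example, not from Attie's Wiki: keeps the page's NAT and port-forward
# rules in one list and derives both setup and teardown from it, so teardown
# deletes each rule by its exact specification (iptables -D <spec>) rather
# than by position. Values below are the page's examples (assumed defaults).
INSIDE="${INSIDE:-tun0}"
OUTSIDE="${OUTSIDE:-eth0}"
EXTERNAL_PORT="${EXTERNAL_PORT:-230}"
INTERNAL_HOST="${INTERNAL_HOST:-192.168.0.4}"
INTERNAL_PORT="${INTERNAL_PORT:-23}"

# One rule per line: "<table> <chain> <match and target arguments>".
# The last FORWARD rule is an addition to the page: with a FORWARD policy of
# DROP the DNAT'ed connection is otherwise never forwarded, because the
# OUTSIDE->INSIDE rule only accepts RELATED,ESTABLISHED traffic.
rule_specs() {
    cat <<EOF
nat POSTROUTING -o ${OUTSIDE} -j MASQUERADE
filter FORWARD -i ${OUTSIDE} -o ${INSIDE} -m state --state RELATED,ESTABLISHED -j ACCEPT
filter FORWARD -i ${INSIDE} -o ${OUTSIDE} -j ACCEPT
nat PREROUTING -i ${OUTSIDE} -p tcp --dport ${EXTERNAL_PORT} -j DNAT --to-destination ${INTERNAL_HOST}:${INTERNAL_PORT}
filter FORWARD -i ${OUTSIDE} -o ${INSIDE} -p tcp -d ${INTERNAL_HOST} --dport ${INTERNAL_PORT} -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Turn each spec into a full iptables command; $1 is -A (append) or -D (delete).
emit_cmds() {
    rule_specs | while read -r table chain args; do
        printf 'iptables -t %s %s %s %s\n' "$table" "$1" "$chain" "$args"
    done
}

setup_cmds() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    emit_cmds -A
}

# Delete in reverse order of insertion; sed '1!G;h;$!d' reverses lines portably.
teardown_cmds() {
    emit_cmds -D | sed '1!G;h;$!d'
}

# No argument: print the commands. "setup" / "teardown": execute them (needs root).
case "${1:-show}" in
    setup)    setup_cmds | sh -e ;;
    teardown) teardown_cmds | sh -e ;;
    *)        setup_cmds; echo '# --- teardown ---'; teardown_cmds ;;
esac
```

Run it without arguments first and check the printed rules against `iptables -t nat -vL` and `iptables -vL FORWARD` after `setup`, then confirm `teardown` leaves both chains as they were.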