Routing
Contents |
The Linux `route` command
Below is a list of useful commands
# show the routing table, with numeric addresses route -n # add a default route, through eth0, via 192.168.1.1 route add default dev eth0 gw 192.168.1.1 # add a route to 10.150.0.0/24 through eth0 route add -net 10.150.0.0/24 dev eth0 # add a route to 10.150.0.0/24 through eth0, and the gateway 192.168.0.15 route add -net 10.150.0.0/24 gw 192.168.0.15 dev eth0
SIOCADDRT: No such process
The most unhelpful error possible. It generally means you have done something silly... check:
- Your addresses - e.g. is the gateway you specified actually directly accessible through the interface?
The Linux `iptables` command
# list the current rules (not very useful without -v) iptables -vL # list the current rules in the NAT table iptables -t nat -vL
NAT
Setup
To setup NAT between interfaces eth0 (outside) and tun0 (inside - e.g. a VPN server)
INSIDE=tun0 OUTSIDE=eth0 echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -o ${OUTSIDE} -j MASQUERADE iptables -A FORWARD -i ${OUTSIDE} -o ${INSIDE} -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i ${INSIDE} -o ${OUTSIDE} -j ACCEPT
Port Forwarding
EXTERNAL_PORT=230 INTERNAL_HOST=192.168.0.4 INTERNAL_PORT=23 iptables -t nat -A PREROUTING -i ${OUTSIDE} -p tcp --dport ${EXTERNAL_PORT} -j DNAT --to ${INTERNAL_HOST}:${INTERNAL_PORT}
Port Forwarding 2
This is possibly an unexpected use of port forwarding.
Here, we are inside a restrictive network that permits internet-bound traffic on port 80, but not 22.
The network's internet-side IP is ${EXT_IP}
iptables -t nat -A PREROUTING -p tcp --dport 80 -s ${EXT_IP} -j REDIRECT --to-port 22
After running this, we can connect to our SSH server using port 80. Any attempt to access the web server from this network will fail, but others will be blissfully unaware!
'Proxying'
This is untested, but should allow access to ${SOME_HOST} on ${SOME_PORT} via your server, on port ${MY_PORT}
iptables -t nat -A PREROUTING -p tcp --dport ${MY_PORT} -j DNAT --to-destination ${SOME_HOST}:${SOME_PORT} iptables -t nat -A POSTROUTING -p tcp --dport 110 -j MASQUERADE
'Proxying' 2
Again, this is untested, but should allow access to ${SOME_HOST} when in fact you were trying to talk to ${REAL_HOST}
iptables -t nat -A PREROUTING -d ${REAL_HOST} -j DNAT --to-destination ${SOME_HOST} iptables -t nat -A POSTROUTING -s ${SOME_HOST} -j SNAT --to-source ${REAL_HOST}
Teardown
# remove the first item in the 'FORWARD' table, twice - you added two (forward & reverse) iptables -D FORWARD 1 iptables -D FORWARD 1 iptables -t nat -D POSTROUTING 1
Prevent Linux from responding to its other addresses
When you have a Linux machine setup with two interfaces, it's possible to communicate with it, from either interface, using either address, even if ip_forward
is set to 0
.
To prevent this, you have to specifically tell the system to drop messages that are received unless they are sent to the suitable address.
Here's an example:
ifconfig eth0 up 192.168.0.1/24 iptables -I INPUT -i eth0 ! -d 192.168.0.0/24 -j DROP ifconfig eth1 up 192.168.1.1/24 iptables -I INPUT -i eth1 ! -d 192.168.1.0/24 -j DROP