Routing

From Attie's Wiki
Revision as of 16:05, 16 December 2015 by Attie (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Contents

The Linux `route` command

Below is a list of useful commands

# show the routing table, with numeric addresses
route -n
# add a default route, through eth0, via 192.168.1.1
route add default dev eth0 gw 192.168.1.1
# add a route to 10.150.0.0/24 through eth0
route add -net 10.150.0.0/24 dev eth0
# add a route to 10.150.0.0/24 through eth0, and the gateway 192.168.0.15
route add -net 10.150.0.0/24 gw 192.168.0.15 dev eth0

SIOCADDRT: No such process

The most unhelpful error possible. It generally means you have done something silly... check:

  • Your addresses - e.g. is the gateway you specified actually directly accessible through the interface?

The Linux `iptables` command

# list the current rules (not very useful without -v)
iptables -vL
 
# list the current rules in the NAT table
iptables -t nat -vL

NAT

Setup

To setup NAT between interfaces eth0 (outside) and tun0 (inside - e.g. a VPN server)

INSIDE=tun0
OUTSIDE=eth0
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o ${OUTSIDE} -j MASQUERADE
iptables -A FORWARD -i ${OUTSIDE} -o ${INSIDE} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${INSIDE} -o ${OUTSIDE} -j ACCEPT

Port Forwarding

EXTERNAL_PORT=230
INTERNAL_HOST=192.168.0.4
INTERNAL_PORT=23
iptables -t nat -A PREROUTING -i ${OUTSIDE} -p tcp --dport ${EXTERNAL_PORT} -j DNAT --to ${INTERNAL_HOST}:${INTERNAL_PORT}

Port Forwarding 2

This is possibly an unexpected use of port forwarding. Here, we are inside a restrictive network that permits internet-bound traffic on port 80, but not 22. The network's internet-side IP is ${EXT_IP}

iptables -t nat -A PREROUTING -p tcp --dport 80 -s ${EXT_IP} -j REDIRECT --to-port 22

After running this, we can connect to our SSH server using port 80. Any attempt to access the web server from this network will fail, but others will be blissfully unaware!

'Proxying'

This will allow access to ${SOME_HOST} on ${SOME_PORT} via your server, ${MY_HOST} on ${MY_PORT}

iptables -t nat -A PREROUTING -p tcp -d ${SOME_HOST} --dport ${SOME_PORT} -j DNAT --to-destination ${MY_HOST}:${MY_PORT}
iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE

'Proxying' 2

Again, this is untested, but should allow access to ${SOME_HOST} when in fact you were trying to talk to ${REAL_HOST}

iptables -t nat -A PREROUTING -d ${REAL_HOST} -j DNAT --to-destination ${SOME_HOST}
iptables -t nat -A POSTROUTING -s ${SOME_HOST} -j SNAT --to-source ${REAL_HOST}

Teardown

# remove the first item in the 'FORWARD' table, twice - you added two (forward & reverse)
iptables -D FORWARD 1
iptables -D FORWARD 1
iptables -t nat -D POSTROUTING 1

Prevent Linux from responding to its other addresses

When you have a Linux machine setup with two interfaces, it's possible to communicate with it, from either interface, using either address, even if ip_forward is set to 0. This is because Linux uses a Weak Host Model. To prevent this, behavior you have to specifically tell the system to drop messages that are received unless they are sent to the suitable address.

Here's an example that will configure the system like a home 'router', with port 22 (SSH) forwarded to 192.168.1.1

INSIDE=eth0
INSIDE_IP=192.168.1.1
INSIDE_NET=192.168.1.0
INSIDE_MASK=24
 
OUTSIDE=eth1
OUTSIDE_IP=100.64.0.1
OUTSIDE_NET=100.64.0.0
OUTSIDE_MASK=24
# flush any existing rules
iptables -F
iptables -t nat -F
 
# setup some reasonable defaults
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
 
# setup the interfaces
ifconfig ${OUTSIDE} up ${OUTSIDE_IP}/${OUTSIDE_MASK}
ifconfig ${INSIDE} up ${INSIDE_IP}/${INSIDE_MASK}
 
# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
 
# setup NATing
iptables -t nat -A POSTROUTING -o ${OUTSIDE} -j MASQUERADE
iptables -A FORWARD -i ${OUTSIDE} -o ${INSIDE} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${INSIDE} -o ${OUTSIDE} -j ACCEPT
 
# allow the internal people to get out
iptables -I INPUT -i ${INSIDE} -s ${INSIDE_NET}/${INSIDE_MASK} -j ACCEPT
 
# allow the external people to get to US ONLY
iptables -I INPUT -i ${OUTSIDE} -d ${OUTSIDE_IP} -j ACCEPT

Basic

Alternatively, if you're just after the ability to prevent this cross-interface communication, then use this (yes, you could invert the DROP/ACCEPT to achieve the same result)

ifconfig eth0 up 192.168.0.1/24
iptables -I INPUT -i eth0 ! -d 192.168.0.0/24 -j DROP
 
ifconfig eth1 up 192.168.1.1/24
iptables -I INPUT -i eth1 ! -d 192.168.1.0/24 -j DROP

Also...

Look at rp_filter (Reverse Path Filter) [1]

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox