I am trying to forward/clone traffic from my host machine to my docker container using IPtables command.
I am able to receive traffic inside my container via iptables TEE command. However, this command changes the ethernet header by replacing SRC ethernet mac with host ethernet mac. I am interested in collecting this data for my project.
Is there any other way I can achieve this?
Commands used:
1. iptables -t mangle -I PREROUTING -i <host_interface_name>-p tcp -j TEE --gateway <container_ip>
2. iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination <container_ip:port>
IPtables operate at the network layer and route the packet from the host where the rules were added. Therefore, we cannot avoid update of the source mac. I've tried using TPROXY, FORWARD, ACCEPT. Found the documentation for this at https://ipset.netfilter.org/iptables-extensions.man.html#lbDU
Achieved my requirement using : Linux TC. Simple inbuild Linux Traffic Controller can be used for shaping traffic moving through your interfaces.
https://man7.org/linux/man-pages/man8/tc-mirred.8.html
Related
In Ubuntu 16.04LTS, I typed the folllowing lines:
iptables -F
iptables -X
iptables -A INPUT -m mac --mac-source 1C:**:2C:**:72:**:78 -j ACCEPT
here is the result of iptables -L -nvx.
I can't access my web server (port 80) with the machine that MAC address is
1C:**:2C:**:72:**:78.
However, with rule iptables -P INPUT ACCESS on the web server, it works well.
Could anyone give me any solution or advice for this?
Thanks.
I believe that it will not work with you except that your PC is on the same LAN with the WEB server.
Because if you where on different LAN then your packets will reach the server with the mac address with the latest network interface before the web server (which is the network switch interface mac address).
So you can filter the packets based on MAC address only if you where on the same LAN.
You need to supply the MAC address in the form xx:xx:xx:xx:xx:xx, not with :: in between. I.e.:
iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
From man iptables:
--mac-source [!] address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.
I'm conecting to a VPN in Windows to access a remote computer (Linux) with a static IP. From this remote computer I have access to different machines (database, svn, etc.).
I am trying to set up my remote computer to have access from my Windows machine to the database, the svn server, etc, because working on a remote connection is very slow.
So I tried the next lines in /etc/rc.local, but it doesn't work:
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -d B1.B2.B3.B4 --dport 89 -j DNAT --to R1.R2.R3.R4:89
/sbin/iptables -A FORWARD -p tcp -d R1.R2.R3.R4 --dport 89 -j ACCEPT
Where B1.B2.B3.B4 is my remote database IP, 89 is the port we use to access the database, and R1.R2.R3.R4 is my remote machine IP.
What is wrong in this configuration?
Thanks.
Make sure ip_forward is enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward
Also, you need to make sure the VPN pushes routes for B1.B2.B3.B4 to your Windows machine when connecting; if not, you'll have to add the routes yourself.
I think the MASQUERADE rule should be enough, but write it like this:
iptables -t nat -A POSTROUTING -s WINDOWS_BOX_VPN_IP -j MASQUERADE
But if you don't want to mess with iptables, you can use SSH to setup tunnels to your remote services, for example (you need some Windows SSH client that can create tunnels, I'm giving an example how to run this from a linux box):
ssh user#R1.R2.R3.R4 -L 8989:B1.B2.B3.B4:89
This will create a tunnel on localhost:8989 which will forward the connection to B1.B2.B3.B4:89 (look for "Local port forwarding", http://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/ )
At the end I found Rinetd that allows TCP redirections with an easy configuration.
According to my question, the configuration I had to add in /etc/rinetd.conf is:
R1.R2.R3.R4 89 B1.B2.B3.B4 89
Then I run Rinetd:
/usr/sbin/rinetd
And that's all.
If you want to run it automatically everytime you restart your computer, you can add the command before in the file /etc/rc.local
i REALLY need some help before my laptop goes through the wall.
I want to run a virtual machine through tor middlebox. I want the entire VM`s connection to go through the tor network. (Im wanting to setup my hidden service and for my needs this will work best)
I started by looking here - http://www.howtoforge.com/how-to-set-up-a-tor-middlebox-routing-all-virtualbox-virtual-machine-traffic-over-the-tor-network
I know this is old but i figured i`d give it a go anyway.
For reference my Host machine is running Ubuntu 13.04 and the VM will be running 12.04LTS. On virtualbox
Well i have tor installed as per the guide, i have gone though the setup steps. But it didnt work. My VM will not connect to the net. I checked ifconfig and i am recieving an ip address, but i cant get a connection to the web to check i am running through tor.
I`ve spent a good few hours on this but i cant get it working, im just at point and click mode now. Looked at so many sites, and almost all of them point back to the original. I have tried tweaking the settings, and looked at numerous forums. But i cant get this working.
If i try using the tor browser bundle, it refuses to start tor, stating the it hasn`t got permission or cant listen on 172.16.0.1:53. tried using vidalia bundle for the tor install but that refuses to find the tor exec (not really an issue)
Here are the settings i am trying to run with...
/etc/network/interfaces
as stated in guide
/etc/dnsmasq.conf
interface=vnet0
listen-address=192.168.1.1
dhcp-range=172.16.0.2,172.16.0.254,1h
/etc/tor/torrc
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.0.1
TransListenAddress 192.168.1.1
DNSPort 53
DNSListenAddress 172.16.0.1
DNSListenAddress 192.168.1.1
middlebox.sh
#!/bin/sh
# destinations you don't want routed through Tor
NON_TOR="192.168.1.0/24 192.168.0.0/24"
# the UID Tor runs as
TOR_UID="109"
# Tor's TransPort
TRANS_PORT="9040"
# your internal interface
INT_IF="vnet0"
iptables -F
iptables -t nat -F
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
for NET in $NON_TOR; do
iptables -t nat -A OUTPUT -d $NET -j RETURN
iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -A FORWARD -i $INT_IF -p udp -j DROP
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for NET in $NON_TOR 127.0.0.0/8; do
iptables -A OUTPUT -d $NET -j ACCEPT
done
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT
Does this article help you? http://www.mike-warren.com/articles/routing-vm-traffic-through-tor.html
The short version is:
host runs a tun/tap device
host runs a VDE switch (which puts packets from the VM into the tap device)
host has iptables NAT rules to shovel tap device traffic into Tor
host runs Tor as transparent proxy
VM has static IP, connected to VDE switch
Instead of all that, you could run TAILS instead. https://tails.boum.org/
Consider running tails as vm guest.
Use a vm snapshot to avoid booting from tails live dvd (iso)
Assuming that I am the Server, and I want to watch bandwidth of downloading and uploading for the specific MAC address. With the uploading monitor chain. I use this:
iptables -N clientA_upload and then iptables -A FORWARD -m mac --mac-source 00:11:22:33:44:55:66 and it works just fine. - But when it comes to the downloading chain. I use iptables -A FORWARD -m mac --mac-destination 00:11:22:33:44:55:66 and the iptables doesn't support the mac-destination. Please help me out
P/s: I just want to monitor by MAC address. Not ip address. Because in android OS. It doesn't support byte countering using IP address. So please help !!!
For the missing --mac-destination the trick is to combine iptables --mac-source with CONNMARK:
First use --mac-source to match packets coming from the mac address you're interested in.
use CONNMARK to mark the whole connection, ie both directions (!) and
now check packets going in the other direction with the connection mark.
# lan interface
if_lan=eth0
# packets going to mac address will pass through this:
iptables -t mangle -N clientA_download
# mark connections involving mac address:
iptables -t mangle -A PREROUTING -i $if_lan -m state --state NEW -m mac --mac-source 00:11:22:33:44:55 -j CONNMARK --set-mark 1234
# match packets going to mac address:
iptables -t mangle -A POSTROUTING -o $if_lan -m connmark --mark 1234 -j clientA_download
Initially i thought this would only work for tcp connections originating from the lan, but given the definition of --state NEW it should work in both directions for both tcp and udp (!)
For counters see also ipset which is very nice for this.
Policy Routing on Linux based on Sender MAC Address was the inspiration for this answer.
There is no such thing as --mac-destination. You have to move to ebtables for that.
You are confusing downloading and uploading rules.
Rule 1: iptables -A FORWARD -m mac --mac-source 00:11:22:33:44:55:66
is appended to the ipchain and checks the given mac in forwarding chain.
Now you need to check your mac in input chain, so instead of applying the second rule in FORWARD chain, apply it in INPUT chain:
Rule 2: iptables -I INPUT -m mac --mac-destination 00:11:22:33:44:55:66
I am making a packet filtering program running on Ubuntu 12.04 which uses libipq as the library for copying packets into userspace. The logic of libipq works fine for me, my issue is that I have noticed a significant performance hit from using libipq to not using libipq. If I remove my iptable rules that I added for my program and let the kernel handle the packets, the speed is 50 MB/s. However, when using libipq and having restored my iptables rule, the speed goes down to 1 MB/s (if i'm lucky), it's usually half of that.
I wonder, could something be wrong with my iptable rules? Could there be a more efficient use of rules, or is libipq simply that inefficient (or my code even though I don't do that much)? Here is the script I use to setup my iptable rules:
#!/bin/sh
modprobe iptable_filter
modprobe ip_queue
iptables -A FORWARD -p icmp -j QUEUE
iptables -A FORWARD -p tcp -j QUEUE
iptables -A FORWARD -p udp-j QUEUE
iptables -A INPUT -p icmp -j QUEUE
iptables -A INPUT -p tcp -j QUEUE
iptables -A INPUT -p udp -j QUEUE
Other than that, my iptable rules are the default set that came with Ubuntu.
NOTE: My setup is for a client and server VM on two different subnets and using my Ubuntu VM to bridge both using NAT and ip masquerading.
Libipq has been deprecated in favour of the newer libnetfilter_queue