We are trying to implement something like bump in the wire sceario with the kubernetes pod running as bump.
so basically we have traffic for a paticular destination we intercept the traffic in kubernetes pod and throw it again towards destination .
To run this scenario we started of with squid proxy which would redirect the outgoing traffic to kubernetes pod(bump) and once inside pod we would run iptables rule to redirect the processed packets again to destination ip.
The iptables rule used : iptables -t nat -A PREROUTING -p tcp --dport 3124 -j DNAT --to-destination 1.1.1.1
however this iptable rule does not work(also i need the returning traffic to be redirected to original destination ie after getting processed in pod)
so say destination is 172.172.172.172(some ip outside the cluster) squid has been setup to redirect this destination traffic to service which has node port enabled(hence new destination is minionip:nodeport). when the traffic reaches the pod.. after processing the data outgoing traffic has to be set to original destination(172.172.172.172) instead of going back
I cant seem to find a way. is there any iptable rule to do so taking in consideration of kubertes setup iptables rules.
also is there any other elegant way to do so.
please help.
Related
I'am making a CloudFlare Zero Trust connection as cloudflared in Debian 11 linux server.
Everything is working, where firewall is disabled.
When user go to xx.yyy.com is redirecting to log in with CloudFlare Access, then (when access is granted) user can see log in option of Portainer.
Portainer is in the docker container, and Portainer ports are on loopback interface.
"127.0.0.2:8000->8000/tcp"
"127.0.0.2:9443->9443/tcp"
I have a problem when I'm turning on the iptables firewall with INPUT, FORWARD and OUTPUT rules for DROP, even if I have:
iptables -A INPUT -i lo -j ACCEPT
The error is:
"error="Unable to reach the origin service."
Of course, common iptables rules are used and CloudFlare IP addresses (and zero trust addresses) are white-listed.
Could anybody help me, please? :D
Have a wonderful day!
There is a docker container running in bridge network mode. Inside the container, it creates a connection to, say, 10.123.123.1:6666. I'd like to block this connection on host through IPTABLES, something like sudo iptables -I OUTPUT -p tcp -d 10.123.123.1 -j DROP, but it doesn't work. Could anyone help me on this please?
I can't even see this connection on host by command netstat -an, but I can see it inside the container.
I don't have to use IPTABLES, but I can't change the configuration of the docker running.
These packets are going through INPUT & OUTPUT chains in the container's network namespace, and not in the host's network namespace.
All your host network namespace does is forward these packets so you need to alter the FORWARD chain with a rule similar to iptables -I FORWARD -p tcp -d 10.123.123.1 -j DROP. Bear in mind that Docker alters iptables rules which may punch holes in the firewall.
I am looking for the right command to open ports only to specific domains. The domain and its subdomain, go to the same server (CentOS)
However, for security reasons, I only want to open the posts on specific subdomains.
On the other domains the ports should not be reachable, so the ftp port 21 should only be open on ftp.domain.com and not on e.g. ssh.domain.com or mysql.domain.com
So I want to block everything (exclude port 80 and 443) and only allow specific ports to specific domains.
example
21 on ftp.domain.com
22 on ssh.domain.com
3306 on mysql.domain.com
I know it should work with iptables, but unfortunately I have trouble finding the right command.
I have found this only but i will only accept incoming ports.
iptables -A OUTPUT -p udp --sport 53 -m string --string "google.com" --algo bm -j ACCEPT
Maybe you have a more elegant solution than iptables.
You can do this by using some reverse proxy server. The proxy server can filter the desired traffic to the actual service.
So how it will work is -
Let all your request come to reverse proxy server. eg. HAPROXY or nginx (both work at Layer 4 and 7)
Put a rule for the hostname in the proxy server config.
Forward the desired traffic to the actual host.
I have a running AWS EC2 instance on an Ubuntu machine running a Nodejs server.
Everything works fine then opening the website via its public ip on port 3000 likes this:
http://XX.XXX.XXX.XXX:3000
Now I want to redirect all requests from port 80 to this port 3000 via iptables like described in this video: https://www.youtube.com/watch?v=WxhFq64FQzA via
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000.
Unfortunately I am getting this error: http://prntscr.com/lja6hx when opening the site like this: http://XX.XXX.XXX.XXX (without port 3000 specified)
P.S.: I'm not really sure if my approach is correct. I am open to other ways of achieving a redirect from port 80 (http) to port 3000
As #Vorsprung suggested I should use an Application Load Balancer. I did this but it's still not working. Here is my setup:
My Application Load Balancer Listener
The Target Group I'm forwarding to in my ALB
My hosted zone (I've added the alias for the ALB here)
Please let me know if something is missing
either use nginx see https://nodebb.readthedocs.io/en/latest/configuring/proxies/nginx.html
or
you are on AWS! Use an ALB.. see https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancer-tutorials.html
I use linux router for accessing internet via PPPoE. This box has two interfaces: eth0 for internal LAN and eth1 for establish a ppp0-interface on a PPPoE-Modem. For firewalling and port forwarding I use iptables with nat.
This works as expecting: I can go in the internet from the LAN, I can access certain service in the LAN from outside by port forwarding:
iptables -t nat -A PREROUTING -p tcp --dport 9999 -DNAT --to 192.168.2.10:22
(as an example for accessing the ssh-port of a certain machine inside my LAN from outside)
But I want to access a single machine (192.168.8.2) on the WAN-Port eth1 from inside of the LAN:
for this reason, the eth1 is configured as:
ip addr add 192.168.8.1 dev eth1
So I can ssh 192.168.8.2 from the console on the router. This works as expected. but I want to access this also from machines from the LAN.
iptables -t nat -A PREROUTING -p tcp --dport 9997 -DNAT --to 192.168.8.2:22
but this isnt going to work. I see packets coming from my LAN-side-machine going in on eth0 and addressing 192.168.8.2, but I dont get an answer.
can someone point me to, where my error is?
thanks in advance
Marco
Unless the server (192.168.8.2) knows how to get back to the computers on the LAN (would have to check routing for traffic coming back from that server), you would have to add a -t nat POSTROUTING rule on the router to make it look like it's traffic that's going out from the router (which I would guess is already accessible from 192.168.8.2). The the traffic would be able to get back to the router when the server is responding and the router would take care of unNATing it.