force raw packets to go through iptables [closed] - linux

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 11 months ago.
When using raw sockets to create raw ethernet frames, the resulting packets are not traversing the iptables, even if the frames created represent valid ethernet + ip + udp packets. In my case this happens with the ISC-DHCP-client. I can understand why this happens and this is fine so far.
That being said, what additional infrastructure could I nevertheless put in place to get a chance to process those packets in iptables?
I'd be fine with stuff like (additional) virtual interfaces, bridges, or something like that. But so far I couldn't find the right combination of them.

I had a similar problem in a previous project where I had to man-in-the-middle a TCP session inside a LAN. To do so, on my gateway laptop I needed to route incoming traffic to a local process running the MITM attack. I used iptables but of course it was not working since the communication between the 2 hosts inside the LAN was happening at L2, not triggering iptables. After A LOT of struggling I solved it in this way:
I created a bridge between the 2 interfaces that the attacked hosts used to communicate (say eth0 and eth1). Then you can use ebtables (man page ebtables), which allows you to force frames matching a specific rule to go through iptables. E.g., in my case:
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-dport 8009 -j redirect --redirect-target DROP
The above rule is basically saying that: frames coming into eth0, carrying TCP packets destined to port 8009, should be sent to iptables.
Quoting the man page:
Making it DROP in the BROUTING chain will let the frames be routed.
If you want a good reference about the interaction iptables/ebtables, I used this one ebtables/iptables. Hope it can help.

Related

iptables / forward request to specific IP to wifi network [closed]

Closed last year.
I'm struggling with the Linux tool "iptables".
Following situation:
I have a RaspberryPi running with HASS (Home Assistant) connected via ethernet.
Now I want to add my inverter to home assistant, but this needs to be done by using its own WiFi network. So I need to forward requests to IP 11.11.11.1 (only this IP, not all traffic) to the wifi network.
Is that doable with iptables? Meaning defining a rule which says "target is 11.11.11.1, so let's put this to the wifi network".
I'm actually not sure whether iptables can do that or not. I read something about nginx, but not sure how this would work.
iptables -A FORWARD -i eth0 -o wlan0 -p tcp --destination 11.11.11.1
That command did the trick. Now all TCP requests to 11.11.11.1 are forwarded to Wifi (wlan0) interface.
If someone sees any mistakes in that, please reply as I'm not really familiar with network settings and Linux commands. Thx.

Can a hacker spoof any IP address of his choice? [closed]

Closed 2 years ago.
For example.
Let's say we have the following linux server:
host-server: 54.215.128.59
This server will only accept connections from the following ip: 159.65.32.123
If a hacker only knows this information.
Could he be able to trick the host-server that the connection is coming from 159.65.32.123?
This way he would be jumping any firewall established.
It isn't very likely. Nothing is stopping you from defining your own IP address to whatever you want. In linux you can do it with (assuming your network interface is eth0):
sudo ifconfig eth0 159.65.32.123/24
If you are behind a NAT then you'll have to change its address and not yours. However, ISPs should have anti-spoofing measures in place that block packets with an IP address they didn't assign you.
There is also the problem of the return path. When the server will want to send something to this address, the packet will be routed according to the routing rules of all the nodes in the way, which are unlikely to point to the hacker's ISP.
If you are on a LAN with the server then it should be more possible, though you will likely need to handle the collision of IP addresses, and the problem of spoofing IP addresses on a different subnet. One option is to use ARP poisoning and do a MitM between the server and the router.
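The two obstacles named in this answer (source-address filtering at the ISP and the return path) can be modelled as a strict reverse-path check on a routing table. This is an added example, not part of the original answer; the routing table, interface names and the 203.0.113.0/24 and 198.51.100.0/24 customer prefixes are constructed assumptions.

```python
import ipaddress

# Constructed routing table of a hypothetical ISP edge router. The two /24s are
# documentation prefixes standing in for blocks assigned to two customers.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
    (ipaddress.ip_network("203.0.113.0/24"), "cust-a"),
    (ipaddress.ip_network("198.51.100.0/24"), "cust-b"),
]

def lookup(addr, routes=ROUTES):
    """Longest-prefix match: the interface used to send traffic towards addr."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, iface) for net, iface in routes if ip in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def strict_rpf_accepts(src, in_iface, routes=ROUTES):
    """Strict reverse-path check: the route back to the claimed source must
    leave through the interface the packet arrived on."""
    return lookup(src, routes) == in_iface

def classify(packets, routes=ROUTES):
    """Return (src, in_iface, verdict, reply_iface) for each packet."""
    out = []
    for in_iface, src, _dst in packets:
        verdict = "accept" if strict_rpf_accepts(src, in_iface, routes) else "drop"
        out.append((src, in_iface, verdict, lookup(src, routes)))
    return out

# Constructed sample packets: (arrival interface, claimed source, destination).
PACKETS = [
    ("cust-a", "203.0.113.7", "54.215.128.59"),     # customer using its own address
    ("cust-a", "159.65.32.123", "54.215.128.59"),   # claims the allow-listed address
    ("cust-b", "203.0.113.7", "54.215.128.59"),     # claims a neighbour's address
    ("upstream", "159.65.32.123", "203.0.113.7"),   # genuine traffic from upstream
]

if __name__ == "__main__":
    for src, iface, verdict, reply in classify(PACKETS):
        print(f"{src:15} in={iface:8} {verdict:6} replies leave via {reply}")
```

The last field shows the return-path problem independently of the filter: replies to 159.65.32.123 leave via the upstream interface, never towards the customer port that claimed the address.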

Iptables setup on VPN client having LAN [closed]

Closed 5 years ago.
I am struggling with some problem, probably because there is simply not enough information on the web regarding some specifics I am trying to setup.
I have bought OpenVPN service via tun (routing).
I connect to the OpenVPN server through Raspberry PI (serving me as router), which has two interfaces - eth0 for handling Internet connection and wlan0 for my internal LAN.
My goal is to set up the firewall in such a way that I can filter tun-ned incoming traffic and be able to reach the web from the LAN behind wlan0. Also - everything should go via VPN.
From the architectural point of view I think it should look like this:
INPUT, FORWARD - dropped,
OUTPUT - allowed,
eth0 allows to flow only packets via default OpenVPN service port,
tun adapter should have all INPUT-related policies applied and should be NAT-ted.
What do you think - is this correct thinking? I have managed so far to be able to ping from SSH-ed Raspberry PI into web, but yet no DNS - do I understand correctly that I should have my own DNS forwarder? DHCP server is set on Raspberry PI.
Thanks!
I have already solved the issue. For those who are interested - incoming packets from LAN are processed by openvpn client (tun/tap), then passed over internet-facing interface. So it was a matter of setting correct forwarding between interfaces. /etc/resolv.conf just had to be overwritten with global (like Google) DNSes to solve ping-related problem.

IP needed on Linux bridge between 2 TAP interfaces? [closed]

Closed 7 years ago.
I am trying to setup openvpn on a server so that I have 2 different tap interfaces (tap0 and tap1) and then a bridge connecting those interfaces. The idea is that a client on tap0 will be able to talk to a client on tap1 and vice-versa.
There is no physical NIC involved in the bridge and the Bridge interface is setup with no ip/netmask/broadcast.
I am able to ping between the 2 when they are both connected however I see no traffic when trying to tcpdump the bridge interface.
I am a bit confused on some things:
1. Do I need to have an ip configured on the bridge interface at all? I don't quite see the reason for it as all it will do is to make two virtual interfaces talk to each other.
2. Is the fact that the bridge interface does not have an assigned ip/netmask/broadcast the reason I am not able to see the ping traffic on the bridge interface when tcpdumping that interface?
3. If the answer to number 2 is Yes, I assume that it is also not possible to use iptables to block/allow traffic on that interface, correct? If so is there any other way to accomplish what one would do with iptables on an interface like that?
I guess this wasn't the proper place to put this question but I thought I'd put an update anyway to close the issue.
Turns out that you do not need an assigned ip address on the bridge and it is possible to tcpdump. I happened to be working in containers which made the traffic go outside the vpn when pinging.

Linux iptable simple concentrator [closed]

Closed 9 years ago.
Hi All :) I have a simple question for who is strong in networking and iptables :)
I set up a test Apache server on 192.168.0.1, very simple, and want to concentrate all tcp/ip requests to it.. but unfortunately I can't find the working list of options for iptables myself, something keeps not working..
So here is what I need: I need to forward all eth0 frames TCP/IP requests directed to external IPs, instead towards the local 192.168.0.1:80.
E.g. if my browser sends a HTTP request to external ip 1.2.3.4, the kernel has to "rewrite" the destination ip from 1.2.3.4 to 192.168.0.1:80, and send it to my Apache.
And of course the browser has to receive the answer back.
What is the list of rules? Thanks :)
Everything depends on where you want to apply that rule. On the machines generating the traffic? On the gateway? Somewhere else?
The solution for the machine making the request is:
iptables -t nat -A OUTPUT -m tcp -p tcp ! -d 192.168.0.1 -j DNAT --to-destination 192.168.0.1:80
