I am trying to implement wireless access point on my embedded platform. I have implemented some parts like running wireless card as access point, dhcp server and some forwarding rules (via iptables).
I have tried several iptables commands. results of all are the same. The last one I decided to use is:
iptables -t nat -F
iptables -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
echo '1' > /proc/sys/net/ipv4/ip_forward
Access point runs successfully, clients can connect to it and get ip address. However there is DNS problem. Clients could not resolve the hostnames but they can connect via ip addresses.
DHCP configuration is as below:
interface wlan0
start 192.168.7.11
end 192.168.7.20
max_leases 10
option subnet 255.255.255.0
option router 192.168.7.1
#option dns 192.168.7.2 192.168.7.4
option domain local
option lease 864000
lease_file /conf/udhcpd.leases
#pidfile /tmp/udhcpd.pid
For this configuration, If I use 'option dns 8.8.8.8 8.8.4.4' I can resolve the problem but I need to use the dns of the network. Is there any way to forward the dns address 192.168.7.2 to the dns address of the wired network (eg. 192.168.0.2).
I could not find the DNS routing (eg. 192.168.7.2 to 192.168.0.2). But I have found a way to use the DNS address of the embedded platform on clients.
in DHCP server configuration, I used this option:
option dns 192.168.0.2 192.168.0.4 (conf file are generated when access point is started, so the dns addresses are obtained from the system )
after DHCP server is run, I have run these commands to forward dns addresses:
iptables -A FORWARD --in-interface eth1 -m tcp --sport 53 -j ACCEPT
iptables -A FORWARD --in-interface eth1 -m udp --sport 53 -j ACCEPT
Related
I am running a system with the following configuration:
NODE A <-> PROXY <-> SWITCH <-> PROXY <-> NODE B
Where node A and its proxy share a common private network, node b and its proxy share a common private network, and the proxy's are connected to the switch.
I have configured each as such:
#nodeA
#!/bin/sh
#Aliases
alias ip='sudo ip'
alias iptables='sudo iptables'
#interfaceconfiguration
ip link set enp0s8 up
ip addr add 192.168.0.1/29 dev enp0s8
iptables -t nat --flush
sudo route add default gw 192.168.0.2 enp0s8
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
#proxy a
#!/bin/sh
#Aliases
alias ip='sudo ip'
alias iptables='sudo iptables'
#interfaceconfiguration
ip link set enp0s8 up
ip link set enp0s9 up
ip addr add 192.167.0.1/26 dev enp0s9
ip addr add 192.168.0.2/29 dev enp0s8
sudo sysctl net.ipv4.ip_forward=1
iptables -t nat --flush
sudo route add default gw 192.167.0.2 enp0s9
sudo ip route add 192.168.0.0/29 via 192.168.0.2 dev enp0s8
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
#proxy B
#!/bin/sh
#Aliases
alias ip='sudo ip'
alias iptables='sudo iptables'
#interfaceconfiguration
ip link set enp0s8 up
ip link set enp0s9 up
ip addr add 192.167.0.2/26 dev enp0s9
ip addr add 192.168.0.10/29 dev enp0s8
sudo sysctl net.ipv4.ip_forward=1
iptables -t nat --flush
sudo route add default gw 192.167.0.1 enp0s9
sudo ip route add 192.168.0.8/29 via 192.168.0.10 dev enp0s8
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
#node B
#!/bin/sh
#Aliases
alias ip='sudo ip'
alias iptables='sudo iptables'
#interfaceconfiguration
ip link set enp0s8 up
ip addr add 192.168.0.9/29 dev enp0s8
iptables -t nat --flush
sudo route add default gw 192.168.0.10 enp0s8
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy OUTPUT ACCEPT
I then have this simple server client code running on NODE A and NODE B just to have some traffic going through the network:
import socket
import sys
#NODE A - SERVER
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('192.168.0.1', 10000)
sock.bind(server_address)
while True:
data, address = sock.recvfrom(4096)
print(data.decode())
import socket
import sys
#NODE B - CLIENT
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
server_address = ('192.168.0.1', 10000)
while True:
sock.sendto(input("Message to send:").encode(), server_address)
My question is, how can I, at the proxy level intercept these messages to bring them up to the application level so that I can work with them as to add a layer of encryption for example then send them back out to their destination so that the proxy on the other side can decrypt the message.
Thank you
This is a perfectly good debugging loop:
while True:
data, address = sock.recvfrom(4096)
print(data.decode())
Once you see that the right datagrams are arriving,
that loop will be a natural place to forward datagrams
to your favorite destination.
Ensuring that your listening socket was properly bound can be a tricky thing,
given that you have several addresses and interfaces to worry about.
Consider using $ sudo tcpdump -i en0 udp port 10000 to examine
datagrams in flight, before you even run that debugging loop.
You can use the command on the sending host,
on an intermediate transit host,
and on the destination host.
By viewing $ ifconfig -a you may find that an interface besides en0,
perhaps a tunnel interface, is relevant for reading the packets you're interested in.
Once you know certain packets are flowing,
that tends to make it easier to correctly specify the bind() parameters.
I think you're approaching this from the wrong way around. Namely, if you want to "work with" packets on the proxy, then you don't want to be telling the kernel to do any IP level forwarding
the Linux tun/tap interface would let you do this, see here for an example of how this is used with a VPN. although there are Python packages that help if you really want Python code to be doing the work
as a minor side note, I've generally found it an anti-pattern to put sudo onto basically every line of a script as you have. I'd just run the entire script via sudo and just have the code in it assume this is the case.
I have a website with subdomains for my clients (wildcard subdomain)
client1.test.com
client2.test.com
I want my clients to use their own domain If they want.
what kind of record needs to be added to point
client1.com => client1.test.com
shop.client1.com => client1.test.com
I´m using the free plan of cloudflare for www.test.com but I´m open to
change it if it can´t be done
CNAME records would work for that. You could also use A records to point to the same IP as test.com
You need modify the cname to redirect your client1 IP on their domain provider to client1.test.com
You need modify the cname to redirect your client2 IP on their domain provider to client2.test.com
CNAME setup on cloud flare is for paid plans only
https://support.cloudflare.com/hc/en-us/articles/200168706-How-do-I-do-CNAME-setup-
You might also want to check
https://support.cloudflare.com/hc/en-us/articles/200168826-Does-Cloudflare-support-wildcard-DNS-entries-
You simply need to understand DNS records and how they work. You can find a good resource for this here, the most important of which is 'A record' in your case.
In summary however, before your clients can point their own domain to your system, they will have to configure their domain host records to point to your server/IP address.
For you, you don't have to do anything in Cloudflare but on your server. Say you have configured your webserver to recognize client1.test.com but client1 decides to use a domain client1.com and shop.client1.com, you have to set your webserver block for client1.test.com to also recognize these two domains aliases in addition to the original subdomain.
With Nginx, this will look like:
Server {
...
ServerName client1.test.com shop.client1.com client1.com
...
You could take a look at this script if you are looking for how to automate this process.
Maybe you could use CNAME Record like this:
client1.com CNAME client1.test.com.
shop.client1.com CNAME client1.test.com.
The dot at the end is to tell the DNS not to complete your entry with the default-Domainname.
If you not must use an DNS to redirect, you also be free to use You even could do it by IPTables Forwarding. Good at this solution... you can decide which port will point to which ip... this way you could forward webserver to the Server of your Customer, but leave Mail at your server (for example)
Here how forward a port to another host that has an external IP:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $port -j LOG --log-prefix="PreRouting $port..:"
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $port -j DNAT --to $ip:$port
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -A FORWARD -p tcp -i eth0 -o eth0 -s $ip --sport $port -j LOG --log-prefix="S Forward $port.."
sudo iptables -A FORWARD -p tcp -i eth0 -o eth0 -s $ip --sport $port -j ACCEPT
sudo iptables -A FORWARD -p tcp -i eth0 -o eth0 -d $ip --dport $port -j LOG --log-prefix="D Forward $port.."
sudo iptables -A FORWARD -p tcp -i eth0 -o eth0 -d $ip --dport $port -j ACCEPT
You also have to add this command to set on your network stack:
sudo sysctl -w net.ipv4.ip_forward=1
This will work in a default DENY IPTables setup.
So I'm currently trying to use a raspberry pi as a sort of range extender where you connect wlan0 to an access point, and the hostapd AP setup on the interface wap0 routes all traffic through wlan0. The chain would look like this:
Wireless Client---> wap0 AP ---> wlan0 ---> Network Gateway ---> Internet
I currently have my iptables rules setup as follows:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i wap0 -o wlan0 -j ACCEPT
-A FORWARD -i wlan0 -o wap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING ACCEPT
-A POSTROUTING -o wlan0 -j MASQUERADE
ip_forward is also set to 1
What I've found after looking at some tcpdumps is that the outgoing traffic from wap0 to wlan0 does in fact get forwarded, but I never receive any responses to this traffic on wlan0. If the traffic originates from the raspberry pi (like a ping to www.google.com), I get a response. However any traffic coming from a client connected to wap0 and routed through wlan0 gets no response.
It is worth noting, however, that even when I flush all of the ip rules and fire up a tcpdump session on wlan0, I can still see traffic from wap0 being routed to the interface.
wap0 is setup to put all of its clients on the 192.168.8.0/24 subnet, and the subnet of the network wlan0 is connected to is 10.118.30.0/24. Does anyone know what I'm doing wrong?
I am trying to configure networking on QEMU malta mips, which is running on vmware host (ubuntu) using tap/tun device and bridge interface. My qemu guest is unable to retrieve ip address from DHCP server. If i give it manually, it can just connect with its host. Using tcpdump i came to know that outgoing traffic is working perfectly but incoming is not working.
Can anyone suggest me how to solve this kind of issue?
Thank You
If you use NAT mode, then your host machine will act as a router for your guest VM. This means you must enable routing on your host.
Assuming you start qemu and link it to tap0 interface and your outgoing internet interface is eth0, then you should:
Create the tap0 virtual interface:
tunctl -t tap0
ifconfig tap0 192.168.0.1 netmask 255.255.255.0 up
Activate routing
# activate ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Create forwarding rules, where
# tap0 - virtual interface
# eth0 - net connected interface
iptables -A FORWARD -i tap0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tap0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Start your VM with somenthing like this:
qemu [..] -net nic,model=e1000,vlan=0 -net tap,ifname=tap0,vlan=0,script=no
In your VM, configure an interface with ip 192.168.0.2/24 and default gateway 192.168.0.1
In NAT mode you can't achieve this. You need to configure VM in bridge mode and I hope you know the steps to configure it; if not see the link here ;
Step #2 of catalin.me's answer could be even simpler:
# activate ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
First two iptables rules are needed only in case if default policy for FORWARD chain is DROP.
E.g.:
iptables -P FORWARD DROP
I have a question regarding Linux NAT-ing on my own IP address.
Suppose I have an network interface, say eth0. It is given an IP address of 127.0.0.2. Now I apply a NAT rule in Linux saying that:
Any traffic with a source IP of 127.0.0.2 should be changed to a source IP of 192.168.0.2.
What source IP will I see in the packets sent out of eth0? In other words, will the NAT rule be applied to the packets originating from my own machine?
Thanks!
Jin
you can use postrouting for the same
iptables -t nat -A POSTROUTING -s 127.0.0.2 -o eth0 -j SNAT --to 192.168.0.2