Blocking the to-destination with NAT and iptables [closed] - linux

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers. Closed 6 years ago.
I have the following configuration:
ServerA: 192.168.168.200
ServerB: 172.23.10.10
They are separated by a RedHat box I'm trying to configure as a NAT device.
The box is configured as follows:
eth0: 172.23.10.1
eth1: 192.168.168.254
eth1:0: 192.168.168.10
I am trying to allow ServerA to only communicate with ServerB using the 192.168.168.10 address which should map via NAT to the 172.23.10.10 address.
ServerA (192.168.168.x) <-NAT ServerB (172.23.10.x)
I have configured the following iptables rule only on the RedHat box:
iptables -t nat -A PREROUTING -d 192.168.168.10 -j DNAT --to-destination 172.23.10.10
This appears to successfully implement the NAT translation. For example, when I ping 192.168.168.10 from ServerA it successfully reaches ServerB on its 172.23.10.10 interface (and receives the response).
THE PROBLEM is that ServerA is still able to reach ServerB directly over 172.23.10.10, which I want to disallow.
How can I keep this NAT mapping in place, while blocking access to the actual destination address?

You didn't paste your full iptables output (iptables -vL -n nat), so this is a guess, but I'm betting, since it's RHEL, that your PREROUTING table has the default "ACCEPT" policy, so the traffic is skipping the NAT line, hitting the policy, and being accepted.
Try:
iptables -t nat -P PREROUTING DROP
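The following is an added example, not code from the question or the answer above. It keeps the DNAT mapping from the question and blocks ServerA's direct access to 172.23.10.10 in the filter table's FORWARD chain, which is where filtering belongs (the nat table only sees the first packet of each connection, so it is not a reliable place to drop traffic). It assumes eth1 faces ServerA (192.168.168.0/24) and eth0 faces ServerB, and it runs as a dry run that prints the commands unless IPT is set to the real binary.

```shell
# Added example (not the question's or the answer's code): keep the DNAT
# mapping 192.168.168.10 -> 172.23.10.10 and refuse ServerA's direct access
# to 172.23.10.10. Filtering is done in the filter table's FORWARD chain, not
# in the nat table: the nat table only sees the first packet of a connection.
# Assumptions: eth1 faces ServerA (192.168.168.0/24), eth0 faces ServerB.
# IPT defaults to "echo iptables", so running this only prints the rules;
# set IPT=iptables on the NAT box to apply them.
IPT="${IPT:-echo iptables}"

nat_rules() {
    # The translation from the question, limited to the ServerA-facing interface.
    $IPT -t nat -A PREROUTING -i eth1 -d 192.168.168.10 -j DNAT --to-destination 172.23.10.10
}

filter_rules() {
    # Default: forward nothing.
    $IPT -P FORWARD DROP
    # Replies and related traffic for connections the box already tracks.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Connections to ServerB pass only if they were DNATed, i.e. sent to 192.168.168.10.
    # "DNAT" is conntrack's virtual state for connections whose destination was rewritten.
    $IPT -A FORWARD -i eth1 -o eth0 -d 172.23.10.10 -m conntrack --ctstate DNAT -j ACCEPT
    # Direct use of ServerB's real address from the ServerA side: log it, then drop it.
    $IPT -A FORWARD -i eth1 -d 172.23.10.10 -j LOG --log-prefix "direct-to-serverB: "
    $IPT -A FORWARD -i eth1 -d 172.23.10.10 -j DROP
}

# Total number of rules emitted; handy for checking a dry run.
rule_count() {
    { nat_rules; filter_rules; } | wc -l | tr -d ' '
}

nat_rules
filter_rules
```

After applying, `iptables -t nat -vnL PREROUTING` and `iptables -vnL FORWARD` show packet counters per rule, and the kernel log shows the "direct-to-serverB:" prefix whenever ServerA tries the real address, which is the quickest way to confirm the block works.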

iptables / forward request to specific IP to wifi network [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers. Closed last year.
I'm struggling with the Linux tool "iptables".
Following situation:
I have a RaspberryPi running with HASS (Home Assistant) connected via ethernet.
Now I want to add my inverter to Home Assistant, but this needs to be done using its own WiFi network. So I need to forward requests to IP 11.11.11.1 (only this IP, not all traffic) to the WiFi network.
Is that doable with iptables? Meaning defining a rule which says "target is 11.11.11.1, so let's put this on the WiFi network".
I'm actually not sure whether iptables can do that or not. I read something about nginx, but I'm not sure how this would work.
iptables -A FORWARD -i eth0 -o wlan0 -p tcp --destination 11.11.11.1 -j ACCEPT
That command did the trick. Now all TCP requests to 11.11.11.1 are forwarded to Wifi (wlan0) interface.
If someone sees any mistakes in that, please reply, as I'm not really familiar with network settings and Linux commands. Thx.
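As an added example, not the poster's own commands: which interface a packet leaves through is decided by the routing table, not by iptables. For traffic that starts on the Pi itself (Home Assistant talking to the inverter) a single host route is enough; FORWARD rules only matter when other hosts on the eth0 LAN must reach 11.11.11.1 through the Pi. Interface names eth0/wlan0 and the inverter address are from the question; the LAN range 192.168.178.0/24 is an assumption. The script prints the commands unless RUN is set empty.

```shell
# Added example, not the poster's code: reaching one address over wlan0 is a
# routing decision, not a filtering one. RUN defaults to "echo" so the script
# prints the commands (dry run); run it with RUN= to execute them.
# eth0/wlan0 and 11.11.11.1 are from the question; LAN is assumed.
RUN="${RUN-echo}"
LAN="${LAN:-192.168.178.0/24}"

# Case 1: only the Pi itself needs to talk to the inverter.
local_only() {
    # Send just this one address via the WiFi interface; everything else keeps using eth0.
    $RUN ip route add 11.11.11.1/32 dev wlan0
}

# Case 2: other hosts on the LAN must reach the inverter through the Pi.
forward_for_lan() {
    local_only
    $RUN sysctl -w net.ipv4.ip_forward=1
    # Permit only this destination across the Pi; nothing else crosses from eth0 to wlan0.
    $RUN iptables -A FORWARD -i eth0 -o wlan0 -s "$LAN" -d 11.11.11.1 -j ACCEPT
    $RUN iptables -A FORWARD -i wlan0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The inverter's network knows nothing about the LAN, so hide LAN hosts behind wlan0's address.
    $RUN iptables -t nat -A POSTROUTING -o wlan0 -d 11.11.11.1 -j MASQUERADE
}

forward_for_lan
```

`ip route get 11.11.11.1` afterwards should report `dev wlan0`; if it still reports eth0, the WiFi association is not up and no iptables rule will help.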

Map ports on edge server to internal SSH services [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers. Closed 7 years ago.
I have a network.
There's an edge server with a public IP address.
There are multiple internal services 192.168.0.{1..255} with SSH running on port 22 that can be accessed via a private network from the edge server.
I have clients connecting from outside the network to the edge server on port range 30001-30255. I need to map these connections to internal SSH services like so:
ssh -p 30001 myedgeserver.com -> 192.6.0.1:22
ssh -p 30002 myedgeserver.com -> 192.6.0.2:22
...
ssh -p 30255 myedgeserver.com -> 192.6.0.255:22
Can this be achieved with iptables?
Yes. You make a nat for each of the 255 ports. I am unaware that you can do it in one line. So 255 lines like this:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 30001 -j DNAT \
--to 192.6.0.1:22
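Added example, not the answerer's code: the 255 rules generated by a loop rather than typed by hand, with port 30000+N mapped to 192.6.0.N:22 as in the question. It assumes eth0 is the public interface, prints the rules as a dry run unless IPT is set to the real binary, and includes the FORWARD rules that actually let the translated SSH connections into the private network.

```shell
# Added example, not the answerer's code: generate the 255 DNAT rules with a
# loop. Public port 30000+N maps to 192.6.0.N:22 (N = 1..255), as in the question.
# Assumes eth0 is the public-facing interface. IPT defaults to "echo iptables",
# so running the script only prints the rules; set IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
PUBLIC_IF="${PUBLIC_IF:-eth0}"
BASE_PORT=30000

# Print the DNAT rule for one host index (1..255).
dnat_rule() {
    idx=$1
    $IPT -t nat -A PREROUTING -i "$PUBLIC_IF" -p tcp --dport $((BASE_PORT + idx)) \
        -j DNAT --to-destination "192.6.0.$idx:22"
}

# Emit all 255 DNAT rules plus the filter rules that let the translated traffic through.
all_rules() {
    n=1
    while [ "$n" -le 255 ]; do
        dnat_rule "$n"
        n=$((n + 1))
    done
    # Only DNATed SSH connections are forwarded into the private network, nothing else.
    $IPT -A FORWARD -i "$PUBLIC_IF" -p tcp -d 192.6.0.0/24 --dport 22 -m conntrack --ctstate DNAT -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Which backend does a given public port reach? Used to sanity-check the mapping.
backend_for_port() {
    port=$1
    idx=$((port - BASE_PORT))
    if [ "$idx" -lt 1 ] || [ "$idx" -gt 255 ]; then
        echo "no mapping"
        return 1
    fi
    echo "192.6.0.$idx:22"
}

all_rules
```

A single rule with `--to-destination 192.6.0.1-192.6.0.255:22` would not do the same thing: an address range in DNAT spreads connections across the hosts instead of tying each port to one host, so the loop is the right shape here.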

iptables block access to all ports except from a partial IP address [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers. Closed 8 years ago.
I'm looking to block all IPs from my server and its ports with the exception of a partial IP 198.55..*. I'd like to limit access to an ISP region due to the fact that my personal IP isn't static with our ISP. How would I go about this? Our server was compromised this evening and I'm trying to kill all other traffic to it.
The code below seems to allow a specific ip, but does it block every other IP? Also if I use the x will that act like a wildcard?
iptables -A INPUT -s 74.231.64.xx -j ACCEPT
If you need to block all incoming traffic except a specific range, you should first change the default policy of the INPUT chain to DROP:
iptables --policy INPUT DROP
Then, you should give iptables a netmask to allow many IP addresses at once as an exception. For example, if you need to allow only 74.231.64.1, 74.231.64.2, up to 74.231.64.255, you can use the following command:
iptables -A INPUT -s 74.231.64.0/24 -j ACCEPT
74.231.64.0/24 tells iptables to apply the same rule to all IPs from 74.231.64.1 to 74.231.64.255. Similarly, you can widen this range by passing 74.231.0.0/16 or 74.0.0.0/8 instead.
IMPORTANT NOTE: Before applying this change, you had better have direct access to the system, not over-the-network access, because a mistype may lock you out of the server.
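Added example, not the answerer's code: the same lockdown with the steps ordered so that a remote session survives it. The allow rules (loopback, already-established connections, the trusted /24) go in first and the INPUT policy is flipped to DROP last; flipping the policy on an empty chain, as in the order above, cuts off the SSH session that is typing the commands. The trusted range is the answer's 74.231.64.0/24; the script prints the commands unless IPT is set to the real binary.

```shell
# Added example, not the answerer's code: lockdown ordered so the SSH session
# applying it is not cut off. IPT defaults to "echo iptables" (dry run);
# set IPT=iptables to apply. TRUSTED is the range from the answer.
IPT="${IPT:-echo iptables}"
TRUSTED="${TRUSTED:-74.231.64.0/24}"

lockdown_rules() {
    # 1. Never cut loopback or connections that already exist (including this SSH session).
    $IPT -I INPUT 1 -i lo -j ACCEPT
    $IPT -I INPUT 2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. The trusted range may open new connections to any port.
    $IPT -A INPUT -s "$TRUSTED" -j ACCEPT
    # 3. Log what is about to be refused (rate-limited); on a compromised host this is evidence.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "input-drop: " --log-level 4
    # 4. Only now make DROP the default.
    $IPT -P INPUT DROP
}

# The last command emitted; a dry run can confirm the policy change really comes last.
last_step() {
    lockdown_rules | tail -n 1
}

lockdown_rules
```

On a box that was just compromised, a timed rollback is a sensible extra: start `sleep 300 && iptables -P INPUT ACCEPT` in the background before applying the rules, and kill it once a fresh login from the trusted range succeeds. The firewall buys time to collect logs; it does not clean the host.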

Linux iptable simple concentrator [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers. Closed 9 years ago.
Hi All :) I have a simple question for who is strong in networking and iptables :)
I set up a test Apache server on 192.168.0.1, very simple, and want to concentrate all TCP/IP requests to it, but unfortunately I can't find the working list of options for iptables myself; something keeps not working.
So here is what I need: I need to forward all TCP/IP requests on eth0 directed to external IPs towards the local 192.168.0.1:80 instead.
E.g. if my browser sends an HTTP request to external IP 1.2.3.4, the kernel has to "rewrite" the destination IP from 1.2.3.4 to 192.168.0.1:80 and send it to my Apache.
And of course the browser has to receive the answer back.
What is the list of rules? Thanks :)
Everything depends on where you want to apply that rule. On the machines generating the traffic? On the gateway? Somewhere else?
The solution for the machine making the request is:
iptables -t nat -A OUTPUT -m tcp -p tcp ! -d 192.168.0.1 -j DNAT --to-destination 192.168.0.1:80
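Added example, not the answerer's code: the OUTPUT-chain rewrite narrowed to what a test setup needs. The rule above catches every outbound TCP connection the machine makes (SSH, DNS over TCP, package updates, and so on) and hands it to Apache; the narrow version touches only HTTP, leaves loopback and the LAN alone, and applies only to one user's processes. The Apache address and the 192.168.0.0/24 LAN are the question's; uid 1000 for the browser is an assumption, and the script prints the commands unless IPT is set to the real binary.

```shell
# Added example, not the answerer's code: broad rule from the answer next to a
# narrowed version. IPT defaults to "echo iptables" (dry run); set IPT=iptables
# to apply. APACHE and the LAN are the question's; BROWSER_UID is assumed.
IPT="${IPT:-echo iptables}"
APACHE="192.168.0.1"
BROWSER_UID="${BROWSER_UID:-1000}"

# The broad rule from the answer, kept here for comparison only.
broad_rule() {
    $IPT -t nat -A OUTPUT -m tcp -p tcp ! -d "$APACHE" -j DNAT --to-destination "$APACHE:80"
}

# Narrow version: only HTTP, only to addresses outside the LAN, only from the browser's uid.
narrow_rules() {
    # Leave loopback and the local network untouched so SSH and LAN services keep working.
    $IPT -t nat -A OUTPUT -o lo -j RETURN
    $IPT -t nat -A OUTPUT -d 192.168.0.0/24 -j RETURN
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner "$BROWSER_UID" \
        -j DNAT --to-destination "$APACHE:80"
}

# If Apache runs on the same machine as the browser, REDIRECT sends the packet to a local port instead.
local_redirect_rule() {
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner "$BROWSER_UID" -j REDIRECT --to-ports 80
}

echo "# broad rule:"
broad_rule
echo "# narrow rules:"
narrow_rules
```

HTTPS requests are deliberately not rewritten: the browser would see a certificate for the wrong host and refuse the connection, so redirecting port 443 only produces errors.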

icmp request received, but doesn't reply [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers. Closed 4 years ago.
I set up 3 CentOS servers and configured server2 as a router between 192.168.1.0/24 and 30.0.0.0/24, but ping can't get through.
I tried pinging 192.168.1.62 from server1; according to tcpdump on server3, the ICMP request is received, but it doesn't generate an ICMP response.
23:36:06.436243 IP 30.0.0.2 > 192.168.1.62: ICMP echo request, id 23570, seq 2838, length 64
23:36:07.436212 IP 30.0.0.2 > 192.168.1.62: ICMP echo request, id 23570, seq 2839, length 64
Setup
Servers
server1:
eth0 - 30.0.0.2
server2:
eth0 - 192.168.1.61
eth0:0 - 30.0.0.1
server3:
eth0 - 192.168.1.62
Routing
route info on server1:
0.0.0.0 30.0.0.1
route info on server3:
30.0.0.0/24 192.168.1.61
I was receiving ICMP packets but did not see them go out. The problem was related to the traffic traversing multiple interfaces and reverse path filtering being on by default...
I've enabled martian source logging first:
$ echo 1 >/proc/sys/net/ipv4/conf/eth2/log_martians
Then there are several options for what to do with them... I'm enabling loose handling of them:
$ sysctl net.ipv4.conf.all.rp_filter=2
See these for details:
http://lartc.org/howto/lartc.kernel.html
https://access.redhat.com/site/solutions/53031
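Added example, not part of the answer above: a small model of the decision that strict (rp_filter=1) and loose (rp_filter=2) reverse-path filtering make for an incoming packet, run against a constructed routing table shaped like server3's plus one extra network on a second interface so the strict/loose difference shows. The kernel does this in fib_validate_source(); the script only reproduces the rule of thumb (strict: the best route back to the source must leave via the ingress interface; loose: any route back is enough). All addresses other than those from the question are constructed.

```shell
# Added example, not from the answer: strict vs loose reverse-path filtering,
# evaluated against a constructed routing table. Not the kernel's code, just
# the rule it applies:
#   mode 1 (strict) - best route back to the source must leave via the ingress interface
#   mode 2 (loose)  - any route back to the source, via any interface, is enough
#   mode 0          - no check

# Constructed routing table, "prefix/len interface" per line. No default route,
# so a source with no entry here has no reverse path at all. The eth0 entries
# mirror server3; 10.9.0.0/16 on eth1 is invented to show the difference.
ROUTES="192.168.1.0/24 eth0
30.0.0.0/24 eth0
10.9.0.0/16 eth1"

# Dotted quad to integer, e.g. 192.168.1.62 -> 3232235838.
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# in_prefix <ip> <prefix/len>: succeeds when ip lies inside the prefix.
in_prefix() {
    ipn=$(ip_to_int "$1")
    netn=$(ip_to_int "${2%/*}")
    plen=${2#*/}
    mask=$(( plen == 0 ? 0 : (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# best_iface <ip>: interface of the longest-prefix route to ip; empty if none.
best_iface() {
    best_len=-1
    best_if=""
    while read -r prefix iface; do
        if [ -n "$prefix" ] && in_prefix "$1" "$prefix"; then
            this_len=${prefix#*/}
            if [ "$this_len" -gt "$best_len" ]; then
                best_len=$this_len
                best_if=$iface
            fi
        fi
    done <<EOF
$ROUTES
EOF
    echo "$best_if"
}

# rp_verdict <mode> <ingress-iface> <source-ip>: prints accept or drop.
rp_verdict() {
    mode=$1; ingress=$2; src=$3
    back=$(best_iface "$src")
    case $mode in
        0) echo accept ;;
        1) if [ "$back" = "$ingress" ]; then echo accept; else echo drop; fi ;;
        2) if [ -n "$back" ]; then echo accept; else echo drop; fi ;;
        *) echo "unknown rp_filter mode: $mode" >&2; return 1 ;;
    esac
}

# Three constructed packets arriving on eth0: the ping from the question
# (source 30.0.0.2, routed back via eth0), one whose return route is eth1,
# and one with no route back at all.
for src in 30.0.0.2 10.9.1.1 203.0.113.5; do
    echo "src=$src strict=$(rp_verdict 1 eth0 "$src") loose=$(rp_verdict 2 eth0 "$src")"
done
```

On a real host, `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.eth0.rp_filter` shows the effective modes (the kernel uses the higher of the two), and with log_martians enabled a dropped packet appears in the kernel log as "martian source", which is the symptom to look for before changing the setting.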
Run tcpdump with -e flag and see if the destination MAC address is correct.
