iptables and redirection traffic from one PC to another

2014-02-14 Thread Aleksander Kurczyk
Hello,

This is my firewall script:

sudo iptables -F
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22005 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -j DROP
sudo iptables -t nat -A PREROUTING -p tcp --dport 81 -j DNAT --to 192.168.1.2:80
sudo iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT
sudo iptables -L

I want to run it on Raspbian which is behind my home router. I forwarded the 
whole incoming traffic from my router to the RPI using the DMZ function (NAT 
1:1).

The -A INPUT part of the script works! :) I can access only 22005 and 80 from 
the Internet and every other port on the LAN subnet and lo interface. The thing 
is that the port forwarding part isn't working :(

sudo iptables -t nat -A PREROUTING -p tcp --dport 81 -j DNAT --to 192.168.1.2:80
sudo iptables -A FORWARD -p tcp -d 192.168.1.10 --dport 80 -j ACCEPT

I want to redirect port 81 of my RPI to port 80 on my home PC (web server). 
I found this in Google.

Of course I also enabled IPv4 forwarding in sysctl:

sudo sysctl -w net.ipv4.ip_forward=1

And am I dropping the packets correctly or should I use default policy instead? 
This way is simpler to understand. Is there something that I am doing wrong in 
this script?

--
Best regards,
Aleksander Kurczyk

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/dub125-w47a470a9d5966f19a1cf9cda...@phx.gbl



Re: iptables and redirection traffic from one PC to another

2014-02-14 Thread Brixton Cat
I think you are missing an ACCEPT for input traffic on port 81.

You can add logging messages or run tcpdump to see what traffic is dropped.

Regards. Fernando.




RE: iptables and redirection traffic from one PC to another

2014-02-14 Thread Aleksander Kurczyk
Hi,

Now my firewall looks like this:

sudo iptables -F
sudo iptables -P INPUT DROP
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22005 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 81 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to 192.168.0.10:80

I've found that if the FORWARD chain's default policy is to accept everything I 
don't have to use the second rule. I think that the problem is that my 
Raspberry is not my router, so the PC is responding directly to the router, 
which in turn doesn't know what to do. Is there a way to make iptables make my 
PC respond to it and then to the router - some IP level proxy etc.?

--
Best regards,
Aleksander Kurczyk





Re: iptables and redirection traffic from one PC to another

2014-02-14 Thread Joe
On Fri, 14 Feb 2014 16:32:21 +0100
Aleksander Kurczyk akurc...@outlook.com wrote:

 Hi,
 
 Now my firewall looks like this:
 
 sudo iptables -F
 sudo iptables -P INPUT DROP
 sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 sudo iptables -A INPUT -i lo -j ACCEPT
 sudo iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
 sudo iptables -A INPUT -p tcp --dport 22005 -j ACCEPT
 sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 sudo iptables -A INPUT -p tcp --dport 81 -j ACCEPT
 sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT --to 192.168.0.10:80

I believe this '--to' should be '--to-destination', I have an old rule
using the latter, but I haven't run any traffic through it for a few
years, and iptables does evolve slowly, so things might be different
now.
 
 I've found that if the FORWARD chain's default policy is to accept
 everything I don't have to use the second rule. I think that the
 problem is that my Raspberry is not my router, so the PC is
 responding directly to the router, which in turn doesn't know what to
 do. Is there a way to make iptables make my PC respond to it and
 then to the router - some IP level proxy etc.?
 

Your problem here is that the default gateway of your PC is the router,
not the Pi. This is normally avoided by using a two-NIC computer as the
firewall-router, when this machine becomes the network default gateway.

You may be able to make the Pi the default gateway for the PC, and add
enough forwarding rules to the Pi firewall to allow the PC the Internet
access it needs. Alternatively, you could try routing rules in the PC
firewall (assuming it is a Linux machine) which would return packets
with a source port of 80 to the Pi instead of the default gateway.

But try '--to-destination' first, as the Pi might currently not be
re-writing the source address of packets sent to the PC, and this might
make a difference. I can't say for sure as my rule worked, but that was
via a two-NIC machine which was the network default gateway, so
re-writing might not have been occurring.

-- 
Joe





RE: iptables and redirection traffic from one PC to another

2014-02-14 Thread Aleksander Kurczyk
Hello,

I've tried with this parameter, --to-destination, but it's still not working. I 
don't have two NICs in either the PC or the RPI. Is there a way then to change 
the source IP address during the forwarding process?

--
Best regards,
Aleksander Kurczyk


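The asymmetric-routing problem Joe describes, and the source-address rewrite the last message asks about, as an added example that is not from any poster in this thread: a one-armed DNAT ruleset for a single-NIC Pi that SNATs the forwarded connection to the Pi's own address so the PC's replies return through the Pi. The Pi address 192.168.0.2 is assumed; 192.168.0.10 for the PC and the 192.168.0.0/24 LAN are taken from the thread.

```shell
#!/bin/sh
# Added example, not the original poster's script. Prints the rules for
# review; pipe the output to "sudo sh" to apply them on the Pi.
LAN_IF="${LAN_IF:-eth0}"
PI_IP="${PI_IP:-192.168.0.2}"        # assumed address of the Pi on the LAN
PC_IP="${PC_IP:-192.168.0.10}"       # web server PC, from the thread
LAN_NET="${LAN_NET:-192.168.0.0/24}"

gen_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
# Default-deny on INPUT and FORWARD instead of a trailing DROP rule, so a
# rule appended later cannot silently bypass the deny.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22005 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Port 81 is rewritten in PREROUTING, so those packets traverse FORWARD,
# never INPUT; no INPUT rule for 81 is needed.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 81 -j DNAT --to-destination $PC_IP:80
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -p tcp -d $PC_IP --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
# The PC's default gateway is the router, not the Pi, so without this the PC
# answers the Internet client via the router, which has no matching state.
# Rewriting the source to the Pi makes the PC reply to the Pi, which reverses
# both translations and forwards the reply back out.
iptables -t nat -A POSTROUTING -o $LAN_IF -p tcp -d $PC_IP --dport 80 -m conntrack --ctstate DNAT -j SNAT --to-source $PI_IP
sysctl -w net.ipv4.ip_forward=1
EOF
}

gen_rules
```

With SNAT the PC's web server logs show the Pi's address as the client rather than the real Internet client; the alternatives Joe gives (making the Pi the PC's gateway, or policy routing on the PC) keep the original source address visible.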