Iptables Basics
install and start iptables
yum install iptables-services
systemctl start iptables
enable ipv4 forwarding (required for every DNAT/SNAT forwarding setup below; this only lasts until reboot, persist it with net.ipv4.ip_forward = 1 in /etc/sysctl.conf)
echo 1 > /proc/sys/net/ipv4/ip_forward
Basic Commands
check existing NAT routing rules (with line numbers)
iptables -t nat -v -L POSTROUTING --line-numbers
delete an existing NAT rule (use the line number from the listing above; numbers shift after every delete, so re-list before deleting the next one)
iptables -t nat -D POSTROUTING <line number>
save all current rules to a file
iptables-save > /tmp/iptables.bkup
restore rules from a file (this replaces the current rules; add --noflush to append instead)
iptables-restore < /tmp/iptables.bkup
check NAT rules
iptables -t nat -L -n
check current filter rules (INPUT, FORWARD and OUTPUT chains; -v adds packet counters, handy to see whether a rule is actually being hit)
iptables -L -n -v --line-numbers
add a debug LOG rule at position 3 of the nat PREROUTING chain (tail syslog, or journalctl -f). The nat table only sees the first packet of each connection, so this logs new connections only; put the LOG rule in the filter table to see every packet
iptables -t nat -I PREROUTING 3 -j LOG --log-prefix "nat-pre: "
block outbound connections to a port (OUTPUT chain; use INPUT to block inbound)
iptables -A OUTPUT -p tcp --dport 2500 -j DROP
allow inbound connections to a port (-A appends at the end, so an earlier DROP still wins; use -I INPUT to put the rule first)
iptables -A INPUT -p tcp --dport 2500 -j ACCEPT
block an IP address
iptables -A INPUT -s 192.130.2.4 -j DROP
block range of IPs
iptables -A INPUT -s 192.168.2.0/24 -j DROP
unblock an IP address (deletes the DROP rule; the -D spec has to match the existing rule exactly)
iptables -D INPUT -s 192.130.2.4 -j DROP
Forward a Port to another server
we have 2 servers, A (1.1.1.1) and B (2.2.2.2)
want to connect to port 8331 on A (but the service is running on B)
forwarding a request to A:8331 > B:8331
connecting from external server C
prerequisites on A: ip_forward = 1 (see above) and the filter FORWARD chain must accept the forwarded traffic (check iptables -L FORWARD -n; if the policy is DROP, add ACCEPT rules for it)
add a rule on A to rewrite the destination to server B, port 8331
A> sudo iptables -t nat -A PREROUTING -p tcp --dport 8331 -j DNAT --to-destination 2.2.2.2:8331
now add a rule to change the packet's SOURCE IP to that of server A instead of external server C (the original source IP is C's), so that B's replies come back through A
A> sudo iptables -t nat -A POSTROUTING -p tcp -d 2.2.2.2 --dport 8331 -j SNAT --to-source 1.1.1.1
caveat: with the SNAT rule B only ever sees 1.1.1.1 as the client, so B's logs and any per-IP controls on B lose the real source. The SNAT is only needed when B would otherwise route its replies around A; if A is already B's gateway towards C, skip it and B sees C's real address
now netcat to server A from external server C
C> nc -v 1.1.1.1 8331
Connected!
Connect to service via backbone interface
This approach is used when you have 2 servers and need to reach an interface on the 2nd server that you can't hit from the 1st. The method is to use a common interface that can reach the 2nd server as a backbone, route all packets over it, and drop them off at the appropriate interfaces
both servers have a common management interface em1 (they can talk to each other over em1, same gateway)
both have a Solarflare interface p1p1 (different gateways, so they can't talk to each other over it)
service is running on the CH1 server, port 2400 (on the p1p1 interface)
customer is connecting via the NY1 p1p1 interface
need to route the connection NY1 p1p1 > NY1 em1 > CH1 em1 > CH1 p1p1 > back to the customer
flow,
1. customer connects to NY1 via the p1p1 interface on port 2400
2. IPTABLES on NY1 has 2 rules, PREROUTING and POSTROUTING, that send the packet over to CH1 via em1 (192.168.38.5), then change the source IP to NY1's em1 address (192.168.37.5). ip_forward must be enabled on NY1 and its FORWARD chain must allow the traffic
root@ny1> iptables -t nat -A PREROUTING -p tcp --dport 2400 -j DNAT --to-destination 192.168.38.5:2400
root@ny1> iptables -t nat -A POSTROUTING -p tcp -d 192.168.38.5 --dport 2400 -j SNAT --to-source 192.168.37.5
3. IPTABLES on CH1 has 2 rules that re-target the packet to the p1p1 address (192.168.38.20), then change the source IP to CH1's em1 address (192.168.38.5). Note that if 192.168.38.20 is an address on CH1 itself, the DNAT delivers the packet locally through INPUT and the POSTROUTING rule is never traversed; it only matters when the DNAT target is another host
root@ch1> iptables -t nat -A PREROUTING -p tcp --dport 2400 -j DNAT --to-destination 192.168.38.20:2400
root@ch1> iptables -t nat -A POSTROUTING -p tcp -d 192.168.38.20 --dport 2400 -j SNAT --to-source 192.168.38.5
4. replies follow the same NAT mappings back to the customer over p1p1, and netcat connects
Use a Hop Server to route packets
Scenario: need to connect to an external server C, port 15176, but cannot connect directly from A. We will use a hop server B and redirect packets with the 'redir' binary
1. on A, add a nat OUTPUT rule to send all port 15176 requests to B (nat OUTPUT is the hook for locally generated packets; PREROUTING would not see them)
iptables -t nat -A OUTPUT -p tcp --dport 15176 -j DNAT --to-destination <IP of server B>:15176
2. on B, run a redir listener on port 15176 that forwards every connection to C and the replies back via the same hops (C sees B's address as the source)
redir --laddr=192.168.25.1 --lport=15176 --caddr=<IP of server C> --cport=15176 &
caveat: anything that can reach 192.168.25.1:15176 can now reach C through B, so restrict the listener, e.g. on B: iptables -A INPUT -p tcp --dport 15176 ! -s <IP of server A> -j DROP
Forward all outgoing packets via Hop Server on a specific interface
Scenario: You need to route a connection from Server A to Server C, but you can't connect directly. You can use Server B as a hop server, but you also need to use a specific interface on B (p1p1)
You can do this with a combination of IPTABLES and a relay binary like redir or socat
step 0, you netcat to server C
nc 200.1.2.3 15176
step 1, the local nat OUTPUT rule on A rewrites the destination to B, port 15176
steps 2 and 3, a nat PREROUTING DNAT rule on B re-targets the packet arriving on the em1 interface to the p1p1 interface address
step 4, the redir process listening on p1p1 relays the connection to server C (socat can do the same, or, without a relay process at all, a PREROUTING DNAT + POSTROUTING MASQUERADE pair on B as in the next section)
step 5, packet goes to C, and the reply comes back to A following the same steps in reverse
Redirect SSH without using Redir
Server A wants to be able to SSH and rsync to server C, but there's no direct route
can only get there via B
on A, add a nat OUTPUT DNAT rule that rewrites connections for C:22 to B:<dummy port>
on B, add a nat PREROUTING DNAT rule that sends <dummy port> on to C:<dummy port>
on B, add a nat POSTROUTING MASQUERADE rule for traffic to C:<dummy port> so it leaves with B's source IP (ip_forward must be on and the FORWARD chain must accept it)
on C, add a nat PREROUTING REDIRECT rule that sends <dummy port> to its own port 22
If you need to reach an additional unreachable host via a 2nd hop host, add another DNAT and MASQUERADE rule pair on the 2nd hop host, i.e. A needs to reach D via B and C, but A has no connectivity to C or D
with those rules, your connection will flow like this
A > B:31201 > C:31201 > D:22
caveat: the OUTPUT rule on A should match the real target (-d C --dport 22, or D in the chained case), and A still needs some route covering that address (a default route is enough), because for locally generated packets the routing lookup happens before the nat OUTPUT hook
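Every DNAT/SNAT setup on this page (the A/B port forward, the NY1/CH1 backbone hops, and the dummy-port SSH chain above) is the same two or three rules with different addresses, and the mistakes are always the same: a typo in an address, a missing FORWARD accept, or a MASQUERADE that does not match the DNATed destination. The generator below, an added example written for this page and not code from it, produces the rule sets for one host per call in iptables-restore format so they can be reviewed and applied atomically. Assumptions beyond the page: IPv4 literal addresses only; the filter FORWARD chain gets explicit ACCEPT rules (harmless when the policy is already ACCEPT); the origin host's OUTPUT rule matches on the real target host and port; the 10.0.0.x addresses in the usage are constructed.

```python
"""Rule generator for the DNAT/SNAT hop patterns on this page (iptables-restore format).
Added example, not code from the page. Assumed: IPv4 literals; the filter FORWARD
chain wants explicit ACCEPTs; the origin's OUTPUT rule matches on the real target."""
import ipaddress


def _ip(addr):
    """Reject anything that is not a literal IP address (raises ValueError)."""
    return str(ipaddress.ip_address(addr))


def _port(port):
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def _forward_accepts(dst_ip, dport):
    # replies first, then the new forwarded connections
    return [
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A FORWARD -p tcp -d {dst_ip} --dport {dport} -m conntrack --ctstate NEW -j ACCEPT",
    ]


def inbound_forward(front_ip, backend_ip, port, in_iface=None):
    """Rules for the front host: clients hit front:port, the service lives on backend:port.
    PREROUTING DNAT rewrites the destination; POSTROUTING SNAT rewrites the source so the
    backend answers via the front host (the backend sees front_ip, not the real client).
    The 'Forward a Port' section and each hop of the backbone section are this shape."""
    front, backend, port = _ip(front_ip), _ip(backend_ip), _port(port)
    in_if = f" -i {in_iface}" if in_iface else ""
    return {
        "nat": [
            f"-A PREROUTING{in_if} -p tcp --dport {port} -j DNAT --to-destination {backend}:{port}",
            f"-A POSTROUTING -p tcp -d {backend} --dport {port} -j SNAT --to-source {front}",
        ],
        "filter": _forward_accepts(backend, port),
    }


def outbound_chain(hops, dummy_port, target_port=22, redirect_on_target=True):
    """Per-host rules for 'origin reaches target through the hops in between' on a dummy port.
    hops = [origin, hop1, ..., target]. Origin: nat OUTPUT DNAT target:target_port -> hop1:dummy.
    Each intermediate hop: PREROUTING DNAT to the next hop on the dummy port + POSTROUTING
    MASQUERADE. Target: PREROUTING REDIRECT dummy -> target_port; with
    redirect_on_target=False the last hop DNATs straight to target:target_port instead."""
    hops = [_ip(h) for h in hops]
    dummy, target = _port(dummy_port), _port(target_port)
    if len(hops) < 3:
        raise ValueError("need an origin, at least one hop and a target")
    origin, target_ip = hops[0], hops[-1]
    rules = {origin: {
        "nat": [f"-A OUTPUT -p tcp -d {target_ip} --dport {target} "
                f"-j DNAT --to-destination {hops[1]}:{dummy}"],
        "filter": [],
    }}
    for i in range(1, len(hops) - 1):
        nxt = hops[i + 1]
        last_hop = i == len(hops) - 2
        to_port = target if (last_hop and not redirect_on_target) else dummy
        rules[hops[i]] = {
            "nat": [
                f"-A PREROUTING -p tcp --dport {dummy} -j DNAT --to-destination {nxt}:{to_port}",
                f"-A POSTROUTING -p tcp -d {nxt} --dport {to_port} -j MASQUERADE",
            ],
            "filter": _forward_accepts(nxt, to_port),
        }
    if redirect_on_target:
        rules[target_ip] = {
            "nat": [f"-A PREROUTING -p tcp --dport {dummy} -j REDIRECT --to-ports {target}"],
            "filter": [],
        }
    return rules


def render(host_rules):
    """iptables-restore text for one host. Apply with `iptables-restore --noflush`
    so it appends to the existing nat/filter tables instead of replacing them."""
    out = []
    for table in ("nat", "filter"):
        if host_rules.get(table):
            out += [f"*{table}", *host_rules[table], "COMMIT"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # the page's A (1.1.1.1) / B (2.2.2.2) port forward, then a constructed
    # A > B:31201 > C:31201 > D:22 chain on 10.0.0.1 .. 10.0.0.4
    print(render(inbound_forward("1.1.1.1", "2.2.2.2", 8331)))
    chain = outbound_chain(["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"], 31201)
    for host, host_rules in chain.items():
        print(f"# on {host}\n{render(host_rules)}")
```

Review the printed text, then on each host run `iptables-restore --noflush < rules.txt` (the ip_forward sysctl from the top of the page is still needed on every hop). Each host's rules are the same DNAT/SNAT pair as the hand-typed commands above; the generator only removes the chance of the addresses on two hops disagreeing.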