Iptables Basics


install and start the iptables service (yum-based systems such as CentOS/RHEL)

yum install iptables-services
systemctl start iptables

enable IPv4 forwarding (takes effect immediately but does not survive a reboot; required for all the DNAT forwarding below)

echo 1 > /proc/sys/net/ipv4/ip_forward

Basic Commands

check existing NAT routing rules (with line numbers)

iptables -t nat -v -L POSTROUTING --line-numbers

delete an existing NAT rule (use the line number from the listing above; numbers shift after each delete, so re-list before deleting another)

iptables -t nat -D POSTROUTING <line number>
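Picking the right number out of that listing by eye is error-prone, and because the chain is renumbered after every -D, deleting several matching rules in ascending order removes the wrong ones. The following script is an added example (my own code, not from these notes): it parses listing text shaped like the output of `iptables -t nat -v -L <chain> --line-numbers`, returns the matching rule numbers highest first, and wraps that in a delete helper. The `SAMPLE` listing is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original notes: find nat rule numbers from
# an `iptables -t nat -v -L <chain> --line-numbers` listing so rules can be
# deleted by number without reading the table by eye.

# rule_numbers LISTING PATTERN
#   Prints the numbers of the rows in LISTING whose text matches PATTERN
#   (an awk regular expression), highest number first.  Only rows whose
#   first field is a rule number count; the "Chain ..." and column-header
#   rows are skipped.  Descending order matters: iptables renumbers the
#   chain after every -D, so deleting 2 and then 4 would actually remove
#   rules 2 and 5.
rule_numbers() {
    listing=$1; pattern=$2
    printf '%s\n' "$listing" \
        | awk -v pat="$pattern" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }' \
        | sort -rn
}

# delete_matching CHAIN PATTERN
#   Deletes every rule in the nat CHAIN whose listing row matches PATTERN.
#   DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 runs them.
delete_matching() {
    chain=$1; pattern=$2
    listing=$(iptables -t nat -v -L "$chain" --line-numbers)
    for n in $(rule_numbers "$listing" "$pattern"); do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'iptables -t nat -D %s %s\n' "$chain" "$n"
        else
            iptables -t nat -D "$chain" "$n"
        fi
    done
}

# Constructed sample listing (not captured from a real host), shaped like
#   iptables -t nat -v -L POSTROUTING --line-numbers
SAMPLE='Chain POSTROUTING (policy ACCEPT 12 packets, 900 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 SNAT       tcp  --  *      *       0.0.0.0/0            2.2.2.2              tcp dpt:8331 to:1.1.1.1
2       10   640 MASQUERADE all  --  *      eth0    192.168.2.0/24       0.0.0.0/0
3        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
4        3   180 MASQUERADE all  --  *      eth1    10.0.0.0/8           0.0.0.0/0'

# usage: ./rule_numbers.sh MASQUERADE   -> prints "4" then "2" for the sample
if [ "$#" -ge 1 ]; then
    rule_numbers "$SAMPLE" "$1"
fi
```

On a live host, `delete_matching POSTROUTING MASQUERADE` prints the -D commands in the safe order; run it again with `DRY_RUN=0` once the list looks right. The same pattern works for cleaning up a forgotten debugging LOG rule (`delete_matching PREROUTING LOG`).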

save all current rules to a file

iptables-save > /tmp/iptables.bkup

restore rules from a file

iptables-restore < /tmp/iptables.bkup

check NAT rules (-n prints numeric addresses and ports instead of doing DNS lookups)

iptables -t nat -L -n

check current filter rules (INPUT, FORWARD and OUTPUT chains)

iptables -L -n

insert a debug LOG rule at position 3 of the nat PREROUTING chain (watch it with tail on syslog; delete the rule when done)

iptables -t nat -I PREROUTING 3 -j LOG

block outbound connections to TCP port 2500 (OUTPUT chain)

iptables -A OUTPUT -p tcp --dport 2500 -j DROP

allow inbound connections to TCP port 2500 (INPUT chain)

iptables -A INPUT -p tcp --dport 2500 -j ACCEPT

block an IP address

iptables -A INPUT -s 192.130.2.4 -j DROP

block a range of IPs (CIDR notation)

iptables -A INPUT -s 192.168.2.0/24 -j DROP

unblock an IP address (deletes the DROP rule added above; -D takes the same arguments as the -A that created the rule)

iptables -D INPUT -s 192.130.2.4 -j DROP

Forward a Port to another server

add a rule on server A (1.1.1.1) to forward port 8331 to server B (2.2.2.2)

A> sudo iptables -t nat -A PREROUTING -p tcp --dport 8331 -j DNAT --to-destination 2.2.2.2:8331

now add a rule that rewrites the packet's SOURCE IP to server A's address instead of the external client C's (the original source IP is C's), so that B's replies come back through A rather than going straight to C

A> sudo iptables -t nat -A POSTROUTING -p tcp -d 2.2.2.2 --dport 8331 -j SNAT --to-source 1.1.1.1

now connect to server A with netcat from the external server C

C > netcat A 8331 -v

Connected!



Connect to service via backbone interface

1. the customer connects to NY1 on port 2400 via the p1p1 interface

2. iptables on NY1 has two nat rules, PREROUTING and POSTROUTING, that send the packet on to CH1 over the em1 interface and then change the source IP to NY1's em1 address

root@ny1> iptables -t nat -A PREROUTING -p tcp --dport 2400 -j DNAT --to-destination 192.168.38.5:2400

root@ny1> iptables -t nat -A POSTROUTING -p tcp -d 192.168.38.5 --dport 2400 -j SNAT --to-source 192.168.37.5

3. iptables on CH1 has two rules that send the packet out the p1p1 interface and then change the source IP to CH1's em1 address

root@ch1> iptables -t nat -A PREROUTING -p tcp --dport 2400 -j DNAT --to-destination 192.168.38.20:2400

root@ch1> iptables -t nat -A POSTROUTING -p tcp -d 192.168.38.20 --dport 2400 -j SNAT --to-source 192.168.38.5

4. the reply follows the same path back to the customer over p1p1, and netcat reports a connection
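The A/B port forward and each NY1/CH1 hop above are the same two-rule pattern (DNAT in PREROUTING, SNAT in POSTROUTING) with different addresses, so it is worth scripting. The script below is an added example (my own code, not from these notes); `forward_port` and its `DRY_RUN` switch are my names. It assumes the host's FORWARD chain needs explicit ACCEPT rules, which is the case for the ruleset shipped with iptables-services, where FORWARD ends in a REJECT.

```shell
#!/bin/sh
# Added example, not part of the original notes: relay a TCP port from this
# host (LOCAL_IP) to another host (REMOTE_IP), the A -> B pattern above.
# DRY_RUN=1 (the default) prints the commands instead of running them so the
# change can be reviewed first; DRY_RUN=0 applies them (needs root).
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forward_port LOCAL_IP REMOTE_IP PORT
forward_port() {
    local_ip=$1; remote_ip=$2; port=$3
    # the kernel discards forwarded packets unless ip_forward is on
    run sysctl -w net.ipv4.ip_forward=1
    # DNAT: inbound connections to PORT get REMOTE_IP as their new destination
    run iptables -t nat -A PREROUTING -p tcp --dport "$port" \
        -j DNAT --to-destination "$remote_ip:$port"
    # SNAT: the forwarded packet leaves with LOCAL_IP as its source, so
    # REMOTE_IP answers to us and conntrack undoes both translations on the
    # reply.  Without it the reply would go straight to the original client,
    # which never sent anything to REMOTE_IP, and the connection would hang.
    run iptables -t nat -A POSTROUTING -p tcp -d "$remote_ip" --dport "$port" \
        -j SNAT --to-source "$local_ip"
    # the filter table must also let the relayed flow through FORWARD; the
    # shipped iptables-services config ends that chain with a REJECT
    run iptables -I FORWARD -p tcp -d "$remote_ip" --dport "$port" -j ACCEPT
    run iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# usage: DRY_RUN=0 ./forward_port.sh 1.1.1.1 2.2.2.2 8331              (on server A)
#        DRY_RUN=0 ./forward_port.sh 192.168.37.5 192.168.38.5 2400    (on NY1)
if [ "$#" -eq 3 ]; then
    forward_port "$1" "$2" "$3"
fi
```

Running it once in dry-run mode and once with `DRY_RUN=0` gives a reviewable record of exactly what was added, which is also what you need when it comes time to remove the rules again with -D.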


Use a Hop Server to route packets

Scenario: you need to connect to an external server C on port 15176 but cannot reach it directly from A. Use a hop server B and relay the packets with the 'redir' binary.

1. on A, add a nat OUTPUT rule that sends all traffic for port 15176 to B

iptables -t nat -A OUTPUT -p tcp --dport 15176 -j DNAT --to-destination <IP of server B>:15176

2. on B, start a redir listener on port 15176 that forwards every connection to C; replies come back over the same hops

redir --laddr=192.168.25.1 --lport=15176 --caddr=<IP of server C> --cport=15176 &


Forward all outgoing packets via Hop Server on a specific interface

Scenario: you need to route a connection from server A to server C, but you can't connect directly. You can use server B as a hop server, but you also need to use a specific interface on B (p1p1).

You can do this with a combination of iptables and a user-space relay such as redir or socat.



Redirect SSH without using Redir

Server A wants to be able to SSH and rsync to server C, but there's no direct route;

it can only get there via B

on A, set up an OUTPUT DNAT rule to B:<dummy port>

on B, set up a PREROUTING DNAT rule from <dummy port> to C:<dummy port>
on B, add a POSTROUTING MASQUERADE rule so traffic to the dummy port leaves with B's source IP

on C, add a REDIRECT rule that redirects the dummy port to its own port 22

If you need to reach an additional unreachable host via a second hop host, simply add another DNAT and MASQUERADE rule on the second hop host, i.e., A needs to reach D via B, but A doesn't have connectivity to C or D

with the rules below, your connection will flow like this

A > B:31201 > C:31201 > D:22
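Because every hop in that chain gets the same pair of rules and only the origin and the final target differ, the whole set can be generated from a host list. The script below is an added example (my own code, not from these notes) that prints the rules for `A > B:31201 > C:31201 > D:22`; `hop_chain` and the 10.0.0.x addresses are my assumptions. It follows the page's OUTPUT DNAT on the origin, DNAT plus MASQUERADE on each hop, and REDIRECT on the target, and adds the FORWARD ACCEPT rules the hops need when their filter chain rejects forwarded traffic.

```shell
#!/bin/sh
# Added example, not part of the original notes: print the nat rules for a
# dummy-port SSH relay chain such as  A > B:31201 > C:31201 > D:22.
# The host list is origin first, target last, with one or more hops between.
#   hop_chain DUMMY_PORT FINAL_PORT ORIGIN HOP... TARGET
hop_chain() {
    dummy=$1; final=$2; shift 2
    if [ "$#" -lt 3 ]; then
        echo "usage: hop_chain DUMMY_PORT FINAL_PORT ORIGIN HOP... TARGET" >&2
        return 1
    fi

    # origin: its own outbound connections to the dummy port are steered to
    # the first hop (nat OUTPUT, because the packets are locally generated)
    printf '# on %s (origin)\n' "$1"
    printf 'iptables -t nat -A OUTPUT -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$dummy" "$2" "$dummy"
    shift

    # every hop: forward the dummy port to the next host and masquerade so the
    # next host replies to this hop rather than to an address it cannot reach
    while [ "$#" -gt 1 ]; do
        printf '# on %s (hop)\n' "$1"
        printf 'sysctl -w net.ipv4.ip_forward=1\n'
        printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$dummy" "$2" "$dummy"
        printf 'iptables -t nat -A POSTROUTING -p tcp -d %s --dport %s -j MASQUERADE\n' \
            "$2" "$dummy"
        printf 'iptables -I FORWARD -p tcp -d %s --dport %s -j ACCEPT\n' "$2" "$dummy"
        printf 'iptables -I FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
        shift
    done

    # target: nothing to forward, just map the dummy port onto the real service
    printf '# on %s (target)\n' "$1"
    printf 'iptables -t nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
        "$dummy" "$final"
}

# usage: ./hop_chain.sh 31201 22 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4
#        then on the origin:  ssh -p 31201 10.0.0.4
#        (the OUTPUT rule rewrites that destination to the first hop)
if [ "$#" -ge 5 ]; then
    hop_chain "$@"
fi
```

The output is grouped by host with a `# on ...` comment, so each group can be pasted onto the right box. Keeping the dummy port out of the real service range makes these rules easy to find again later with the listing commands above when the relay is no longer needed.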