Iptables question

Red Squirrel

No Lifer
May 24, 2003
70,166
13,573
126
www.anyf.ca
I have a Linux server with multiple IPs. I want to take one IP and have any traffic (or at least the ports I choose) redirected to an internal (VMware host-only) IP. How would I go about creating this rule?

I'm guessing this is basically a form of NAT, just not sure how to write the rule.

So just to clarify:

Server's IP range: 10.1.1.10-10.1.1.20

Internal server IP: 10.4.4.10 (this IP is only accessible from within the server, kind of like localhost)

So any traffic that goes to 10.1.1.11 port 10 is sent to 10.4.4.10 port 10.

Any other traffic to 10.1.1.11 is dropped (which I suppose will happen by default if I don't do anything with it).

How do I go about doing this?

Note that I only want it to happen to traffic going to that one IP, not the other IPs.
 

FLegman

Member
Jul 26, 2007
98
0
0
Greetings,

Originally posted by: RedSquirrel
I have a Linux server with multiple IPs. I want to take one IP and have any traffic (or at least the ports I choose) redirected to an internal (VMware host-only) IP. How would I go about creating this rule?

I'm guessing this is basically a form of NAT, just not sure how to write the rule.

So just to clarify:

Server's IP range: 10.1.1.10-10.1.1.20

Internal server IP: 10.4.4.10 (this IP is only accessible from within the server, kind of like localhost)

So any traffic that goes to 10.1.1.11 port 10 is sent to 10.4.4.10 port 10.

Any other traffic to 10.1.1.11 is dropped (which I suppose will happen by default if I don't do anything with it).

How do I go about doing this?

Note that I only want it to happen to traffic going to that one IP, not the other IPs.

By internal server, do you mean to say that VMware is sitting (as a host for future guest OSes) on top of the Linux server (main host)?
If that is the case, then you need to either detect the allocated IP address of the guest operating system you wish to redirect traffic to, or manually set the IP address for that particular guest, and then proceed with the iptables settings.

This is how it would look:

a) 1 Linux server (host) with IP address range: 10.1.1.10-10.1.1.20
b) 1 VMware (Workstation version) with IP range (created by default) 10.4.4.10-10.4.4.16
c) 1 or more guest OSes running under VMware. Here you will need to know what IP has been assigned to the guest. Note that for redirection to work, this IP needs to be in the same segment as the Linux server's IP range. You will maybe need to set the IP manually. Also you will have to go into the VMware "Options" and "NAT" or "Network" tab to fine-tune the communication between your Linux server and its guest machine, by selecting "Bridge", "NAT", "NAT0"... mode. (Sorry, I can't remember the exact names as I'm not sitting in front of my machine.)

Hope this will help.
 

Red Squirrel
That's basically what I got. I'm just not sure which iptables commands I'd use to achieve this. I've got the VMware part already figured out. I already SSH tunnel to some of the ports; I just want others to be NATed through the external IP as well.
 

FLegman
This might be useful to you before proceeding further, though your box could be different from the one in the first link of the current post. In case you decide to "scroll", please try Engineer Tim's blog for more detail regarding a step-by-step implementation.

 

Red Squirrel
OK, I finally started on this, with no luck. iptables resources online seem to be very sparse when it comes to editing an iptables-restore file, as the commands are different, but I find it so much easier to edit a file than to type random commands and then somehow try to reverse them if it does not work as needed.

So far I have this:

-A PREROUTING -p tcp -i eth0 --dport 1000 -j DNAT --to-destination 192.168.49.100:1000

This should forward port 1000 to port 1000 of the 192 address (which is internal).

It just errors out with no explanation. I also need to figure out how to make this apply to only one IP (I have multiple IPs on that server).
 

FLegman
VMware installs 2 virtual Ethernet adapters with default IPs (ex: 192.168.49.1 & 192.168.11.1).
From here on you have 4 IP ranges to deal with: 1 from your main host's physical network adapter (ex: 192.168.75.15) + 2 from the VMware virtual adapters and 1 from your modem/router (that does the DHCP) (ex: 192.168.75.1).
The operating systems installed within VMware will be assigned their IPs based on one of the virtual adapters' ranges. Let's assume here that you have a web server installed with an assigned IP of 192.168.49.100.
By default your main host knows only about the pre-allocated virtual IPs, so 192.168.75.15 can positively ping 192.168.49.1 & 192.168.11.1 but not your web server on 192.168.49.100. This is like an incoming packet that will be dropped because your web server did not initiate a request.
In return you can positively ping your main host 192.168.75.15 from your web server at 192.168.49.100. Note here too that your web server doesn't know about your modem/router 192.168.75.1; this is because it has its own gateway, which you can find with netstat -r.

To sum it up, you have a web server with its own gateway that knows about your main host, which in return will fail to forward any packet/request that has not been initiated by the server, but thanks to NAT enabled in VMware everything runs smoothly.
If you want to use iptables, you need to enable NAT for internal & external network access.

1st: Configure your main host as gateway based on the tunneling protocol used by your ISP (below it is PPPoE):
a) If you have a dynamic IP: > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
b) For a static IP: > iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source xxx.xxx.xxx.xxx (here your static IP)

2nd: Activate forwarding: > echo 1 > /proc/sys/net/ipv4/ip_forward

3rd: Configure the web server's gateway to be the IP address of your main host, 192.168.75.15

4th: Allow external traffic to your web server: > iptables -t nat -p tcp -A PREROUTING -j DNAT --destination-port 80 --to-destination 192.168.49.100:80

----
Hopefully this will help (and sorry for the lengthy stuff).

Please feel free to add more info or correct the above, thanks.
 

Red Squirrel
I was aware of all the steps up to 4, and did find this command:

iptables -t nat -p tcp -A PREROUTING -j DNAT --destination-port 80 --to-destination 192.168.49.100:80

However, the syntax must be different when editing an iptables-restore config file. Is there a place I can find the syntax for that file? I don't really like using commands live on the command line, as it's a pain to reverse if I make a mistake and there's no place where the commands are stored. I'd like to have an actual config file I can look at and add comments to, etc.
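The restore-file format asked about here, combined with the DNAT, forwarding and SNAT steps FLegman listed, as an added example that is not code from the thread: a POSIX sh function that writes a complete iptables-restore file for one public address. The addresses and port follow the opening post's own illustration (10.1.1.11 port 10 sent to 10.4.4.10 port 10); the interface name eth0, the static-IP SNAT for the VM's outbound traffic, and the DROP of everything else addressed to 10.1.1.11 are assumptions based on that post's wording.

```shell
#!/bin/sh
# Added example, not from the thread: generate an iptables-restore file that
# DNATs one port on ONE public address (pub) to a host-only VM (vm) and drops
# everything else aimed at that address. eth0, the SNAT and the DROP policy
# for the public address are assumptions.
set -eu

# gen_rules PUBLIC_IP VM_IP PORT [WAN_IF]  -> complete restore file on stdout
gen_rules() {
    pub=$1; vm=$2; port=$3; wan=${4:-eth0}
    cat <<EOF
# Generated by gen_rules: $pub:$port -> $vm:$port via $wan
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only packets addressed to $pub are rewritten; the host's other IPs are untouched
-A PREROUTING -i $wan -d $pub -p tcp --dport $port -j DNAT --to-destination $vm:$port
# Traffic the VM itself originates leaves with the same public address (static-IP SNAT)
-A POSTROUTING -o $wan -s $vm -j SNAT --to-source $pub
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# FORWARD runs after nat PREROUTING, so it must match the translated destination, not $pub
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -d $vm -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Anything else sent to $pub itself is dropped; the host's other addresses keep their own rules
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -d $pub -j DROP
COMMIT
EOF
}

# apply_rules FILE: turn on routing, syntax-check the file, then load it atomically.
# iptables-restore replaces each table named in the file as a whole, so a file
# that fails to parse leaves the running rules as they were.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    iptables-restore --test < "$1"   # parse only, commits nothing
    iptables-restore < "$1"
}

# Usage: gen_rules 10.1.1.11 10.4.4.10 10 > /etc/iptables.rules && apply_rules /etc/iptables.rules
gen_rules 10.1.1.11 10.4.4.10 10
```

The differences from typed commands are only these: no `iptables` prefix and no `-t nat`, because each table is introduced by a `*nat` / `*filter` header line, chains are declared with `:CHAIN POLICY [0:0]`, and every table ends with `COMMIT`. The rule text after that is the same as on the command line. A PREROUTING rule placed under `*filter` (or in a file with no table header at all) is rejected by iptables-restore because PREROUTING exists only in the nat, mangle and raw tables, which is a likely reason for the bare `-A PREROUTING ... -j DNAT` line failing earlier in the thread.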
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Just use a shell script. At the start, flush the tables, and then below that add all your rules. All you gotta do is edit and then run your script every time you want to update the rules. As long as you don't have anything writing your rules on startup, you can always reboot to get back in if you lock yourself out as well. Once you have your script tested and working, then you can add it to run on startup.
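The "reboot to get back in" fallback can be avoided with a dead-man switch, shown here as an added example (not from the thread or from any of the posters): the live ruleset is saved, the new file is loaded, and a background timer restores the saved set unless the change is confirmed from a still-working SSH session. The command names are taken from variables so the functions can be exercised without root; the file paths and the 60-second default are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: load a rule file with automatic rollback
# so that a typo that blocks SSH undoes itself instead of forcing a reboot.
# IPT_SAVE/IPT_RESTORE default to the real tools; the paths are assumptions.
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
BACKUP=${BACKUP:-/var/tmp/iptables.rollback}
CONFIRM=${CONFIRM:-/var/tmp/iptables.confirmed}

# apply_with_rollback RULEFILE [SECONDS]
# Save the running rules, load RULEFILE, and arm a timer that puts the saved
# rules back after SECONDS unless confirm_rules has been called. Returns 1
# (and arms nothing) if the save or the load fails.
apply_with_rollback() {
    rules=$1; secs=${2:-60}
    rm -f "$CONFIRM"
    "$IPT_SAVE" > "$BACKUP" || return 1
    # iptables-restore replaces whole tables, so no separate flush is needed,
    # and a file that does not parse leaves the old rules untouched
    "$IPT_RESTORE" < "$rules" || return 1
    ( sleep "$secs"
      [ -e "$CONFIRM" ] || "$IPT_RESTORE" < "$BACKUP" ) &
    echo "rules loaded; run confirm_rules within ${secs}s or they roll back"
}

# confirm_rules: tell the timer the new rules are good (call from a fresh session)
confirm_rules() { : > "$CONFIRM"; }

# pending_rollback: succeeds while the timer is still armed
pending_rollback() { [ ! -e "$CONFIRM" ]; }

# Usage (as root):  . ./rollback.sh; apply_with_rollback /etc/iptables.rules 60
# then, from a NEW ssh login that still works:  confirm_rules
```

Confirm from a second login rather than the one that ran the load: if the new rules cut that first session off, the confirmation never happens and the timer restores the old ruleset on its own.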

 

Red Squirrel
Hmm, was thinking that. My only fear is that iptables --flush will boot me off if the rules are wrong or have a syntax error, but I guess that would happen with restore too.

I made the mistake of typing that command on my live server to see if it did what I thought it did. :eek: Did not realize it also killed live connections, lol. Just tried it on a test server with a test script and it looks like it will work. Guess I should have done this from the start; easier to find online resources now, as the commands I find will actually be what I need.
 

Red Squirrel
OK, this is what I got so far.

iptables -v -t nat -A PREROUTING -p tcp -i eth0 --dport 85 -j DNAT --to-destination 127.0.0.1:110
iptables -v -A FORWARD -p tcp -i eth0 --dport 85 -j ACCEPT
iptables -v -A INPUT -p tcp -i eth0 --dport 85 -j ACCEPT

For now I'm just forwarding to 127.0.0.1, but imagine that being another IP that is accessible only internally.

I also generalized those rules while troubleshooting, but really I want to be able to make it apply only if the connection is going to a certain IP. In this case, this machine has .200 and .202.

I should be able to connect to port 85 and it should bring up dovecot (which is running and will accept connections fine on port 110, which I opened by normal means).

So what did I do wrong with those rules? Is using 127.0.0.1 an issue? Worst comes to worst, I can set up another NIC with another machine, just for testing.