Full Discussion: iptables in a NAT scenario
Special Forums Cybersecurity iptables in a NAT scenario Post 302808751 by capri_guy84 on Friday 17th of May 2013 12:16:31 PM
Old 05-17-2013
iptables in a NAT scenario

Hi, I am learning IPTables and have this question.

My server is behind a firewall that does a PAT & NAT to the LAN address.
Code:
Internet IP: 68.1.1.23
Port: 10022

Server LAN IP: 10.1.1.23
port: 22

Allowed Internet IPs:  131.1.1.23, 132.1.1.23

I want to allow a set of IPs to be able to SSH & DROP all other traffic. The point where I got confused is my destination address.

Packet from computer on Internet:
Code:
Source IP: 131.1.1.23            sourceport:<random>
Destination IP: 68.1.1.23        destinationport: 10022

Packet seen by server behind firewall:
Code:
source IP: 68.1.1.23   sourceport: 2522
destination IP: 10.1.1.23   destinationport: 22

Q1) Now, how do I write my IPtables ruleset, if the host is not able to see the actual source of the traffic?

Q2) I also want to block any SSH from within 10.0.0.0/subnet as it will be a colo facility & other servers share LAN addresses.
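
Added example, not part of the original post: a shell sketch that prints iptables-restore input for the scenario above. The server can only match the source address it actually receives (68.1.1.23 in the capture), so the per-client allowlist is generated for the NAT device. This assumes that device is a Linux box running iptables, which the post does not state. The function names and the /8 mask are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Prints iptables-restore input.

# is_v4 ADDR: accept only digits, dots and an optional /mask.
is_v4() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
}

# server_ssh_rules LAN_CIDR SRC...
#   LAN_CIDR: shared colo LAN to refuse SSH from (the post gives no mask).
#   SRC...:   source addresses as the server sees them. With the capture in
#             the post that is the firewall's translated address, 68.1.1.23.
server_ssh_rules() {
    lan=$1; shift
    is_v4 "$lan" && [ $# -gt 0 ] || return 1
    for s in "$@"; do is_v4 "$s" || return 1; done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for s in "$@"; do
        echo "-A INPUT -p tcp -s $s --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Explicit rule for Q2; the DROP policy already covers everything else.
    echo "-A INPUT -p tcp -s $lan --dport 22 -j DROP"
    echo 'COMMIT'
}

# firewall_ssh_chain SERVER CLIENT...
#   Assumption: the NAT device is a Linux box running iptables. Its FORWARD
#   chain runs after DNAT and before source NAT, so it still sees the real
#   client address and the server's LAN address and port.
firewall_ssh_chain() {
    server=$1; shift
    is_v4 "$server" && [ $# -gt 0 ] || return 1
    for c in "$@"; do is_v4 "$c" || return 1; done
    echo '*filter'
    echo ':SSH_IN - [0:0]'
    echo "-A FORWARD -p tcp -d $server --dport 22 -m conntrack --ctstate NEW -j SSH_IN"
    for c in "$@"; do echo "-A SSH_IN -s $c -j ACCEPT"; done
    echo '-A SSH_IN -j DROP'
    echo 'COMMIT'
}

# Values from the post; 10.0.0.0/8 is a constructed placeholder mask.
server_ssh_rules 10.0.0.0/8 68.1.1.23
firewall_ssh_chain 10.1.1.23 131.1.1.23 132.1.1.23
```

The firewall fragment is meant to be merged into that device's existing filter table rather than loaded on its own. Either output can be checked with `iptables-restore --test` before it is committed.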
 

Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.