Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: iptables conditional masquerade
Top Forums UNIX for Dummies Questions & Answers iptables conditional masquerade Post 302971440 by chebarbudo on Wednesday 20th of April 2016 07:50:04 AM
Old 04-20-2016
iptables conditional masquerade
Hi everyone,

I have a LAN with :
  • 1 internet box (192.168.1.1)
  • 1 Debian host (192.168.1.224)
  • 3 Windows hosts (192.168.1.32/33/34)
The internet box is set to route all incoming traffic to the Debian host (DMZ).

Then the Debian host is set to accept certain packets and forward others to the windows hosts. It's all based on the port number:
  • port 22 accepted
  • port 80 accepted
  • port 59032 forwarded to 192.168.1.32:5900
  • port 59033 forwarded to 192.168.1.33:5900
  • port 59034 forwarded to 192.168.1.34:5900
That allows me to ssh and web into my Debian host and to vnc into my Windows host from the outside world.

This is done by using iptables with the following rules:
Code:
iptables -t filter -A INPUT -i eth0 -p $tcp --dport 22 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -p $tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 59032 -j DNAT --to 192.168.1.32:5900
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 59033 -j DNAT --to 192.168.1.33:5900
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 59034 -j DNAT --to 192.168.1.34:5900

The Debian host is happy receiving connections from the outside world.
But VNC on Windows would block packets if they are not from 192.168.1.0/24.
I could remove that restriction on the Windows host but NO, that's not what I want to do. So I'm using one more rule for iptables:
Code:
iptables -t nat -A POSTROUTING -j MASQUERADE

That way, the Windows host believe that the VNC connection is comming from the local server.

For future improvement reasons, I would rather masquerade only certain packets. So my idea is to do something in the nat.PREROUTING chain so that the nat.POSTROUTING chain will be able to tell whether a packet should be masqueraded or not.

Is there a way to achieve that or any workaround?

Thanks for your help.

Santiago
 

9 More Discussions You Might Find Interesting

1. IP Networking

Ftp'ing thru a Iptables NAT Masquerade

Greetings to all. My new firewall is giving me one hell of a problem. I'm running iptables and masquerading my intranet thru NAT. But here is the problem. Whenever I try to FTP to a server outside of my lan I get a 500 illegal port error. I've come to the conclusion that NAT is... (2 Replies)
Discussion started by: phrater
2 Replies

2. UNIX for Advanced & Expert Users

sendmail/mail masquerade problem

I have a SCO 5.06 box running sendmail 8.11. I have set up sendmail to masquerade the domainname as bar.com. ie in the sendmail.cf file the directive DMbar.com is set. When I send mail using mail/mailx, it appends the local hostname "foo" to the masquerade address and inserts this into... (1 Reply)
Discussion started by: m.szylkarski
1 Replies

3. OS X (Apple)

Ho do I masquerade the "user@user.local" address in mail/mailx?

Hi, I'm brand new here and looking for a solution: I'm using mail or mailx. The default reply address is «myshortusername@mylongusername.local» which makes absolutely no sense for anybody receiving my emails. But how do I change it? There seem to be many solutions but none for Mac OS X.... (0 Replies)
Discussion started by: gczychi
0 Replies

4. IP Networking

iptables: log connection after SNAT/MASQUERADE command

Hello! I have the following problem with iptables in Debian 6: My server works as a router and it needs to log server external IP+port for all outgoing connections. But after command SNAT or MASQUERADE traffic is "lost". I mean no following rules can catch those traffic. Everything looks... (0 Replies)
Discussion started by: unlimited
0 Replies

5. UNIX for Dummies Questions & Answers

Sendmail masquerade

Hi, Please tell me what is sendmail masquarade and what is the use of it? Its pretty confusing :eek:.. Is it all about like when mail is sent from sender to receiver, the receiver cannot see the hostname/internal username of sender.. And I found they constitute various classes like class... (0 Replies)
Discussion started by: Priya Amaresh
0 Replies

6. AIX

Sendmail masquerade

I'm trying to configure sendmail masquerading and it seems like I'm having a problem with m4. My main problem is that internally generated emails are showing up externally as originating from: internal_user@internal1.mydomain.com. internal1.mydomain.com doesn't resolve publicly, nor should it.... (1 Reply)
Discussion started by: aix_user1
1 Replies

7. IP Networking

iptables nat/masquerade - how to act as a basic firewall?

edit: SOLVED - see below for solution Hi there, I've inherited a gob of Linux hosts and so am learning linux from the bottom of the deep end of the pool (gotta say I'm warming up to Linux though - it's not half bad) Right now iptables is confusing me and I could use some pointers as to how... (0 Replies)
Discussion started by: Smiling Dragon
0 Replies

8. UNIX for Dummies Questions & Answers

Nullmailer masquerade domain

I am using nullmailer on Ubuntu Linux to relay mails however when I send email or through cron it appear as root@myhostname.domain.com instead of root@domain.com How do I configure nullmailer so the email send appear as from root@domain.com? (0 Replies)
Discussion started by: hassan1
0 Replies

9. UNIX for Beginners Questions & Answers

iptables : How to apply masquerade while pinging from DUT to outside network

My Device is connected to eth1 interface of the host and eth0 is connected to network. Now when I am pinging google.com from device after executing below commands on host sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE I am... (0 Replies)
Discussion started by: slathigara
0 Replies

LEARN ABOUT DEBIAN

pptpd.conf

PPTPD.CONF(5)							File Formats Manual						     PPTPD.CONF(5)

NAME

       pptpd.conf - PPTP VPN daemon configuration

DESCRIPTION

       pptpd(8)  reads options from this file, usually /etc/pptpd.conf.  Most options can be overridden by the command line.  The local and remote
       IP addresses for clients must come from the configuration file or from pppd(8) configuration files.

OPTIONS

       option option-file
	      the name of an option file to be passed to pppd(8) in place of the default /etc/ppp/options so that PPTP	specific  options  can	be
	      given.  Equivalent to the command line --option option.

       stimeout seconds
	      number of seconds to wait for a PPTP packet before forking the pptpctrl(8) program to handle the client.	The default is 10 seconds.
	      This is a denial of service protection feature.  Equivalent to the command line --stimeout option.

       debug  turns on debugging mode, sending debugging information to syslog(3).  Has no effect on pppd(8) debugging.  Equivalent to the command
	      line --debug option.

       bcrelay internal-interface
	      turns on broadcast relay mode, sending all broadcasts received on the server's internal interface to the clients.  Equivalent to the
	      command line --bcrelay option.

       connections n
	      limits the number of client connections that may be accepted.  If pptpd is allocating IP addresses (e.g.	delegate is not used) then
	      the number of connections is also limited by the remoteip option.  The default is 100.

       delegate
	      delegates the allocation of client IP addresses to pppd(8).  Without this option, which is the default, pptpd manages the list of IP
	      addresses for clients and passes the next free address to pppd.  With this option, pptpd does not pass an address, and so  pppd  may
	      use radius or chap-secrets to allocate an address.

       localip ip-specification
	      one  or  many IP addresses to be used at the local end of the tunnelled PPP links between the server and the client.  If one address
	      only is given, this address is used for all clients.  Otherwise, one address per client must be given, and  if  there  are  no  free
	      addresses then any new clients will be refused.  localip will be ignored if the delegate option is used.

       remoteip ip-specification
	      a  list  of  IP addresses to assign to remote PPTP clients. Each connected client must have a different address, so there must be at
	      least as many addresses as you have simultaneous clients, and preferably some spare, since  you  cannot  change  this  list  without
	      restarting  pptpd. A warning will be sent to syslog(3) when the IP address pool is exhausted.  remoteip will be ignored if the dele-
	      gate option is used.

       noipparam
	      by default, the original client IP address is given to ip-up scripts using the pppd(8) option ipparam.  The  noipparam  option  pre-
	      vents this.  Equivalent to the command line --noipparam option.

       listen ip-address
	      the  local  interface IP address to listen on for incoming PPTP connections (TCP port 1723). Equivalent to the command line --listen
	      option.

       pidfile pid-file
	      specifies an alternate location to store the process ID file (default /var/run/pptpd.pid).  Equivalent to the command line --pidfile
	      option.

       speed speed
	      specifies  a  speed  (in bits per second) to pass to the PPP daemon as the interface speed for the tty/pty pair.	This is ignored by
	      some PPP daemons, such as Linux's pppd(8).  The default is 115200 bytes per second, which some implementations interpret as  meaning
	      "no limit".  Equivalent to the command line --speed option.

NOTES

       An  ip-specification above (for the localip and remoteip tags) may be a list of IP addresses (for example 192.168.0.2,192.168.0.3), a range
       (for example 192.168.0.1-254 or 192.168.0-255.2) or some combination (for example 192.168.0.2,192.168.0.5-8).  For some valid  pairs  might
       be (depending on use of the VPN):

       localip 192.168.0.1
       remoteip 192.168.0.2-254

       or

       localip 192.168.1.2-254
       remoteip 192.168.0.2-254

ROUTING CHECKLIST - PROXYARP
       Allocate a section of your LAN addresses for use by clients.

       In  /etc/ppp/options.pptpd.   set  the proxyarp option.	In pptpd.conf do not set localip option, but set remoteip to the allocated address
       range.  Enable kernel forwarding of packets, (e.g. using /proc/sys/net/ipv4/ip_forward ).

       The server will advertise the clients to the LAN using ARP, providing it's own ethernet address.  bcrelay(8) should not be required.

ROUTING CHECKLIST - FORWARDING
       Allocate a subnet for the clients that is routable from your LAN, but is not part of your LAN.

       In pptpd.conf set localip to a single address or range in the allocated subnet, set remoteip to a range in the  allocated  subnet.   Enable
       kernel  forwarding  of  packets, (e.g. using /proc/sys/net/ipv4/ip_forward ).  The LAN must have a route to the clients using the server as
       gateway.

       The server will forward the packets unchanged between the clients and the LAN.  bcrelay(8) will be required to support broadcast  protocols
       such as NETBIOS.

ROUTING CHECKLIST - MASQUERADE
       Allocate a subnet for the clients that is not routable from your LAN, and not otherwise routable from the server (e.g. 10.0.0.0/24).

       Set  localip  to  a  single address in the subnet (e.g. 10.0.0.1), set remoteip to a range for the rest of the subnet, (e.g. 10.0.0.2-200).
       Enable kernel forwarding of packets, (e.g. using /proc/sys/net/ipv4/ip_forward ).  Enable masquerading on eth0 (e.g.  iptables  -t  nat	-A
       POSTROUTING -o eth0 -j MASQUERADE ).

       The  server  will  translate  the packets between the clients and the LAN.  The clients will appear to the LAN as having the address corre-
       sponding to the server.	The LAN need not have an explicit route to the clients.  bcrelay(8) will be required to support  broadcast  proto-
       cols such as NETBIOS.

FIREWALL RULES

       pptpd(8)  accepts  control connections on TCP port 1723, and then uses GRE (protocol 47) to exchange data packets.  Add these rules to your
       iptables(8) configuration, or use them as the basis for your own rules:

       iptables --append INPUT --protocol 47 --jump ACCEPT
       iptables --append INPUT --protocol tcp --match tcp 
		--destination-port 1723 --jump ACCEPT

SEE ALSO

       pppd(8), pptpd(8), pptpd.conf(5).

								 29 December 2005						     PPTPD.CONF(5)
All times are GMT -4. The time now is 06:53 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy