Answer the question
In order to leave comments, you need to log in
S
S
Sergey2017-11-02 15:12:52
Sergey, 2017-11-02 15:12:52
iptables settings for transit to another server?
Good day.
There are two wheelbarrows with debian and WS. IIS is installed on WS with a bunch of sites, they all look at the Internet now, you need to hide them behind a wheelbarrow with debian.
Debian car has two network interfaces:
eth0 22.22.22.22 - Internet
eth1 192.168.1.100 -
WS locale:
eth0 33.33.33.33
eth1 192.168.1.200
Local is shared, each other's cars ping on local.
I do like this:
iptables -F
iptables -t nat -F
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 9090 -j ACCEPT # хочу через этот порт пустить трафик
#Пакеты с нужного адреса заворачиваем на компьютер
iptables -t nat -A PREROUTING -s 22.22.22.22 --sport 8172 -i eth0 -j DNAT --to-destination 196.168.1.200 --dport 9090
#Разрешаем эти пакеты
iptables -t filter -A FORWARD -s 22.22.22.22 -d 192.168.1.200 -j ACCEPT
#Получаем интернет в локалке
#iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 22.22.22.22
#Прописываем путь пакета с debian до WS
iptables -t nat -A POSTROUTING -d 192.168.1.200 --sport 9090 -s 192.168.1.0/24 -j SNAT --to-source 192.168.1.100 --dport 9090
#Меняем адрес источника на поддельный
iptables -t nat -A POSTROUTING -s 22.22.22.22 -j SNAT --to-source 192.168.1.150
#Добавляем новый адрес роутеру XX - любое незанятое в локалке число
ip addr add 192.168.1.150/24 dev eth1
#где .150 - не занятый локальный адрес
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROPBut something is going wrong.
If I retyped the text in order to think it over again, there may be typos, but it does not give errors when executing the script.
2 answer(s)
@kRosis
The INPUT chain does not affect the passing traffic, you can delete the rule for 9090 from there.
If Debian has .100, then I don't see any reason to give it any more.
@kRosis
for some reason, nginx did not want to work if you just write listen 80; or listen 443 ssl;
but it worked listen ip-deb:80; and listen ip-deb:443 ssl;
K
krosh, 2017-11-03 @kRosis
Something you mess with the rules. To forward a port to the local network, you need three rules in chains: PREROUTING, POSTROUTING and FORWARD.
Try to clean everything and use these:
#Пакеты с нужного адреса заворачиваем на компьютер
iptables -t nat -A PREROUTING -d 22.22.22.22 --dport 9090 -i eth0 -j DNAT --to-destination 196.168.1.200:9090
#Получаем интернет в локалке - это не обязательно, если инет через другой шлюз
#iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 22.22.22.22
#Меняем адрес источника на локальный
iptables -t nat -A POSTROUTING -d 196.168.1.200 -p tcp -m tcp --dport 9090 -j SNAT --to-source 196.168.1.100
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "ALLOW Установленные соединения" -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --dport 9090 -m comment --comment "ALLOW LAN all 9090" -j ACCEPTThe INPUT chain does not affect the passing traffic, you can delete the rule for 9090 from there.
If Debian has .100, then I don't see any reason to give it any more.
S
Sergey, 2017-11-08 @kRosis
Who cares, the final config I have is this:
# Пакеты с нужного адреса заворачиваем на компьютер
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 9090 -d $ip-deb -i eth0 \
-j DNAT --to-destination $local-ip-ws:9090
# Меняем адрес источника на локальный, не использую т.к. я так понял это надо для общения компьютеров внутри сети через внешний сервер, а оно мне не надо.
#/sbin/iptables -t nat -A POSTROUTING -d $local-ip-ws -p tcp \
#-m tcp -j SNAT --to-source $local-ip-deb
# Разрешаем соединение для новых, прошедших проверку, пакетов
/sbin/iptables -A FORWARD -p tcp -m conntrack --ctstate NEW \
-m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
/sbin/iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Разрешаем прохождение пакетов для порта через FORWARD
/sbin/iptables -A FORWARD -p tcp -m tcp --dport 9090 -j ACCEPTfor some reason, nginx did not want to work if you just write listen 80; or listen 443 ssl;
but it worked listen ip-deb:80; and listen ip-deb:443 ssl;
Similar questions
T
D
S
G
N
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question