  1. #11

    OK, so after a lot of head scratching I found the above code to work, but not correctly. Primarily, the forwarding of HTTP and DNS from each subnet doesn't work; I assume it is because NAT is rewriting the source address, so the response to either DNS or HTTP request never reaches the client that made it.

    That being said, I rewrote the script for easier legibility and debugging, so if people could please review this v2 script and let me know what you think.

    Again, eth0 is the internet-facing NIC, eth1 and eth2 are subnets with a client on each ( and respectively), and the DNS server is outside the network.

    #! /bin/bash
    ## do the clean up dance
    iptables -F
    iptables -t nat -F
    ## enable IPv4 routing between interfaces (without this the FORWARD chain never sees traffic)
    sysctl -w net.ipv4.ip_forward=1
    ## connection forwarding so we can SSH to clients
    iptables -t nat -A PREROUTING -p tcp --dport 50001 -m conntrack --ctstate NEW,ESTABLISHED -j DNAT --to-destination
    iptables -t nat -A PREROUTING -p tcp --dport 50002 -m conntrack --ctstate NEW,ESTABLISHED -j DNAT --to-destination
    ## turn on NAT
    iptables -t nat -A POSTROUTING -o eth0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j MASQUERADE
    ## allow localhost traffic
    iptables -A INPUT -i lo -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ## allow return traffic on connections the firewall makes
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ## allow SSH inbound
    iptables -A INPUT -p tcp --dport 50000 -m conntrack --ctstate NEW -j ACCEPT
    ## log and reject everything else
    iptables -A INPUT -m conntrack --ctstate NEW,INVALID -j LOG
    iptables -A INPUT -m conntrack --ctstate NEW,INVALID -j REJECT
    ## allow connections from each subnet not destined for the firewall
    iptables -A FORWARD -i eth1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth2 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ## allow remote SSH to each subnet (FORWARD sees the packet after DNAT; the port is unchanged here)
    iptables -A FORWARD -i eth0 -p tcp -m multiport --dport 50001,50002 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    ## allow return traffic on connections the clients make
    iptables -A FORWARD -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ## log and reject everything else
    iptables -A FORWARD -m conntrack --ctstate NEW,INVALID -j LOG
    iptables -A FORWARD -m conntrack --ctstate NEW,INVALID -j REJECT
    ## be permissive as hell with outbound traffic
    iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

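An added check (not the poster's script) for one thing worth verifying in a ruleset like v2 before debugging anything else: the FORWARD chain sees packets after PREROUTING DNAT, so its port match must cover the rewritten destination port, not only the port the outside world connects to. The rule text and addresses below are constructed (RFC 5737 ranges), and the helpers `post_dnat_port`, `forward_accepts` and `unforwarded_dnats` are hypothetical names.

```shell
#!/bin/sh
# Constructed iptables-save style excerpt: the second DNAT rewrites the port
# (50002 -> 22) but FORWARD only admits 50001,50002, so SSH to that client fails.
RULESET='-A PREROUTING -p tcp --dport 50001 -j DNAT --to-destination 192.0.2.11
-A PREROUTING -p tcp --dport 50002 -j DNAT --to-destination 192.0.2.12:22
-A FORWARD -i eth0 -p tcp -m multiport --dports 50001,50002 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate NEW,INVALID -j REJECT'

# post_dnat_port RULE: the port the DNAT delivers to (explicit :port, else the original --dport)
post_dnat_port() {
  dport=$(printf '%s\n' "$1" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
  dest=$(printf '%s\n' "$1" | sed -n 's/.*--to-destination \([^ ]*\).*/\1/p')
  case $dest in *:*) echo "${dest##*:}" ;; *) echo "$dport" ;; esac
}

# forward_accepts PORT: succeeds if a FORWARD ACCEPT rule that admits NEW connections covers PORT
forward_accepts() {
  while IFS= read -r rule; do
    case $rule in "-A FORWARD "*"-j ACCEPT") ;; *) continue ;; esac
    # a reply-only rule (ESTABLISHED,RELATED without NEW) never admits a fresh connection
    case $rule in *--ctstate*NEW*) ;; *--ctstate*) continue ;; esac
    ports=$(printf '%s\n' "$rule" | sed -n 's/.*--dports\{0,1\} \([0-9,]*\).*/\1/p')
    [ -z "$ports" ] && return 0            # no port match at all: any port is accepted
    case ",$ports," in *",$1,"*) return 0 ;; esac
  done <<EOF
$RULESET
EOF
  return 1
}

# unforwarded_dnats: print "orig_port -> post_port" for every DNAT that FORWARD would reject
unforwarded_dnats() {
  while IFS= read -r rule; do
    case $rule in *"-j DNAT"*) ;; *) continue ;; esac
    orig=$(printf '%s\n' "$rule" | sed -n 's/.*--dport \([0-9]*\).*/\1/p')
    post=$(post_dnat_port "$rule")
    forward_accepts "$post" || echo "$orig -> $post"
  done <<EOF
$RULESET
EOF
}

unforwarded_dnats
```

On a live gateway, replace the constructed RULESET with the output of `iptables-save` and the script reports only the DNATs whose rewritten port no FORWARD ACCEPT rule admits.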
  2. #12
    OK, SOLVED: I found the problem was with the attempt at redirecting DNS queries via iptables. DNS should be dealt with by manually configuring it on the workstation or via DHCP, it seems. Trying to juggle DNS traffic via the gateway is like trying to fix your bicycle by building a plane, from what I gather.
