#11 (Just Joined!, Join Date: May 2013, Posts: 7)

OK, so after a lot of head scratching I found the above code to work, but not correctly. Primarily, the forwarding of HTTP and DNS from each subnet doesn't work; I assume because NAT is rewriting the source address, so the response to either the DNS or HTTP request never reaches the client that made it.

That being said, I rewrote the script for easier legibility and debugging, so if people could please review this v2 script and let me know what you think.

Again, eth0 is the internet-facing NIC, eth1 and eth2 are subnets with a client on each (192.168.0.2 and 192.168.100.2 respectively), and the DNS server is outside the network.

Code:
    #!/bin/bash

    ## do the clean up dance
    iptables -F
    iptables -t nat -F

    ## the kernel only routes between eth0, eth1 and eth2 when forwarding is on
    echo 1 > /proc/sys/net/ipv4/ip_forward

    ## connection forwarding so we can SSH to clients
    iptables -t nat -A PREROUTING -p tcp --dport 50001 -m conntrack --ctstate NEW,ESTABLISHED -j DNAT --to-destination 192.168.0.2
    iptables -t nat -A PREROUTING -p tcp --dport 50002 -m conntrack --ctstate NEW,ESTABLISHED -j DNAT --to-destination 192.168.100.2

    ## turn on NAT
    iptables -t nat -A POSTROUTING -o eth0 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j MASQUERADE

    ## allow localhost traffic
    iptables -A INPUT -i lo -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    ## allow return traffic on connections the firewall makes
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    ## allow SSH inbound
    iptables -A INPUT -p tcp --dport 50000 -m conntrack --ctstate NEW -j ACCEPT

    ## log and reject everything else
    iptables -A INPUT -m conntrack --ctstate NEW,INVALID -j LOG
    iptables -A INPUT -m conntrack --ctstate NEW,INVALID -j REJECT

    ## allow connections from each subnet not destined for the firewall
    iptables -A FORWARD -i eth1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth2 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    ## allow remote SSH to each subnet (multiport takes a comma-separated list via --dports)
    iptables -A FORWARD -i eth0 -p tcp -m multiport --dports 50001,50002 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    ## allow return traffic on connections the clients make
    iptables -A FORWARD -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    ## log and reject everything else
    iptables -A FORWARD -m conntrack --ctstate NEW,INVALID -j LOG
    iptables -A FORWARD -m conntrack --ctstate NEW,INVALID -j REJECT

    ## be permissive as hell with outbound traffic
    iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

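One review check for a script like the one above, as an added example that is not part of the original post: every port the nat PREROUTING chain DNATs must also be admitted by a FORWARD ACCEPT rule, and the gateway must have IPv4 forwarding switched on, or the port-forwards silently fail. The functions below audit the script text itself (so they run offline, without iptables); the sample rules are constructed from the post's v2 script plus one extra DNAT on port 50003 that deliberately lacks a FORWARD rule.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Audits an iptables script
# for DNAT port-forwards without a matching FORWARD ACCEPT rule and for
# the ip_forward setting the gateway needs.

# Constructed sample: the v2 script's DNAT/FORWARD lines plus a DNAT on
# port 50003 that no FORWARD rule admits (the defect we want flagged).
SAMPLE_RULES='iptables -t nat -A PREROUTING -p tcp --dport 50001 -m conntrack --ctstate NEW,ESTABLISHED -j DNAT --to-destination 192.168.0.2
iptables -t nat -A PREROUTING -p tcp --dport 50002 -m conntrack --ctstate NEW,ESTABLISHED -j DNAT --to-destination 192.168.100.2
iptables -t nat -A PREROUTING -p tcp --dport 50003 -j DNAT --to-destination 192.168.100.3
iptables -A FORWARD -i eth0 -p tcp -m multiport --dports 50001,50002 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

# Extract the port list of every rule matching $1 from the rules on stdin,
# accepting both tcp's --dport N and multiport's --dports A,B,C.
ports_of_rules() {
    grep -E -- "$1" | grep -oE -- '--dports? [0-9,]+' | cut -d' ' -f2 | tr ',' '\n'
}

# Print each TCP port that PREROUTING DNATs but no FORWARD ACCEPT rule
# lists, one per line. Prints nothing when the script is consistent.
dnat_ports_without_forward() {
    local rules dnat fwd p
    rules=$(cat)
    dnat=$(printf '%s\n' "$rules" | ports_of_rules '-t nat .*-A PREROUTING .*-j DNAT')
    fwd=$(printf '%s\n' "$rules" | ports_of_rules '-A FORWARD .*-j ACCEPT')
    for p in $dnat; do
        printf '%s\n' "$fwd" | grep -qx -- "$p" || printf '%s\n' "$p"
    done
}

# Exit 0 if the script on stdin enables IPv4 forwarding (sysctl or /proc
# form), 1 otherwise. Without it the kernel never routes between NICs.
enables_ip_forward() {
    grep -Eq -- 'net\.ipv4\.ip_forward *= *1|> */proc/sys/net/ipv4/ip_forward'
}

# Run the audit against a script: the constructed sample, or a path in $1.
audit_script() {
    local src="${1:-}"
    if [ -n "$src" ]; then cat -- "$src"; else printf '%s\n' "$SAMPLE_RULES"; fi \
        | dnat_ports_without_forward | sed 's/^/DNAT without FORWARD rule: port /'
}
```

Running `audit_script /path/to/firewall.sh` against the v2 script reports nothing for the DNAT pairing but `enables_ip_forward` fails unless the script sets ip_forward somewhere.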
#12 (Just Joined!, Join Date: May 2013, Posts: 7)

OK, SOLVED. I found the problem was with the attempt at redirecting DNS queries via iptables. DNS should be dealt with by manually configuring it on the workstation or via DHCP, it seems. Trying to juggle DNS traffic via the gateway is like trying to fix your bicycle by building a plane, from what I gather.
