I'm developing a Wireguard-based P2P VPN program.
I'd like to send packets from a port used by another process.
iptables SNAT and MASQUERADE didn't work.
The port :13613 is used by another process.
iptables -A POSTROUTING -p udp -m udp --sport 13614 -j SNAT --to-source :13613
I sent a packet from :13614, but got an error like
[::]:13614->XXX.XXX.XXX.XXX:44614: sendto: operation not permitted
How can I send packets from :13613.
Related
I have a openVPN server setup on a AWS instance and I would like to use it to route traffic from my home client (client1, 192.168.0.0/24) to a client(client2, 10.81.0.0/16) on a machine on a second network through the openVPN server. I want to route the connections from client1 to client2's network so that I can connect to several devices in client2's network. However I dont have control over the gateway in client2's network so I can't add a route back to the vpn.
As far as I can tell I have the openVPN configuration setup in that once client1 and client2 are connected I can access client2 from client1, the routes are also setup so that if I ping a machine on client2's network the traffic is routed through the vpn but no response happens as client2's network devices do not know how to route the vpn ips back to client2.
I am assuming that I need to setup nat masqurading at client2 but I am unsure how to properly handle this as I am not that familiar with iptables.
tried on client2:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
server.conf
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
route 10.81.0.0 255.255.0.0
push "route 10.81.0.0 255.255.0.0"
dh none
ecdh-curve prime256v1
... encryption info ...
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
ccd/client2
iroute 10.81.0.0 255.255.0.0
For anyone with a similar issue, I found this https://arashmilani.com/post?id=53 that helped me solve the issue.
For me I needed to add the following instead of what I tried.
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eno2 -o tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno2 -j MASQUERADE
tun0 is the tunnel interface from the VPN and eno2 is the interface for client2's network. 10.8.0.0/24 is the default subnet for the VPN subnet.
The forwarding was the big issue, also the masquerade is based on the ip address range of the VPN on the output interface.
I would like to point the connection to my A server 25565 port to another 30000 port of B server. But I need to access the ip address of the user who sent me a connection request from B server.
I have no idea how to do it. I've directed the traffic using the proxy logic in Java, but the performance is bad.
Is there another alternative way I can use it?
iptables -t nat -A PREROUTING -p tcp --dport 25565 -j DNAT --to-destination myAnotherServerIP:30000
iptables -t nat -A POSTROUTING -j MASQUERADE
I did by adding this iptables rules. But I can't reach the IP address where the request came from. (Source IP Adress)
I don't have to do it that iptables rules. Any alternative would be a useful system or path.
There are several options to achieve that. For example:
HA-proxy
nginx TCP proxy
Both are build for high throughput and low latency and both can be configure to provide decent access information.
I have a service listening to customer traffic on ports 80 and 443 of eth1. The servers hosting my service also host other admin/privileged access content on eth0 and localhost
I am trying to setup iptable rules to lock down eth1 on servers which is on same network as clients (block things like ssh through eth1/ accessing internal services running on port 9904 etc.) I also want to make sure that the rules dont forbid regular access to eth1:80 and eth1:443. I have come up with below rules but wanted to review with iptable gurus on possible issues with this rule.
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -j DROP
Do the rules above suffice
How does above differ from the rules found when googling
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A INPUT -i eth1 -p tcp -j ACCEPT
-A INPUT -i eth1 -j DROP
thanks i got this answered in https://serverfault.com/questions/834534/iptable-rules-to-restrict-eth1-access-to-ports-80-and-443 , adding it here for completeness
The first set of rules first allow all incoming packets on your ports
80 and 443. Then it drops ALL other incoming packets (except those
already accepted).
The second set of rules first allow all incoming packets on ports 80
and 443. Then it drops incoming connections (excluding 80 and 443 that
are already accepted), which are packets with only the SYN flag set.
Then it allows all incoming packets.
The difference here is what happens to your OUTGOING connections. In
the first ruleset, if you attempt to connect to another server, any
packets that server sends in response will be dropped so you will
never receive any data. In the second case, those packets will be
allowed since the first packet from the remote server will have both
SYN and ACK set and therefore pass the SYN test, and any following
packets will not have SYN set at all, and therefore pass the test.
This has been traditionally done using conntrack which requires the
kernel to keep track of every connection in the firewall, with a
command like
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
that matches the incoming packet either to an existing connection, or
a connection related to some other existing connection (eg FTP data
connections). If you aren't using FTP or other protocols that use
multiple random ports, then the second ruleset achieves basically the
same result without the overhead of tracking and inspecting these
connections.
my server has 5 IPs (192.168.0.23, 192.168.0.12, 192.168.0.13, 192.168.0.14 and 192.168.0.15).
The IP 192.168.0.23 is real and the others are virtual.
I´d like to block all ports in 192.168.0.12 except port 53 (udp and tcp).
All computers from my network can access all ips from this server but through ip 192.168.0.12 they can access only the port 53 (udp and tcp).
How can use iptables to block all ports in 192.168.0.12 except port 53 udp and tcp?
Thank you.
you should consider in what chain the rule must be added(INPUT/OUTPUT/FORWARD)
but something like this does so:
iptables -A INPUT -p tcp -d 192.168.0.12 -m tcp ! --dport 53 -j DROP
iptables -A INPUT -p udp -d 192.168.0.12 -m udp ! --dport 53 -j DROP
I have been trying to deploy a home-made server. My network consists of a router (Comtrend brand) and 2 pcs (A server laptop connected to eh0 and a netbook connected to WiFi).
The problem is that everytime I try to access to my external public IP I'm redirected to my routers internet address (192.168.1.1).
But if I access with directly with 192.168.1.132 I can see all my services published and use all the protocols. (http, ssh, etc).
What could I do? Is it a problem in the server configuration?
Configuration:
My server's ip is always 192.168.1.132
My laptop receives diferent internal ips but this is not important
My router has a dynamic ip. Let's say X.X.X.X.
Things I've already tried:
1.
I have opened ports in my router. Right now I have:
http 80 80 TCP 80 80 **192.168.1.132** ppp0.1
ssh 22 22 TCP 22 22 192.168.1.132 ppp0.1
2.
I tried with IPTABLES by adding the two next rules:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 192.168.1.132:80
iptables -A FORWARD -p tcp -i eth0 -d 192.168.1.132 --dport 80 -j ACCEPT
Then:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
You may need to change the router's http management port to some port other than port 80 (like, port 8080 for example), in order to get the port forwarding to work, so that it forwards http requests on port 80 to your server at 192.168.1.132.