I have a VPC on GCP with a bastion host that has a public IP.
I am trying to connect from my local machine, which is behind a firewall, to an instance on a specific port behind the bastion server.
SSH works via the bastion; ports are open between instances within the GCP VPC.
I am trying to create port forwarding from my local machine to the bastion to ZooKeeper on port 2181.
I have set up iptables; however, I just lose the packets somewhere on the way when doing a tcptraceroute.
Scenario is as follows:
Local machine -> Firewall -> Bastion -> Zookeeper
SSH connection from the local machine to Zookeeper (192.168.80.11) works (via Bastion).
My configuration is as follows:
sudo iptables -t nat -A PREROUTING -p tcp --dport 2181 -j DNAT --to-destination 192.168.80.11:2181
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
It just does not work; what am I doing wrong?
My iptables have some weird entries though:
:OUTPUT ACCEPT [83590:46593196]
COMMIT
# Completed on Mon May 11 09:33:24 2020
# Generated by xtables-save v1.8.2 on Mon May 11 09:33:24 2020
*raw
:PREROUTING ACCEPT [130202:45658294]
:OUTPUT ACCEPT [83590:46593196]
COMMIT
# Completed on Mon May 11 09:33:24 2020
# Generated by xtables-save v1.8.2 on Mon May 11 09:33:24 2020
*mangle
:PREROUTING ACCEPT [130202:45658294]
:INPUT ACCEPT [130201:45657860]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [83590:46593196]
:POSTROUTING ACCEPT [83593:46593358]
COMMIT
# Completed on Mon May 11 09:33:24 2020
# Generated by xtables-save v1.8.2 on Mon May 11 09:33:24 2020
*nat
:PREROUTING ACCEPT [234:14414]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2181 -j DNAT --to-destination 192.168.80.11:2181
:INPUT ACCEPT [233:13980]
:POSTROUTING ACCEPT [126:8408]
:OUTPUT ACCEPT [126:8408]
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Mon May 11 09:33:24 2020
I'm developing a Wireguard-based P2P VPN program.
I'd like to send packets from a port used by another process.
iptables SNAT and MASQUERADE didn't work.
The port :13613 is used by another process.
iptables -t nat -A POSTROUTING -p udp -m udp --sport 13614 -j SNAT --to-source :13613
I sent a packet from :13614, but got an error like
[::]:13614->XXX.XXX.XXX.XXX:44614: sendto: operation not permitted
How can I send packets from :13613?
I have an OpenVPN server set up on an AWS instance and I would like to use it to route traffic from my home client (client1, 192.168.0.0/24) to a client (client2, 10.81.0.0/16) on a machine on a second network through the OpenVPN server. I want to route the connections from client1 to client2's network so that I can connect to several devices in client2's network. However, I don't have control over the gateway in client2's network, so I can't add a route back to the VPN.
As far as I can tell, I have the OpenVPN configuration set up so that once client1 and client2 are connected I can access client2 from client1. The routes are also set up so that if I ping a machine on client2's network the traffic is routed through the VPN, but no response comes back, as client2's network devices do not know how to route the VPN IPs back to client2.
I am assuming that I need to set up NAT masquerading at client2, but I am unsure how to properly handle this as I am not that familiar with iptables.
Tried on client2:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
server.conf
port 1194
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
route 10.81.0.0 255.255.0.0
push "route 10.81.0.0 255.255.0.0"
dh none
ecdh-curve prime256v1
... encryption info ...
client-config-dir /etc/openvpn/ccd
status /var/log/openvpn/status.log
verb 3
ccd/client2
iroute 10.81.0.0 255.255.0.0
For anyone with a similar issue, I found this https://arashmilani.com/post?id=53 that helped me solve the issue.
For me I needed to add the following instead of what I tried.
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eno2 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eno2 -o tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eno2 -j MASQUERADE
tun0 is the tunnel interface from the VPN, and eno2 is the interface for client2's network. 10.8.0.0/24 is the default subnet for the VPN.
The forwarding was the big issue; also, the masquerade is based on the IP address range of the VPN on the output interface.
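An added example, not code from either post, covering both the GCP bastion question earlier on this page and the client2 gateway in the answer just above: a small POSIX shell script that emits a complete iptables-restore ruleset for each case, including the parts the bastion post's two rules leave out (net.ipv4.ip_forward, a FORWARD rule, and a MASQUERADE scoped to the forwarded flow instead of to all traffic). Interface names, addresses and ports are taken from the posts; the single-NIC bastion (eth0 carries both the public-IP traffic and the VPC side, as is usual on GCP), the DROP default for FORWARD and the tun-to-LAN-only direction for the VPN gateway are assumptions. Nothing is applied unless apply_ruleset is called as root.

```shell
#!/bin/sh
# Added example (not code from either post): complete iptables-restore rulesets
# for the two forwarding setups discussed above, plus the sysctl both need.
# Interface names, addresses and ports come from the posts; the single-NIC
# bastion (eth0 carries both public-IP traffic and the VPC side) is an assumption.
set -u

# Case 1, the GCP bastion: DNAT tcp/PORT arriving on WAN_IF to INNER_IP:PORT.
# The pieces the post's two rules leave out: ip_forward, a FORWARD rule (the
# FORWARD policy is DROP here), and a MASQUERADE scoped to this one flow so the
# inner host answers via the bastion without all other traffic being rewritten.
bastion_port_forward() {
    wan_if=$1 inner_ip=$2 port=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan_if -o $wan_if -p tcp -d $inner_ip --dport $port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $inner_ip:$port
-A POSTROUTING -o $wan_if -p tcp -d $inner_ip --dport $port -j MASQUERADE
COMMIT
EOF
}

# Case 2, the OpenVPN client2 gateway: forward new connections from the VPN
# subnet out to the LAN and masquerade them as client2's LAN address, since the
# LAN gateway has no route back to VPN_NET. Only tun->LAN may open connections;
# LAN->tun is limited to replies (ESTABLISHED,RELATED), narrower than the answer.
vpn_lan_gateway() {
    tun_if=$1 lan_if=$2 vpn_net=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $tun_if -o $lan_if -s $vpn_net -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $vpn_net -o $lan_if -j MASQUERADE
COMMIT
EOF
}

# True if the kernel will forward at all; both cases are dead without this.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Load a ruleset: apply_ruleset bastion_port_forward eth0 192.168.80.11 2181
# iptables-restore replaces the filter and nat tables wholesale, so review the
# printed output first on a host that already has rules.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    "$@" | iptables-restore
}

# Print both rulesets for review when run directly; nothing is applied.
bastion_port_forward eth0 192.168.80.11 2181
echo
vpn_lan_gateway tun0 eno2 10.8.0.0/24
```

On GCP the VPC firewall also has to allow tcp/2181 to the bastion from the client's source address; the post only says that ports are open between instances. If the goal is just one workstation reaching ZooKeeper, `ssh -L 2181:192.168.80.11:2181 <bastion>` gives the same result with no NAT and nothing listening on the public IP. For the VPN gateway, if client1's home LAN is later routed through the tunnel with its own iroute, its subnet needs a second `-s` MASQUERADE line as well.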
I have a 3-node OpenStack Juno setup.
Everything is working fine on the controller and compute nodes. VMs are getting created and all.
But it seems my network node and compute node have some issue over the data network, as the VM is not taking an IP from DHCP. Also, when I checked and assigned an IP to the VM manually, it pings the gateway, but the qrouter is not pinging the VM instance.
The qrouter is configured correctly and the tenant network is attached to it. The qrouter is also pinging the tenant network default gateway, as that is just one of its interfaces.
Help me guys, I am stuck here and don't know what to do. Putting some command output for detail:
[root@network ~]# ip netns show
qdhcp-ade4d591-6016-4a11-8e07-6718340d673e
qrouter-99ed72a2-b69c-41f8-854e-4c6c8448f50d
[root@network ~]# ovs-vsctl show
c6e9b29e-9dac-4e74-a31a-c8cba6a8c977
    Bridge br-tun
        fail_mode: secure
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
        Port "gre-0a00011f"
            Interface "gre-0a00011f"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.0.1.21", out_key=flow, remote_ip="10.0.1.31"}
        Port br-tun
            Interface br-tun
                type: internal
    Bridge br-int
        fail_mode: secure
        Port int-br-ex
            Interface int-br-ex
                type: patch
                options: {peer=phy-br-ex}
        Port "tap1c21fba3-49"
            tag: 1
            Interface "tap1c21fba3-49"
                type: internal
        Port "qr-d8ce18d8-96"
            tag: 1
            Interface "qr-d8ce18d8-96"
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
        Port br-int
            Interface br-int
                type: internal
    Bridge br-ex
        Port br-ex
            Interface br-ex
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
                type: patch
                options: {peer=int-br-ex}
        Port "eth1"
            Interface "eth1"
        Port "qg-3a032814-ae"
            Interface "qg-3a032814-ae"
                type: internal
    ovs_version: "2.3.1"
[root@network ~]# ip netns exec qrouter-99ed72a2-b69c-41f8-854e-4c6c8448f50d iptables-save
# Generated by iptables-save v1.4.21 on Wed Sep 2 11:16:12 2015
*filter
:INPUT ACCEPT [9733:4197036]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34:2617]
:neutron-filter-top - [0:0]
:neutron-l3-agent-FORWARD - [0:0]
:neutron-l3-agent-INPUT - [0:0]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-local - [0:0]
-A INPUT -j neutron-l3-agent-INPUT
-A FORWARD -j neutron-filter-top
-A FORWARD -j neutron-l3-agent-FORWARD
-A OUTPUT -j neutron-filter-top
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A neutron-filter-top -j neutron-l3-agent-local
-A neutron-l3-agent-INPUT -d 127.0.0.1/32 -p tcp -m tcp --dport 9697 -j ACCEPT
COMMIT
# Completed on Wed Sep 2 11:16:12 2015
# Generated by iptables-save v1.4.21 on Wed Sep 2 11:16:12 2015
*nat
:PREROUTING ACCEPT [7984:630587]
:INPUT ACCEPT [173:20642]
:OUTPUT ACCEPT [16:1201]
:POSTROUTING ACCEPT [12:865]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-POSTROUTING - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
:neutron-l3-agent-float-snat - [0:0]
:neutron-l3-agent-snat - [0:0]
:neutron-postrouting-bottom - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
-A POSTROUTING -j neutron-l3-agent-POSTROUTING
-A POSTROUTING -j neutron-postrouting-bottom
-A neutron-l3-agent-POSTROUTING ! -i qg-3a032814-ae ! -o qg-3a032814-ae -m conntrack ! --ctstate DNAT -j ACCEPT
-A neutron-l3-agent-PREROUTING -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9697
-A neutron-l3-agent-snat -j neutron-l3-agent-float-snat
-A neutron-l3-agent-snat -s 192.168.10.0/24 -j SNAT --to-source 135.249.88.101
-A neutron-postrouting-bottom -j neutron-l3-agent-snat
COMMIT
# Completed on Wed Sep 2 11:16:12 2015
# Generated by iptables-save v1.4.21 on Wed Sep 2 11:16:12 2015
*raw
:PREROUTING ACCEPT [17544:4806981]
:OUTPUT ACCEPT [34:2617]
:neutron-l3-agent-OUTPUT - [0:0]
:neutron-l3-agent-PREROUTING - [0:0]
-A PREROUTING -j neutron-l3-agent-PREROUTING
-A OUTPUT -j neutron-l3-agent-OUTPUT
COMMIT
# Completed on Wed Sep 2 11:16:12 2015
On compute Node
[root@compute1 ~]# ovs-vsctl show
491cdefe-00ef-46ad-b4a8-5b57ac630968
    Bridge br-int
        fail_mode: secure
        Port "qvoc4e1f1c6-dd"
            tag: 1
            Interface "qvoc4e1f1c6-dd"
        Port br-int
            Interface br-int
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}
    Bridge br-tun
        fail_mode: secure
        Port br-tun
            Interface br-tun
                type: internal
        Port "gre-0a000115"
            Interface "gre-0a000115"
                type: gre
                options: {df_default="true", in_key=flow, local_ip="10.0.1.31", out_key=flow, remote_ip="10.0.1.21"}
        Port patch-int
            Interface patch-int
                type: patch
                options: {peer=patch-tun}
    ovs_version: "2.3.1"
Let me know if any other details are required.
I got the answer: there is no issue in the configuration and everything is fine. The only problem is the rules on the security group: default.
The default security group rules do not allow you to ping the VM from the qrouter or qdhcp.
So the solution is that either you have to add another security group for your project with appropriate rules or add rules to the default security group.
I have added the below two rules for accessibility:
Ingress IPv4 ICMP - 0.0.0.0/0 (CIDR)
Egress IPv4 ICMP - 0.0.0.0/0 (CIDR)
That solved my problem and now I am able to reach the VM from the qrouter.
My server has 5 IPs (192.168.0.23, 192.168.0.12, 192.168.0.13, 192.168.0.14 and 192.168.0.15).
The IP 192.168.0.23 is real and the others are virtual.
I'd like to block all ports on 192.168.0.12 except port 53 (UDP and TCP).
All computers on my network can access all IPs of this server, but through IP 192.168.0.12 they can access only port 53 (UDP and TCP).
How can I use iptables to block all ports on 192.168.0.12 except port 53 UDP and TCP?
Thank you.
You should consider in which chain the rule must be added (INPUT/OUTPUT/FORWARD),
but something like this does it:
iptables -A INPUT -p tcp -d 192.168.0.12 -m tcp ! --dport 53 -j DROP
iptables -A INPUT -p udp -d 192.168.0.12 -m udp ! --dport 53 -j DROP
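An added example, not the answer's own rules: the same restriction written as an allow-list in a dedicated chain, as a POSIX shell script that emits an iptables-restore filter table. 192.168.0.12 and port 53 come from the question; the chain name DNS-ONLY is an assumption. Two things differ from the two per-protocol DROP rules above and are what the example is meant to show: the final unconditional DROP also covers ICMP and every other protocol, which rules matched with `-p tcp` or `-p udp` never see, and the conntrack rule placed first lets in replies to connections the server itself opens from that address, which otherwise arrive on a non-53 port and are dropped.

```shell
#!/bin/sh
# Added example (not the answer's rules): allow-list for one address, emitted in
# iptables-restore format. Address and port are from the question; the chain
# name DNS-ONLY is an assumption.
set -u

restrict_ip_to_dns() {
    ip=$1
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DNS-ONLY - [0:0]
-A INPUT -d $ip -j DNS-ONLY
-A DNS-ONLY -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A DNS-ONLY -p udp --dport 53 -j ACCEPT
-A DNS-ONLY -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A DNS-ONLY -j DROP
COMMIT
EOF
}

# Rule order is the whole point: the jump into the chain must be the first
# INPUT rule (before any broad ACCEPT) and the chain must end in DROP.
# Returns 0 when a ruleset in iptables-save format satisfies both.
dns_only_chain_ok() {
    ruleset=$1
    first=$(printf '%s\n' "$ruleset" | grep '^-A INPUT ' | head -n 1)
    last=$(printf '%s\n' "$ruleset" | grep '^-A DNS-ONLY ' | tail -n 1)
    case $first in *'-j DNS-ONLY') ;; *) return 1 ;; esac
    [ "$last" = '-A DNS-ONLY -j DROP' ]
}

# Load with: restrict_ip_to_dns 192.168.0.12 | iptables-restore
# (this replaces the whole filter table; see the note below for merging).
restrict_ip_to_dns 192.168.0.12
```

On a host that already has a filter table, do not restore over it; create the chain with `iptables -N DNS-ONLY`, append its four rules with `iptables -A DNS-ONLY ...`, then put the jump at the top with `iptables -I INPUT 1 -d 192.168.0.12 -j DNS-ONLY`, and confirm with `iptables-save | sh -c 'dns_only_chain_ok "$(cat)"'` after sourcing the script.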
I'm trying to set up my Raspberry Pi as a separate box with Wi-Fi access. I would be very happy if I could get a small box which can be accessed by any device with Wi-Fi capabilities via ssh or vncviewer.
I used the manual (http://raspberry-at-home.com/hotspot-wifi-access-point/) and at the end I got a Raspberry Pi Wi-Fi hotspot.
I can find it, connect ... but that's all. When I try to connect with ssh or vncviewer, there are no results. I can't even ping (it "hangs").
'ip neigh' gives the response REACHABLE.
My goal is to have a Raspberry box which can be the Wi-Fi hotspot and is accessible with ssh and vncviewer without any additional network.
If somebody knows how-to reach this dream, help please! Any help will be highly appreciated!
Best regards
Vilis.
Please find below current settings:
interfaces:
auto lo
auto wlan0
iface lo inet loopback
allow-hotplug wlan0
iface wlan0 inet static
address 192.168.0.100
netmask 255.255.255.0
up iptables-restore < /etc/iptables/ipv4.nat
hostapd.conf
# Basic configuration
interface=wlan0
ssid=VK-wifi
channel=1
#bridge=br0
# WPA and WPA2 configuration
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=<SECRET PASS>
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
# Hardware configuration
driver=rtl871xdrv
ieee80211n=1
hw_mode=g
device_name=RTL8192CU
manufacturer=Realtek
iptables rules:
# Generated by iptables-save v1.4.14 on Mon Apr 6 17:04:48 2015
*nat
:PREROUTING ACCEPT [58:4242]
:INPUT ACCEPT [58:4242]
:OUTPUT ACCEPT [85:6230]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Apr 6 17:04:48 2015
# Generated by iptables-save v1.4.14 on Mon Apr 6 17:04:48 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -f -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
COMMIT
# Completed on Mon Apr 6 17:04:48 2015
I succeeded in doing what you wanted to do.
interfaces
auto lo
iface lo inet loopback
auto eth0
allow-hotplug eth0
iface eth0 inet manual
iface wlan0 inet static
address 10.0.0.1
netmask 255.255.255.0
broadcast 10.0.0.255
hostapd.conf
interface=wlan0
driver=nl80211
ssid=pi
channel=1
Install dnsmasq. It will give IPs to all devices that connect to your Pi, so you can communicate via ssh.
/etc/dnsmasq.conf
interface=wlan0
dhcp-range=10.0.0.10,10.0.0.250,12h
no-resolv
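An added example, not the answer's own files: a POSIX shell script that generates the hostapd.conf and dnsmasq.conf for the standalone Wi-Fi box described in this thread and validates the passphrase the way hostapd will. wlan0, the 10.0.0.x addressing and the DHCP range come from the answer; the SSID, passphrase, the rtl871xdrv default shown for the question's Realtek dongle, and the file paths used by write_ap_config are placeholders or assumptions. The hostapd settings deliberately differ from both posts: the question's hostapd.conf enables WPA and WPA2 with TKIP (wpa=3, wpa_pairwise=TKIP), and the answer's has no wpa lines at all, so it brings up an open network; this one is WPA2-only with CCMP.

```shell
#!/bin/sh
# Added example (not the answer's files): config generators for a standalone
# Pi access point. wlan0 and the 10.0.0.x DHCP range are from the answer; the
# SSID, passphrase, driver default and paths are placeholders or assumptions.
set -u

# hostapd rejects wpa_passphrase values outside 8..63 printable ASCII characters.
valid_psk() {
    n=${#1}
    [ "$n" -ge 8 ] && [ "$n" -le 63 ] || return 1
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]' && return 1
    return 0
}

# hostapd_conf IFACE SSID PASSPHRASE [DRIVER]; DRIVER defaults to nl80211,
# the question's Realtek dongle needed rtl871xdrv instead.
# WPA2 only (wpa=2) and CCMP only: no WPA1, no TKIP, unlike the question's config.
hostapd_conf() {
    iface=$1 ssid=$2 psk=$3 driver=${4:-nl80211}
    valid_psk "$psk" || { echo "hostapd_conf: passphrase must be 8-63 printable ASCII chars" >&2; return 1; }
    cat <<EOF
interface=$iface
driver=$driver
ssid=$ssid
hw_mode=g
channel=1
ieee80211n=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=$psk
EOF
}

# dnsmasq_conf IFACE: DHCP only on the AP interface (bind-interfaces keeps it
# off any other NIC); no-resolv because the box has no upstream, so dnsmasq
# answers names only from /etc/hosts.
dnsmasq_conf() {
    iface=$1
    cat <<EOF
interface=$iface
bind-interfaces
dhcp-range=10.0.0.10,10.0.0.250,12h
dhcp-authoritative
no-resolv
EOF
}

# write_ap_config SSID PASSPHRASE: writes both files (root only). hostapd.conf
# holds the PSK in clear, so it gets mode 0600.
write_ap_config() {
    [ "$(id -u)" -eq 0 ] || { echo "write_ap_config: run as root" >&2; return 1; }
    hostapd_conf wlan0 "$1" "$2" > /etc/hostapd/hostapd.conf && chmod 600 /etc/hostapd/hostapd.conf
    dnsmasq_conf wlan0 > /etc/dnsmasq.d/ap.conf
}

# Print the generated files for review when run directly; nothing is written.
hostapd_conf wlan0 pi 'correct-horse-battery' rtl871xdrv
echo
dnsmasq_conf wlan0
```

With this dnsmasq.conf the Pi's own address still has to be set statically on wlan0 (the answer's interfaces stanza does that with 10.0.0.1/24), since dnsmasq hands out 10.0.0.10 to 10.0.0.250 but does not configure the interface it listens on.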