I have a server (openvpn) which is not multithreaded and hence does not take advantage of the multiple cores in the box. I'm trying to solve the problem by running multiple servers, each on a different port, e.g. 127.0.0.1:8000, 127.0.0.1:8001, ... then load balancing the exterior 1194 port based on the source IP -- openvpn uses UDP but all packets for a client must arrive at the same server.
Issue I'm running into is how to load balance. I tried IPVS, but it seems like it doesn't work with servers on the same host. Then tried nginx's new udp feature, but again no dice. Any ideas on how to achieve this?
I discovered that plain old iptables can create such a load balancer, using the HMARK target extension (see man 8 iptables-extensions).
Essentially the HMARK target can mark a packet based on a hash of specific IP tuple parameters, source IP and source port in my case, as these will be unique per client, even behind a NAT. Then I can route the packets to the appropriate localhost server based on the mark:
iptables -A PREROUTING -t mangle -p udp --dport 1194 -j HMARK \
--hmark-tuple src,sport --hmark-mod 2 \
--hmark-rnd 0xcafeface --hmark-offset 0x8000
iptables -A PREROUTING -t nat -p udp -m mark --mark 0x8000 \
-j DNAT --to-destination 127.0.0.1:8000
iptables -A PREROUTING -t nat -p udp -m mark --mark 0x8001 \
-j DNAT --to-destination 127.0.0.1:8001
Remember to enable routing packets to localhost:
sysctl -w net.ipv4.conf.eth0.route_localnet=1
Related
I want to route incoming tcp traffic on port 5555 on a Raspberry with Raspbian to another machine and port within the same local network, and make it persistent to reboots.
Context
The objective is that if I access the service on 5555 on localhost, it will load a different port on the remote machine. The ultimate goal is to forward port 53 (DNS) into another machine (non-53 port), but in the meantime, I am testing with http: https://localhost:5555, it should load https://192.168.250.250:9999 where 192.168.250.250 is a remote machine within my local network (accessible to all local network, ping 192.168.250.250 works).
What I've tried
There's a lot of resources on networking like this. Most rely on IP Forwarding on the router, which won't work in my case as I am trying to redirect ports within hosts in my localhost accessing the machines directly. The others, for port tunnelling, all use the methods below:
iptables
sudo iptables -t nat -A PREROUTING -p tcp --sport 5555 -j DNAT --to-destination 192.168.250.250 --dport 9999
This didn't work. I tried a few variations, including:
sudo iptables -t nat -A PREROUTING -p tcp --sport 5555 -j DNAT --to-destination 192.168.250.250:9999
This didn't work, despite the rule getting registered:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp spt:5555 dpt:9999 to:192.168.250.250
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
I have also installed iptables-persistent to make it persistent, but it just doesn't redirect in the first place.
I have also tried a variant of the command since I think I may have misunderstood the "source" port as being the destination:
sudo iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination 192.168.250.250:9999 --dport 5555
After any of these changes, I always run:
sudo dpkg-reconfigure iptables-persistent
sudo netfilter-persistent save
sudo netfilter-persistent restart
To make sure the rules are permanently applied. I have also tried this tutorial to load the configuration on reboot. Nonetheless, again, this just doesn't forward, the permanent side of it is unclear and secondary at this stage.
socat
socat tcp-listen:5555,reuseaddr,fork tcp:192.168.250.250:9999
This works fine. However, it's not persistent. As soon as I cntrl+c the terminal, it stops redirecting.
nc
sudo nc -l -p 5555 -c 'nc 192.168.250.250 9999'
and
sudo nc -l -p 5555 192.168.250.250 9999
Neither work. The first one throws errors (-c not existing). The latter doesn't do anything.
The up tables solution should work. However, you must check your ipv4 forwarding and enable it (most linux distros will have this as not enabled/allowed) and this is likely to be your problem.
Check this
$ cat /proc/sys/net/ipv4/ip_forward
0
0 means ip_forwarding is not allowed and the kernel will not perform it.
Either do
$ echo 1> /proc/sys/net/ipv4/ip_forward
or use sysctl
$ sysctl -w net.ipv4.ip_forward = 1
I have a server running Linux : server A
I want the traffic on server A to be redirected to remote server b
Actually do the same as the forward port
I used the following command for the forward port.
sysctl net.ipv4.ip_forward = 1
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 150 -j DNAT - to-destination des_ip:dest_port
iptables -t nat -A POSTROUTING -j MASQUERADE
The forward port did well and i could connect to server B through server B.
Now I want to know how much traffic is used on port 150 on server A?
If Server A is not a router, I can easily set a limit with the following commands and calculate the traffic consumed on Server A.
sudo iptables -A INPUT -p tcp --dport 150 -j DROP
sudo iptables -A INPUT -p tcp --dport 150 -m quota --quota 100000000 -j ACCEPT
But because server A is a router, these commands do not work
Is there any other command line that I can use to calculate the consumed traffic of port 150 on server A(server A is a router)?
I want to collect the usage data of each port using Python and store it in the database.
In this question, I wanted to redirect port 150, which is the source port, to the destination port.
After research about PREROUTING and INPUT chain in iptables, this is what I realized:
INPUT chain is after PREROUTING chain. According to this schematic.
Ports are translated to the destination port, in PREROUTING chain by NAT, therefore In INPUT chain there is no traffic with the source port and all traffic translated to destination port.
I can see network usage on destination port in INPUT chain, but I can not see the network usage on source port in INPUT chain.
Because all packet headers translated to destination port.
So it's true that quota for source port does not start count in any of the chains.
Even if I create the following rules in FORWARD chain:
sudo iptables -A FORWARD -p tcp --dport 150 -j DROP
sudo iptables -A FORWARD -p tcp --dport 150 -m quota --quota 100000000 -j ACCEPT
Again, we will not see any change in quota
Because the FORWARD chain is after the PREROUTING chain.
So far I was able to redirect TCP connections with a specific destination address or port to my own program with this iptables rule:
iptables -t nat -A OUTPUT -p tcp -d <address> --dport <port> -j REDIRECT --to <local_port>
This works well until I create a connection to this destination from my proxy because it recursively connects to itself.
Is there a way for iptables to know what the original connection is and only redirect it?
Or is there a better approach?
You can try using owner module and skip the redirection for the traffic coming from the proxy. Check for --uid-owner or --pid-owner, you should be able to differentiate the traffic based on either of these.
Something like this,
iptables -t nat -I OUTPUT -m owner -p tcp -d <address> --dport <port> --uid-owner <proxy-owner> -j ACCEPT
TL;DR version at the bottom.
My ISP gives me a private IP (10 48 64 1) and I'm unable to do any port forwarding.
My setup:
Debian Wheezy Linux headless Server
Asuswrt-merlin router(latest version)
AirVPN via Openvpn
With some reading, some VPN allow port forwarding to be done. So I went ahead with AirVPN and it worked great (for torrent). I tried to port forward Plex Media Server unfortunately it doesn't work.
Port Forward in AirVPN (24253 is for torrent and 61477 is for Plex with local port of 32400)
Even Plex says that it works!
I was told to do some forwarding on IPtables on my router, so I went ahead with these codes (got it from AirVPN forum)
#!/bin/sh
iptables -I FORWARD -i tun11 -p udp -d 192.168.2.140 --match multiport --dports 24253,32400,61477 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.2.140 --match multiport --dports 24253,32400,61477 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --match multiport --dports 24253,32400,61477 -j DNAT --to-destination 192.168.2.140
iptables -t nat -I PREROUTING -i tun11 -p udp --match multiport --dports 24253,32400,61477 -j DNAT --to-destination 192.168.2.140
With this, somehow my router shows blank on the PREROUTING (but port is opened based on what I see from torrent and canyouseeme org)
With this everything should be set up, no problem and it be visible from outside, but unfortunately it doesn't. I tried from work to view my plex but it keeps saying 'connecting'.
All I can think now is the problem lies in the linux part (firewall maybe?)
I'm stuck for a few days and googling doesn't seem to help anymore.
Thanks for reading! I hope it can be solved.
TL;DR version
I'm connected to VPN but I have forwarded properly (canyouseeme org says it's opened) but Plex says cannot be viewed from outside network (keep connecting).
Nevermind! I made the mistake by not changing the port back to 61477 which was for Plex. I used torrent's port and hence why it wasn't working.
So I have a home server and i'd like to keep my IP masked to prevent DoS attacks and other security issues.
I'm using a VPS running Ubuntu to transfer traffic like this: Client -> VPS -> Home Server
But there's a problem. Everything works fine except everyone that connects to the home server has the same IP address as the VPS. I'd like each client to retain their own IP so they can be uniquely identified. How would I go about doing this? Currently using the following commands:
$ iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination myIP:80
$ iptables -t nat -A POSTROUTING -j MASQUERADE
Theres probably a million other questions on this, but I don't know what to search to find them.