Iptables to modify source ip. Nothing in POSTROUTING chain log - asterisk

Here is a little picture
Asterisk eth1 10.254.254.2/28------------- Many Good Guys
eth1:1 192.168.83.5/32----------- 192.168.59.3 Bad Guy Peer
I have an Asterisk which is connected with several peers. Some of them are connected through
eth1 and one the badest through alias eth1:1.
Then my asterisk send invite to peers it goes with the eth1 source. So for the bad guy I need to change my source ip to 192.168.83.5 As far as I know it can be done with iptables.
So I tried the rule
iptables -t nat -A POSTROUTING -s 10.254.254.2 -d 192.168.59.3 -j SNAT
--to 192.168.83.5
nothing happens.
When I log I can see send packets in INPUT and OUTPUT chains with :
iptables -t filter -A OUTPUT -o eth1 -s 10.254.254.2 -d 192.168.59.3
-j LOG --log-level 7 --log-prefix "OUTPUT"
iptables -t filter -A INPUT-i eth1 -s 192.168.59.3 -d 192.168.83.5 -j
LOG --log-level 7 --log-prefix "OUTPUT"
but I don’t see any in POSTROUTING chain with:
iptables -t nat -A POSTROUTING -s 10.254.254.2 -d 192.168.59.3 -j LOG
--log-level 7 --log-prefix "POSTROUTING"
That is I have nothing to SNAT(((
At the same time the traffic from other peers is visible in POSTROUTING log. What can it be?
Any thoughts, wishes, kicks would be very appreciated!

The solution has been found!!
I didn' t find a way to make my iptables work. But know i know how to do it without iptables at all.
So generally speaking my task was to modify|mask|replace my source ip of eth1 with eth1:1 ip.
By the way i use CentOS 5.8
And there is a command:
ip route add
which gives you ability to point scr address unlike the route command.
so
ip route add 192.168.59.3/32 via 10.254.254.1 dev eth1 src
192.168.83.5
is doing just what i need.
Thank you for attention!

That will not work. Reason is simple, asterisk will set in packet source addres=address of eth1.
You can start enother asterisk same host(with other config dir). I am sorry, i not know other simple variants.

Related

IPv6 forwarding on wireguard

I've been trying to set up a Wireguard VPN on my Dedibox at Scaleway for the past few days now, with limited success. First of all, IPv4 is working, so at least I am not hopelessly lost. Currently my peers are using private IPv4 addresses to talk to the server, which then nats them onto it's own public IP using iptables. Works great. Now I want to set up IPv6 too, but not using nat. I want to forward public IPv6 addresses assigned on my peers using ip6tables and use those to go over the internet, rather than using the Masquerade option like with IPv4.
I have so far had limited success in that field. I set up a little test environment in GNS3 and without Wireguard it's definitely possible to route IPv6 addresses using ip6tables (just to find out what rules to make, I am kind of new to iptables). Now I tried to do the same thing on my wireguard equipped server, but to no avail. My PostUp and PostDown are currently as follows (censoring out my IPv6 addresses):
PostUp:
iptables -A FORWARD -o wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o enp0s20 -j MASQUERADE
ip6tables -t filter -I INPUT 1 -s 2001:db8:abcd:100::/56 -j ACCEPT
ip6tables -t filter -I INPUT 2 -s 2001:db8:abcd:101::/64 -j ACCEPT
ip6tables -t filter -I FORWARD 1 -o wg0 -j ACCEPT
ip6tables -t filter -I FORWARD 2 -i wg0 -j ACCEPT
PostDown:
iptables -D FORWARD -o wg0 -j ACCEPT
iptables -t nat -D POSTROUTING -o enp0s20 -j MASQUERADE
ip6tables -t filter -D INPUT -s 2001:db8:abcd:100::/56 -j ACCEPT
ip6tables -t filter -D INPUT -s 2001:db8:abcd:101::/64 -j ACCEPT
ip6tables -t filter -D FORWARD -o wg0 -j ACCEPT
ip6tables -t filter -D FORWARD -i wg0 -j ACCEPT
The public IPv6 range assigned to my main interface (enp0s20) is 2001:db8:abcd:100::/56, while I want to use 2001:db8:abcd:101::/64 for my Wireguard peers.
Another curious thing is that for some reason it appears as though I can ping between peers on this network, but that might be a fluke here, not exactly sure. I currently have both my workstation and smartphone on this network, and pinging between my workstation and smartphone works fine using the following command on Windows:
ping -6 -S 2001:db8:abcd:101::2 2001:db8:abcd:101::3
Where my workstation ends in 2 and my smartphone ends in 3.
I am at a total loss, anyone who could help me with this?

How can I use iptables to make a TCP proxy between me and a outside service?

So far I was able to redirect TCP connections with a specific destination address or port to my own program with this iptables rule:
iptables -t nat -A OUTPUT -p tcp -d <address> --dport <port> -j REDIRECT --to <local_port>
This works well until I create a connection to this destination from my proxy because it recursively connects to itself.
Is there a way for iptables to know what the original connection is and only redirect it?
Or is there a better approach?
You can try using owner module and skip the redirection for the traffic coming from the proxy. Check for --uid-owner or --pid-owner, you should be able to differentiate the traffic based on either of these.
Something like this,
iptables -t nat -I OUTPUT -m owner -p tcp -d <address> --dport <port> --uid-owner <proxy-owner> -j ACCEPT

Load-balancing UDP on localhost by source IP

I have a server (openvpn) which is not multithreaded and hence does not take advantage of the multiple cores in the box. I'm trying to solve the problem by running multiple servers, each on a different port, e.g. 127.0.0.1:8000, 127.0.0.1:8001, ... then load balancing the exterior 1194 port based on the source IP -- openvpn uses UDP but all packets for a client must arrive at the same server.
Issue I'm running into is how to load balance. I tried IPVS, but it seems like it doesn't work with servers on the same host. Then tried nginx's new udp feature, but again no dice. Any ideas on how to achieve this?
I discovered that plain old iptables can create such a load balancer, using the HMARK target extension (see man 8 iptables-extensions).
Essentially the HMARK target can mark a packet based on a hash of specific IP tuple parameters, source IP and source port in my case, as these will be unique per client, even behind a NAT. Then I can route the packets to the appropriate localhost server based on the mark:
iptables -A PREROUTING -t mangle -p udp --dport 1194 -j HMARK \
--hmark-tuple src,sport --hmark-mod 2 \
--hmark-rnd 0xcafeface --hmark-offset 0x8000
iptables -A PREROUTING -t nat -p udp -m mark --mark 0x8000 \
-j DNAT --to-destination 127.0.0.1:8000
iptables -A PREROUTING -t nat -p udp -m mark --mark 0x8001 \
-j DNAT --to-destination 127.0.0.1:8001
Remember to enable routing packets to localhost:
sysctl -w net.ipv4.conf.eth0.route_localnet=1

Plex VPN port forwarded properly but not accessible

TL;DR version at the bottom.
My ISP gives me a private IP (10 48 64 1) and I'm unable to do any port forwarding.
My setup:
Debian Wheezy Linux headless Server
Asuswrt-merlin router(latest version)
AirVPN via Openvpn
With some reading, some VPN allow port forwarding to be done. So I went ahead with AirVPN and it worked great (for torrent). I tried to port forward Plex Media Server unfortunately it doesn't work.
Port Forward in AirVPN (24253 is for torrent and 61477 is for Plex with local port of 32400)
Even Plex says that it works!
I was told to do some forwarding on IPtables on my router, so I went ahead with these codes (got it from AirVPN forum)
#!/bin/sh
iptables -I FORWARD -i tun11 -p udp -d 192.168.2.140 --match multiport --dports 24253,32400,61477 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.2.140 --match multiport --dports 24253,32400,61477 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --match multiport --dports 24253,32400,61477 -j DNAT --to-destination 192.168.2.140
iptables -t nat -I PREROUTING -i tun11 -p udp --match multiport --dports 24253,32400,61477 -j DNAT --to-destination 192.168.2.140
With this, somehow my router shows blank on the PREROUTING (but port is opened based on what I see from torrent and canyouseeme org)
With this everything should be set up, no problem and it be visible from outside, but unfortunately it doesn't. I tried from work to view my plex but it keeps saying 'connecting'.
All I can think now is the problem lies in the linux part (firewall maybe?)
I'm stuck for a few days and googling doesn't seem to help anymore.
Thanks for reading! I hope it can be solved.
TL;DR version
I'm connected to VPN but I have forwarded properly (canyouseeme org says it's opened) but Plex says cannot be viewed from outside network (keep connecting).
Nevermind! I made the mistake by not changing the port back to 61477 which was for Plex. I used torrent's port and hence why it wasn't working.

How to simulate different NAT behaviours

I am working on Holepunching using UDP and UDT. For the final testing I need to test the application on different NAT types (Symmetric,full cone,restricted cone, port restricted NATs).
Is there any method I can simulate these? What I expect here is some kind of virtual-Box setup. Can I use PC as a router so that I can configure according to my needs?
In general how do we test applications for different network conditions?
Just in case someone else is looking to do this, this website explains how to set up the different NAT environments using IPTables.
Update
It has been a few years since I did this, given that the link was placed behind a login, and the rewind was also placed behind a login, I went through my notes from back than and found the following. Please note these are untested.
Full Cone NAT;
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source "public IP"
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination "private IP"
Restricted Cone NAT;
iptables -t nat -A POSTROUTING -o eth1 -p udp -j SNAT --to-source "public IP"
iptables -t nat -A PREROUTING -i eth1 -p udp -j DNAT --to-destination "private IP"
iptables -A INPUT -i eth1 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m state --state NEW -j DROP
Port Restricted Cone NAT;
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source "public IP"
Symmetric NAT;
echo "1" >/proc/sys/net/ipv4/ip_forward
iptables --flush
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE --random
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
I think you already answered your own question, use VirtualBox (or VMware, Xen, etc..).
I've done this very thing successfully by setting up mini-lans of VM's. If you're looking for software to act as your router inside a VM, I'd start off at http://www.pfsense.org/ and see if that meets your needs. It's a FreeBSD distribution tailored for being an easy to install router/firewall with a nice web management UI and all of that.
If pfsense doesn't fit your needs, there are plenty of other linux/bsd distributions out there that are tailored for this kind of stuff and that you can install in a VM: http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions for a good list :) (I've heard good things about OpenWRT and ClearOS as well.)

Resources