Saturday, 5 October 2019

routing - Port forwarding with IPTABLES and VBox

I have a small problem with getting a proper configuration of iptables under Ubuntu. But before, let me describe the network configuration:


I am using xDSL line terminated with modem+router+DHCP serving 192.168.1.0/24 subnet. My laptop and PC are connected to this network and get addresses 192.168.1.6 and 192.168.1.3 respectively. On PC, I have Ubuntu running with VBox and 2 virtual machines (both Ubuntu as well). The vboxnet0 interface on PC is assigned IP 10.10.10.1 and individual virtual machines get 10.10.10.10 and 10.10.10.11. VM1 runs Apache webserver for test purposes.


Now, from my PC (192.168.1.3), I can access VM1 Apache hosted website at 10.10.10.10 by typing the address in the browser. No problems there.


However, I would like to be able to access the same website from my laptop (192.168.1.6), by typing the same 10.10.10.10 in the address bar in the browser. This does not work, though. I cannot get through the network for some reason. It seems that the ip address is just unknown on the 192.168.1.x network. If there is a way to configure that in a simple manner via iptables, it would be a great start.


Now, if that step is possible, I would further like to be able to configure a more complex setup. Using 192.168.1.3 address and proper port address, I would like to be able to forward specific service requests to proper VM instance. For example, 192.168.1.3:80 should go to VM1 and fetch the Apache hosted website. 192.168.1.3:4000 (for example), should go to VM2 and get the SFTP service hosted there. In short, I would like to perform destination port specific routing on the PC to allow for bidirectional communication between computers connected to 192.168.1.x networks and VMs running in 10.10.10.x network. Is there a simple solution for this using iptables?


here is an example that I have cooked up by now, but have not been able to make the forwarding work correctly. I am sure there are tons of errors here - it is my first day spent on iptables.


clear
# cleaning Firewall Rules , change ACCEPT to DROP if you want to shield
# the server, then you open ports as you need
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Accepts all established inbound connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# opening INPUT ports (22,80,8080)
iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT && echo "rule input 22 ok"
iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT && echo "rule input 80 ok"
iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT && echo "rule input 443 ok"
iptables -A INPUT --protocol tcp --dport 8080 -j ACCEPT && echo "rule input 8080 ok"

#allow Loopback and networks
iptables -A INPUT -i lo -j ACCEPT  && echo "rule 7 ok"
#Accept any input from 10.10.10.0 network in vboxnet0 interface
iptables -A INPUT -s 10.10.10.0/24  -i vboxnet0 -j ACCEPT  && echo "rule 8 ok"

#enable Port forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Opening PREROUTING - Filtering : this make the port forwarding trick.
# Forward as many ports you want to certain machines of the network to provide services such web server, ftp server, etc...
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 192.168.1.0/24 --dport 8080 -j DNAT --to 10.10.10.10:80  && echo "rule 9 ok"
#iptables -t nat -A PREROUTING -p tcp -i eth1 -d xxx.xxx.xxx.xxx --dport 53 -j DNAT --to 10.10.10.14:53  && echo "rule 10 ok"
#iptables -t nat -A PREROUTING -p udp -i eth1 -d xxx.xxx.xxx.xxx --dport 53 -j DNAT --to 10.10.10.14:53  && echo "rule 11 ok"
#iptables -t nat -A PREROUTING -p udp -i eth1 -d xxx.xxx.xxx.xxx --dport 21 -j DNAT --to 10.10.10.16:21  && echo "rule 12 ok"

#Opening FORWARD ports for network services on vlan
iptables -A FORWARD -s 10.10.10.0/24 -i vboxnet0 -p tcp --dport 80 -j ACCEPT && echo "rule 13 ok"
#iptables -A FORWARD -s 10.10.10.0/24 -i vboxnet0 -p tcp --dport 21 -j ACCEPT  && echo "rule 14 ok"
#iptables -A FORWARD -s 10.10.10.0/24 -i vboxnet0 -p tcp --dport 68 -j ACCEPT  && echo "rule 15 ok"
#iptables -A FORWARD -s 10.10.10.0/24 -i vboxnet0 -p tcp --dport 22 -j ACCEPT  && echo "rule 16 ok"
#iptables -A FORWARD -s 10.10.10.0/24 -i vboxnet0 -p tcp --dport 53 -j ACCEPT && echo "Rule 17 ok"
#iptables -A FORWARD -s 10.10.10.0/24 -i vboxnet0 -p udp --dport 53 -j ACCEPT && echo "Rule 18 ok"

# Opening POSTROUTING PROCESSES
# Netmasking is absolutelly necesary to protect vlan from attacks, only it hides their ip....
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth1 -j MASQUERADE  && echo "rule 19 ok"

# Reject all other inbound - default deny unless explicitly allowed policy
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

# test and display the rules if runs properly
iptables -L

Thank you for any help


Marek

-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

How can I VLOOKUP in multiple Excel documents?

I am trying to VLOOKUP reference data with around 400 seperate Excel files. Is it possible to do this in a quick way rather than doing it m...