I'm using virtualbox (under windows) with host-only and I'm trying to make the host (that's running windows) forward the packets that are arriving from the virtual machine's interface to the interface that has an internet connection so the virtual machine can also have internet access.
In Ubuntu I did this simply like this:
iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
How could I do this under windows?
Related
I have a Single Board Computer (SBC) running on HiSilicon linux with Busybox. I am trying to convert this device into an Access Point. It has a wifi module and an ethernet port ( which will be connected to internet router). I have referred many articles, and pretty much each of them suggests using iptables for forwarding and masquerading ip packets.
Ref: https://serverfault.com/questions/152363/bridging-wlan0-to-eth0
Unfortunately Busybox does not seem to have iptables, and only iproute2 is available. Is there any way to achieve the following using iproute2 or something else. I am not a network engineer, so I apologize in advance if my understanding of the problem is incorrect.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
Looking at what you are trying to achieve, it is simply a "routing" concept and it is possible on busy-box. Just enable "ip forwarding" (that's all you need).
$ sudo echo 1 > /proc/sys/net/ipv4/ip_forward
Then consider making permanent changes to your configurations after a successful test.
I used Amazon Lightsail to deploy a wordpress site and it worked like a charm. Now I have the need to restrict the IP addresses that can access on port 80 to the ones associated to the Firewall from SiteLock, and I am looking for the best and cleanest solution.
It looks like in Lightsail simplified version of the world, I can only open a port for public access, or close it.
My only idea now is logging in via SSH and use iptables, but I wanted to understand if that's the only way I can do this, or there is something "smarter".
This is what I came out with, that actually works, but uses iptables which I am not sure is the best option, so the question is still open to get a better solution.
Since SiteLock website says these IP ranges are to be allowed in:
SiteLock Firewall IP Ranges
199.83.128.0/21
198.143.32.0/19
149.126.72.0/21
103.28.248.0/22
45.64.64.0/22
185.11.124.0/22
192.230.64.0/18
107.154.0.0/16
2a02:e980::/29
I created a script to allow them all, and then close all the rest with an explicit DROP rule
sudo iptables -A INPUT -p tcp -s 199.83.128.0/21 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 198.143.32.0/19 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 149.126.72.0/21 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 103.28.248.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 45.64.64.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 185.11.124.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 192.230.64.0/18 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 107.154.0.0/16 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 2a02:e980::/29 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j DROP
now, IPs can be whitelisted from AWS console itself. Go to your Lightsail instance in console, then networking. there you can choose ports to open, and to whitelist IP, check Restrict to IP. then enter whielisted IP or range and save.
reference: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-editing-firewall-rules
I'm new to bash script and I need to make a script that runs the following commands:
service apache2 start
airmon-ng start wlan0
airbase-ng -e FREEINTERNET -c 1 -P wlan0mon
ifconfig at0 192.168.1.129 netmask 255.255.255.128
route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.4:80
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 80
iptables -t nat -A POSTROUTING -j MASQUERADE
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
service isc-dhcp-server start
My big doubt is how to make the script open the airbase-ng -e FREEINTERNET -c 1 -P wlan0mon command in a different terminal and keep executing both airbase and the remaining commands. I’m using Kali 64-bit with GNOME.
You can run something in the background by suffixing it with &. If you want to run something in a new GNOME Terminal window, you can do so with gnome-terminal -e. Putting those together, to run your airbase-ng command in a new GNOME Terminal window while letting the rest of your script continue to run:
# …
airmon-ng start wlan0
gnome-terminal -e 'airbase-ng -e FREEINTERNET -c 1 -P wlan0mon' &
ifconfig at0 192.168.1.129 netmask 255.255.255.128
# …
I have three boxes: a Linux client, a OpenWRT router, and a Squid server. I'm trying to get the client (which is connected to the router) web traffic to go through the proxy server without any client configuration.
Using this iptables rule on the router seems to make the client traffic go to the proxy just fine (I can see the request in the access.log):
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to $PROXY_IP:3128
But the traffic doesn't seem to make it back to the client. I get this error on the client's web browser:
The requested URL could not be retrieved. Invalid URL
It almost looks like the hostname is missing by the time it get's back to the client. Am I missing an iptables rule? On the router or on the proxy server? Or do I need set a route?
My end goal is to have dansguardian running on the proxy server. The router is not powerful enough to run the filter and that is why I have a separate server for that.
Got it to work!
The only iptables rule I needed on the router was:
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to $PROXY_IP:8080
And the rules I needed on the squid/dansguardian server was:
iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner proxy -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080
After creating those rules, I was able to see the client's traffic in the /var/log/squid3/access.log and /var/log/dansguardian/access.log logs and all of the client's traffic was coming back through just fine (with the web content filtering working perfectly).
Basically started with Squid and iptables today (google is your friend). This stuff is going to be the death of me.
I have Squid3 setup on Ubuntu 9.04 server as Transparent Proxy. It works sweetly when i use the proxy-box as my default gateway etc. The iptable rules for this setup was part of the tutorial. :P
I can unfortunately not access https sites (such as Gmail or anything on port 443 basically). This is because Squid dont like what it cannot cache, which in this case is the https traffic.
I would like to add an iptable rule so that i can basically access https sites and use Skype. Basically allow these types of traffic to pass through without going through Squid proxy? (bypassing it so to speak)
Would anyone perhaps know how to do this or have a link to any sources that would assist me in figuring it out?
Thank you.
After actually considering chewing through my own wrists and dreaming of IPs all night long + brute force googling/trying ANYTHING i could get my digital fingers on i managed to put something together that actually works. I dont know the technical reasons why, so if you can provide set explanations please do so! :D
PS: everything in the explanation is done via command line
PS: this is not a final solution, but its a working one in answer to my own question.
Here it is:
Step 1: Had to enable IP Forwarding on the box:
vim /etc/sysctl.conf
//find and uncomment the following
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=1
Step 2: Add loop back rule (this is more for when all ports are covered, apparently many apps need it?
iptables -I INPUT -i lo -j ACCEPT
Step 3. Add rules for the bypassing of port 443: (eth1 is internet interface and x.x.x.x/eth0 is LAN interface)
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.x
Step 4. Then finally the rules making Squid transparent:(x.x.x.x is IP of LAN interface)
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination x.x.x.x:3128
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source x.x.x.x
That is wrong. Means that every packet TCP/UDP/etc that you send from your intern LAN to Internet will use as SOURCE IP the Private LAN IP (probably 192.178.x.x), instead of the Public IP.
May be that helps you:
PREROUTING == DestinationNAT -> From Internet to Intern LAN
POSTROUTING == SourceNAT -> From Intern LAN to Internet
iptables -t nat -A PREROUTING -i intern -p tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i intern -p tcp --dport 3128
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o extern -p tcp --dport 80
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i extern -p tcp --sport 80
iptables -A OUTPUT -j ACCEPT -m --state ESTABLISHED,RELATED -o intern -p tcp --sport 80
To bypasss 443 would be enough with:
iptables -I FORWARD -p tcp --dport 443 -j ACCEPT
And if your system/squid/firewall is also the router from your network to internet, do not forget:
iptables -t nat -A POSTROUTING -o extern -j SNAT --to-source Public_external_IP
For those explanations...
step #1 sets up the machine as a router. This is required for any Linux machine that is going to accept or forward IP traffic destined for machines other than itself. Without this the lowest levels of the networking stack will reject the traffic and NAT will not even get a chance to do its thing.
step #2 is not relevant to the problem being asked about. It may or may not be needed for the router operations unrelated to the proxying.
step #3 lets the machine relay port 443 normally as a router. The POSTROUTING rule could be made better by using MASQUERADE instead of SNAT.
step #4 both lines do the same thing in different ways. The first line may lead you to trouble in future if you dont know what the differences are between DNAT and REDIRECT. For simplicity use REDIRECT only.
Reading http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect could have saved you a lot of trouble.
There is also a critical mangle table rule missing from your setup which is explained on that wiki page.