Docker and NAT to LAN on the same machine using iptables

I have been using iptables on my lab server (Ubuntu 18.04) to perform NAT for the rest of the devices on my network for a while:

-t nat -A PREROUTING -i eno1 -p tcp -m tcp --dport 23 -j DNAT --to-destination 10.0.1.2:22
-t nat -A POSTROUTING -o eno1 -j MASQUERADE

-A FORWARD -s 10.0.0.0/24 -i eno2 -o eno1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.1.2 -p tcp -m tcp --dport 22 -j ACCEPT

In the past, it has worked very well. However, it broke when I installed Docker. This is almost certainly because Docker rewrote all my iptables rules. Some of my rules do survive, though:

% sudo iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 257 packets, 36440 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6  1384 DNAT       tcp  --  eno1   any     anywhere             anywhere             tcp dpt:telnet to:10.0.1.2:22
  133  8676 DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 122 packets, 8474 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 42 packets, 3008 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 21 packets, 2395 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    !docker0  172.17.0.0/16        anywhere
    0     0 MASQUERADE  all  --  any    !br-643d6580203c  172.18.0.0/16        anywhere
   39  2900 MASQUERADE  all  --  any    eno1    anywhere             anywhere
    0     0 MASQUERADE  tcp  --  any    any     172.18.0.2           172.18.0.2           tcp dpt:8443

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 any     anywhere             anywhere
    0     0 RETURN     all  --  br-643d6580203c any     anywhere             anywhere
    0     0 DNAT       tcp  --  !br-643d6580203c any     anywhere             anywhere             tcp dpt:https to:172.18.0.2:8443

% sudo iptables -v -L
Chain INPUT (policy ACCEPT 600 packets, 44910 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 135 packets, 27966 bytes)
 pkts bytes target     prot opt in     out     source               destination
  176 32752 DOCKER-USER  all  --  any    any     anywhere             anywhere
  176 32752 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere             anywhere
    0     0 ACCEPT     all  --  any    br-643d6580203c  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    br-643d6580203c  anywhere             anywhere
    0     0 ACCEPT     all  --  br-643d6580203c !br-643d6580203c  anywhere             anywhere
    0     0 ACCEPT     all  --  br-643d6580203c br-643d6580203c  anywhere             anywhere
    0     0 ACCEPT     all  --  eno2   eno1    10.0.0.0/24          anywhere             ctstate NEW
   23  2682 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    6  1384 ACCEPT     tcp  --  any    any     anywhere             dione                tcp dpt:ssh

Chain OUTPUT (policy ACCEPT 505 packets, 66607 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-643d6580203c br-643d6580203c  anywhere             172.18.0.2           tcp dpt:8443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere             anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-643d6580203c !br-643d6580203c  anywhere             anywhere
  176 32752 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    docker0  anywhere             anywhere
    0     0 DROP       all  --  any    br-643d6580203c  anywhere             anywhere
    0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  176 32752 RETURN     all  --  any    any     anywhere             anywhere

Static routes, for example, still work. I can still reach my workstation at 10.0.1.2 through port 22, but that same machine cannot get out. Looking at the traffic leaving the server, it seems a ping is not even making it out, much less back.

I tried simply adding my rules back on top of the running Docker rules, but that did not work. The Docker documentation suggests putting things in the DOCKER-USER chain, although that chain does not exist in the nat table. The Docker documentation also suggests that I can disable Docker's iptables manipulation, although I do not know how to manually route the network to the containers.

Honestly, I do not know enough about Docker's rules. Has anyone gotten this to work?
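The filter listing above gives a strong hint: the FORWARD policy is now DROP (135 packets already counted against it), Docker's own chains come first, and the old ACCEPT rules sit at the bottom and only cover 10.0.0.0/24 arriving on eno2, so anything else (10.0.1.2 included) that used to ride on the previous default policy now falls through to DROP. Docker leaves the DOCKER-USER chain for the administrator and jumps to it before anything else in FORWARD, which is where the post's forwarding rules belong; the nat rules, as the nat listing shows, survived. The script below is an added example, not code from the post or from Docker: it re-anchors the post's rules in DOCKER-USER, re-adds the nat rules only if they are missing, and uses the post's own interfaces and addresses. The DRY_RUN mode and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): re-anchor the post's forwarding rules in
# DOCKER-USER, the chain Docker reserves for administrators, and make sure the
# NAT rules are present. Interface names and addresses are the post's own.
WAN=eno1            # internet-facing interface
LAN=eno2            # interface towards the 10.0.0.0/24 LAN
LAN_NET=10.0.0.0/24
SSH_HOST=10.0.1.2   # workstation reached via DNAT from tcp/23 to tcp/22

# With DRY_RUN=1 the iptables commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# insert_rule TABLE CHAIN MATCH... : put the rule at the top of CHAIN unless an
# identical rule already exists (iptables -C exits 0 when it does).
insert_rule() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run -t "$table" -I "$chain" "$@"
    fi
}

# append_rule TABLE CHAIN MATCH... : same check, but appended at the end of CHAIN.
append_rule() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        run -t "$table" -A "$chain" "$@"
    fi
}

apply_rules() {
    # filter table: FORWARD jumps to DOCKER-USER before any Docker rule and
    # before the DROP policy, so ACCEPTs placed here are never shadowed. All
    # three are ACCEPTs, so the order produced by repeated -I does not matter.
    insert_rule filter DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    insert_rule filter DOCKER-USER -s "$LAN_NET" -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT
    insert_rule filter DOCKER-USER -d "$SSH_HOST" -p tcp --dport 22 -j ACCEPT
    # nat table: there is no DOCKER-USER here, and the listing shows the
    # post's rules survived; re-add the DNAT and MASQUERADE only if missing.
    append_rule nat PREROUTING -i "$WAN" -p tcp --dport 23 -j DNAT --to-destination "$SSH_HOST:22"
    append_rule nat POSTROUTING -o "$WAN" -j MASQUERADE
}

# Run as "sh script.sh apply" (as root) to install; anything else is a dry run.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    DRY_RUN=1
    apply_rules
fi
```

Note that only the filter table is affected by the DROP policy; the rule that forwards 10.0.1.2 outbound is the RELATED,ESTABLISHED one plus a NEW rule that covers its address, so if 10.0.1.2 is not inside 10.0.0.0/24 on your network, widen LAN_NET accordingly (the DNAT rule alone only lets inbound port-22 sessions in).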

iptables – source IP spoofing for UDP packets on CentOS 7

Before, I was doing source IP spoofing with iptables. Now, after migrating to CentOS 7, how can it be done with firewalld?

Here is the old command.

sudo iptables -t nat -A POSTROUTING -d X.X.X.X -p udp --dport 162 -j SNAT --to X.X.X.X

What would be the equivalent rule on CentOS 7? How can I do the same thing using firewalld?

linux: the set of iptables rules changes when a native VPN application is running

Is it correct for a native Linux VPN application (from a well-known VPN provider) to change the set of iptables rules each time the VPN is activated?

Keep in mind that one of the rules that always changes after running the VPN is the so-called "drop everything else" rule that you can add after all your rules to configure a "whitelist" firewall.

As an additional explanation, whenever this VPN application is run, the line (DROP all -- * * 0.0.0.0/0 0.0.0.0/0) disappears from the output of the "iptables -L -v -n" command; and right after closing the VPN application, the aforementioned "drop all" rule reappears.
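One way to establish exactly what the application changes, rather than eyeballing iptables -L, is to snapshot the ruleset with iptables-save before and after starting it and diff the rule lines. The script below is an added example, not from the post or from any VPN product: the two dumps are constructed samples that model the observation in the post (the trailing DROP in INPUT disappears) plus one rule the application might add; the function names and the tun0 rule are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): find which firewall rules a program
# removes or adds while it runs, by diffing two iptables-save snapshots.
# On a real system (as root):
#   iptables-save > before.rules ; <start the VPN app> ; iptables-save > after.rules
#   rules_removed before.rules after.rules ; rules_added before.rules after.rules

# Print only the rule lines (-A ...) of a dump, stripping the [pkts:bytes]
# prefix that iptables-save -c adds so counters do not show up as changes.
rule_lines() {
    sed -n 's/^\[[0-9]*:[0-9]*\] //; /^-A /p' "$1"
}

# rules_removed BEFORE AFTER: rules present in BEFORE but absent from AFTER.
# grep -vxF -f treats every line of the AFTER list as a fixed, whole-line
# pattern; "|| true" keeps the function's exit status 0 when nothing differs.
rules_removed() {
    after_rules=$(mktemp)
    rule_lines "$2" > "$after_rules"
    rule_lines "$1" | grep -vxF -f "$after_rules" || true
    rm -f "$after_rules"
}

# rules_added BEFORE AFTER: rules present in AFTER but absent from BEFORE.
rules_added() {
    rules_removed "$2" "$1"
}

report() {
    echo "Rules removed while the application ran:"
    rules_removed "$1" "$2" | sed 's/^/  - /'
    echo "Rules added while the application ran:"
    rules_added "$1" "$2" | sed 's/^/  + /'
}

# Constructed sample snapshots (not real captures). "before" is a whitelist
# firewall ending in an explicit DROP, as the post describes; in "after" that
# DROP is gone from INPUT and an ACCEPT for the tunnel interface has appeared.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/before.rules" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF
cat > "$SAMPLE_DIR/after.rules" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF

report "$SAMPLE_DIR/before.rules" "$SAMPLE_DIR/after.rules"
```

Because the diff works on the iptables-save form, it also catches rules that iptables -L would print identically (for example a match on a different interface that -L without -v hides), and the same two functions can be pointed at a saved baseline to check that the ruleset is restored once the application exits.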

iptables: how to configure dnsmasq to allow only a specific IP address to access the internet on the interface it is listening on

Can anyone help me with this problem:
I am currently running the dnsmasq service on Raspbian (Raspberry Pi) to share the Pi's internet access with devices connected to its LAN port, identified as eth0. The /etc/dnsmasq.conf file is configured as follows:

interface=eth0                               # Use the eth0 interface
listen-address=192.168.10.1                  # Specify the address to listen on
bind-interfaces                              # Bind to the interface
server=8.8.8.8                               # Use Google DNS
domain-needed                                # Don't forward short names
bogus-priv                                   # Drop non-routed address spaces
dhcp-range=192.168.10.100,192.168.10.199,12h # IP range and lease time

Following the tutorial at this link: https://pimylifeup.com/raspberry-pi-wifi-bridge/

Currently, this works as expected, but I need to restrict Internet access to a single device, identified by its static IP address 192.168.10.10.

Can anyone help me on how to do this?

Thanks in advance.
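Restricting forwarding to one source while leaving DHCP and DNS (which terminate on the Pi itself, so they pass through INPUT, not FORWARD) untouched only needs a FORWARD policy of DROP and a single ACCEPT keyed on the allowed source. The ruleset below is an added example, not from the post or the linked tutorial, written in iptables-save format so it can be loaded in one step with iptables-restore. eth0 and 192.168.10.10 are the post's; the uplink interface name wlan0 is an assumption.

```shell
#!/bin/sh
# Added example (not from the post or the tutorial): an iptables-restore
# ruleset that lets exactly one LAN host reach the Internet through the Pi.
# eth0 and 192.168.10.10 come from the post; the uplink name wlan0 is an
# assumption, change WAN if yours differs.
# Load with:  sysctl -w net.ipv4.ip_forward=1 ; sh script.sh | iptables-restore
LAN=eth0
WAN=wlan0
ALLOWED=192.168.10.10

# Print the complete nat + filter tables. Lines starting with '#' are
# comments, which iptables-restore ignores.
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Hide the LAN behind the Pi's uplink address.
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
# INPUT stays ACCEPT so every LAN device still gets DHCP leases and DNS
# answers from dnsmasq on the Pi; only transit traffic is restricted.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the allowed host opened may come back in.
-A FORWARD -i $WAN -o $LAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Only this source may open connections towards the uplink ...
-A FORWARD -i $LAN -o $WAN -s $ALLOWED -j ACCEPT
# ... every other LAN host falls through to the FORWARD DROP policy.
COMMIT
EOF
}

# Number of LAN-to-uplink ACCEPT rules; a check that nothing broader than the
# single allowed host slipped into the ruleset.
lan_to_wan_accepts() {
    ruleset | grep -c -- "^-A FORWARD -i $LAN -o $WAN .*-j ACCEPT"
}

ruleset
```

A source-IP allow-list is only as strong as the address assignment behind it: reserve 192.168.10.10 for that device in dnsmasq with a dhcp-host entry, and if the LAN is not fully trusted add a MAC match (-m mac --mac-source) to the ACCEPT rule as well, so that another device cannot inherit the access simply by taking over the address.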

Two bridged interfaces with multiple IPs, NAT required, iptables

I am trying to set up a strange configuration on a Debian-based box.

This is a type of industrial PC with two network interfaces, eth0 and eth1. I'm using it as a 'scanner device' in customer networks. Some of them use DHCP, others do not. Some can give me a fixed IP, others cannot even tell me the DHCP address my device would receive.

So I created the following configuration in /etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet manual
auto eth1
iface eth1 inet manual

# Bridge Interface
auto br0
iface br0 inet dhcp
    bridge_ports eth0 eth1
    bridge_hw aa:bb:cc:dd:ee:ff

# Preset interface IP for client requirements, if DHCP is not working
auto br0:1
iface br0:1 inet static
    address 172.16.21.150
    netmask 255.255.255.0
    network 172.16.21.0
    broadcast 172.16.21.255
    # Gateway
    post-up route add default gw 172.16.21.254
    pre-down route del default gw 172.16.21.254


# Set the default IP address of the backup interface
auto br0:100
iface br0:100 inet static
    address 169.254.111.111
    netmask 255.255.255.0
    network 169.254.111.0
    broadcast 169.254.111.255

As you can see, there are three interfaces. br0 is used for DHCP, br0:1 for a static IP given by the client. In general, br0 and br0:1 will not be used at the same time.
br0:100 is also static, but with a link-local address. I use it to access the box without an attached monitor, simply via IP and ssh.
Everything works perfectly, except when I connect my laptop directly to br0:100 (remember, this is a virtual interface, not a dedicated physical one!).

Working over ssh on the box, I can reach the customer's network and also connect to the Internet (subject to whatever FW rules the client has on their end …)

But I cannot access the Internet from my laptop, only the customer's network.
So my idea was that the client's local configuration only allows Internet access from its own network range, but my laptop is in another range. The glorious idea was to configure NAT, and I tried these simple NAT rules:

# Enable IP forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable masquerading on br0 and br0.1
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o br0:1 -j MASQUERADE

# Set up forwarding rules
# Forward established connections from external (br0 & br0.1) to internal (br0.100)
iptables -A FORWARD -i br0 -o br0:100 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i br0:1 -o br0:100 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forward connections from internal (br0.100) to external (br0 & br0.1)
iptables -A FORWARD -i br0:100 -o br0 -j ACCEPT
iptables -A FORWARD -i br0:100 -o br0:1 -j ACCEPT

This breaks my whole configuration. The box itself can no longer connect to the network.

I have no idea what is wrong and how I can fix it. Any idea is appreciated.

regards
Olaf

linux: How can iptables have (ACCEPT, all, anywhere, anywhere) and (DROP, all, anywhere, anywhere) in its INPUT chain?

How can iptables have both (ACCEPT, all, anywhere, anywhere) and (DROP, all, anywhere, anywhere) in its INPUT chain?

What does it mean for iptables to have rules that both ACCEPT and DROP all traffic in its INPUT chain, with a default policy of DROP?

In this case, will the traffic actually be accepted or dropped? I see that there are specific rules for ssh and http; would they naturally take precedence, because they are more specific?

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh ctstate ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http ctstate ESTABLISHED

nat – Ultra-slow upload speed when NATing with iptables

I am setting up a network and I need to allow access only for certain MAC addresses.

Let eth0 and eth1 be the physical interfaces. eth1 is connected to the external network, and eth0 and its VLANs are on the internal network.

For that purpose, I'm using Linux iptables and I have the following code for the default configuration.

# Allowing ip forwarding and loopback

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -i lo -j ACCEPT

# Configuring nat and default chain settings

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -N FILTER
iptables -P FORWARD DROP

# Default configuration

iptables -A FORWARD -p tcp -m conntrack --ctstate NEW -i eth0+ -o eth1 -j FILTER
iptables -A FORWARD -p tcp -m conntrack \
    --ctstate RELATED,ESTABLISHED,DNAT,SNAT,INVALID -i eth0+ -o eth1 -j ACCEPT
iptables -A FORWARD ! -p tcp -i eth0+ -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0+ -m state \
    --state RELATED,ESTABLISHED -j ACCEPT

With this, I am filtering all incoming TCP traffic in the NEW state and allowing all traffic of any other protocol, or TCP in other states. I'm handling the filtered TCP requests with the following rule:

# Allowing tcp traffic with ctstate NEW for certain MACs

iptables -A FILTER -p tcp -m conntrack --ctstate NEW -i eth0+ -o eth1 \
    -m mac --mac-source <MAC> -j ACCEPT

In a test environment, with this configuration, allowed MACs can access the Internet with a normal download speed, but the upload speed is almost zero. Am I forgetting something?

iptables – VPS – How to allow different VPN subnets to communicate?

I have a VPS A (KVM with Ubuntu 18.04) with a VPN server:

VPN server: 10.50.0.0/24
All VPN clients can ping each other.

And another VPS B (KVM with Ubuntu 18.04) with a VPN server, which is also a VPN client of the first:

VPN server: 10.60.0.0/24
VPN client: 10.50.0.50

My PC is a VPN client of VPS B:

VPN client: 10.60.0.10

What should I do on VPS B to allow my PC 10.60.0.50 to access the subnet of the first VPS, 10.50.0.0/24?

iptables: block a torrent by its hash

I only have this information from the abuser.

Title: us
Timestamp: 2019-06-08T05:46:52Z
IP Address: xx.xx.xx.xx
Port: 15517
Type: BitTorrent
Stream Hash: 70b2976df8afbc7eba95cdb979a8498cdac250bc
File name: -
File size: 996 MB

How can I block this file by hash using iptables?

iptables: How does the OpenVPN client get data onto the wire if the physical interface is blocked by a firewall?

Reading about tun/tap in the kernel documentation, https://www.kernel.org/doc/Documentation/networking/tuntap.txt, it is clear that this interface is not backed by hardware. If I configure the iptables firewall to deny inbound/outbound traffic on all interfaces except tun0, how does the OpenVPN client get the data onto the wire?

When the kernel decides it is time to put data on the wire for the tun0 interface, it hands the data to a user space program (the OpenVPN client). I guess this program prepares the data for the tunnel, then opens a socket and sends the data through a non-virtual interface like eth0. But this is supposedly blocked by the firewall. Nevertheless, it works.

Does the OpenVPN client somehow bypass the firewall mechanism (iptables)?
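There is no bypass: the plaintext packet traverses OUTPUT on tun0, the openvpn process reads it from the tun device, encrypts it and writes a datagram to an ordinary UDP socket, and that datagram traverses OUTPUT a second time, now on eth0, where iptables filters it like any other packet. A firewall that really dropped everything on eth0 would therefore keep the tunnel from ever coming up; a working "tun0 only" firewall always carries one ACCEPT for the tunnel transport itself. The two rulesets below are an added example, not from the post or from OpenVPN: the first is the literal reading of the post, the second adds the rule that makes it work. eth0 and tun0 are the post's; the server address 203.0.113.5 and port 1194 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the post): two iptables-save rulesets for a
# "tun0 only" host firewall. eth0/tun0 come from the post; the VPN server
# 203.0.113.5 and port 1194 are placeholders, substitute your own.
# Load the working one with:  sh script.sh | iptables-restore
PHYS=eth0
TUN=tun0
VPN_SERVER=203.0.113.5
VPN_PORT=1194

# The literal reading of the post: nothing leaves or enters except via tun0.
# The openvpn process cannot send its encapsulated UDP out of eth0, so the
# tunnel never establishes and tun0 never carries anything.
strict_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $TUN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $TUN -j ACCEPT
COMMIT
EOF
}

# What actually has to be allowed. Each application packet is seen twice by
# OUTPUT: once as plaintext on tun0, once as the UDP datagram on eth0 that
# openvpn wrote to its socket. Only that datagram, to the one server and
# port, is permitted on the physical interface; all other eth0 traffic drops.
working_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $TUN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Replies from the VPN server to the tunnel socket.
-A INPUT -i $PHYS -p udp -s $VPN_SERVER --sport $VPN_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $TUN -j ACCEPT
# The encrypted tunnel packets themselves, and nothing else, may use eth0.
-A OUTPUT -o $PHYS -p udp -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
COMMIT
EOF
}

# permits_tunnel_transport RULESET_FN: exit 0 if the ruleset lets the
# tunnel's own UDP datagrams out of the physical interface, 1 otherwise.
permits_tunnel_transport() {
    "$1" | grep -q -- "^-A OUTPUT -o $PHYS -p udp -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT"
}

working_ruleset
```

The same reasoning explains the post's observation that "it works": the firewall on the machine in question must already contain an equivalent of the last OUTPUT rule (or be loaded after the tunnel is up), because nothing in the tun/tap design lets a user-space process skip the netfilter hooks on eth0. If the server is configured by hostname, the resolver also needs a permitted path before the tunnel exists, which is a second rule, not a bypass.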