linux – iptables SNAT and DNAT in the same incoming packet

Is SNAT and DNAT possible in the same packet based on dst ip and port? For example:

10.0.0.4 -> 10.0.0.5:5000 changed to 192.168.0.1 -> 192.168.0.2:5000

# mark the flow in mangle PREROUTING, then key both NAT rules on that mark
# (the original post had --dport 500 here; the example above uses port 5000)
iptables -t mangle -A PREROUTING  -p tcp -d 10.0.0.5 --dport 5000 -j MARK --set-mark 2
iptables -t nat    -A PREROUTING  -m mark --mark 0x2 -j DNAT --to 192.168.0.2
iptables -t nat    -A POSTROUTING -m mark --mark 0x2 -j SNAT --to 192.168.0.1

Do the previous SNAT and DNAT rules apply to the same packet? If not, what is the way to achieve it? An example would be of great help. Thank you!
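The rule set in the post does apply both translations to one packet: the mark set in mangle PREROUTING stays on the packet (skb->mark) through the routing decision, so nat PREROUTING DNATs it and nat POSTROUTING SNATs the same packet, and conntrack then undoes both on the reply. The following is an added example, not code from the post and not the kernel's logic; it is a deliberately small model of those hooks plus a conntrack table, using the addresses from the post and a constructed source port 40000.

```python
"""Toy model of one packet passing netfilter's mark, DNAT and SNAT hooks.

Added example (not from the original post). Only what the question needs is
modelled: the mark set in mangle PREROUTING, DNAT in nat PREROUTING, SNAT in
nat POSTROUTING, and the conntrack entry that replays the translation for
later packets and reverses it for replies.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    mark: int = 0  # skb->mark: kernel-local, never sent on the wire

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)


class NatBox:
    """One router running the three rules from the post, plus conntrack."""

    def __init__(self, match_dst, match_dport, dnat_to, snat_to, mark=2):
        self.match = (match_dst, match_dport)
        self.dnat_to, self.snat_to, self.mark = dnat_to, snat_to, mark
        # 4-tuple as the packet arrives -> packet as it must leave
        self.conntrack = {}

    def translate(self, pkt):
        # Established flow: the nat table is consulted only for the first
        # packet; conntrack replays the stored translation afterwards.
        if pkt.key() in self.conntrack:
            return self.conntrack[pkt.key()]
        orig = pkt

        # mangle PREROUTING: -d 10.0.0.5 --dport 5000 -j MARK --set-mark 2
        if (pkt.dst, pkt.dport) == self.match:
            pkt = replace(pkt, mark=self.mark)
        # nat PREROUTING: -m mark --mark 0x2 -j DNAT --to 192.168.0.2
        if pkt.mark == self.mark:
            pkt = replace(pkt, dst=self.dnat_to)
        # (routing decision happens here, on the already-DNATed destination)
        # nat POSTROUTING: -m mark --mark 0x2 -j SNAT --to 192.168.0.1
        # The mark set in PREROUTING is still present, so the same packet
        # is SNATed as well.
        if pkt.mark == self.mark:
            pkt = replace(pkt, src=self.snat_to)

        out = replace(pkt, mark=0)
        if out.key() != orig.key():
            # Record both directions so the reply is un-NATed on the way back.
            self.conntrack[orig.key()] = out
            reply_in = Packet(out.dst, out.dport, out.src, out.sport)
            reply_out = Packet(orig.dst, orig.dport, orig.src, orig.sport)
            self.conntrack[reply_in.key()] = reply_out
        return out


if __name__ == "__main__":
    box = NatBox("10.0.0.5", 5000, "192.168.0.2", "192.168.0.1")
    print(box.translate(Packet("10.0.0.4", 40000, "10.0.0.5", 5000)))
    print(box.translate(Packet("192.168.0.2", 5000, "192.168.0.1", 40000)))
```

Traffic to the marked destination leaves as 192.168.0.1 -> 192.168.0.2:5000, the reply from 192.168.0.2 is rewritten back to 10.0.0.5 -> 10.0.0.4, and unrelated traffic to 10.0.0.5 on other ports is untouched.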

iptables: device packets behind NAT are not translated again

I have a server running virtual machines that need to connect to the internet for updates and whatnot.

So I enabled ipv4 forwarding and configured

iptables -t filter -A FORWARD -s 192.168.122.0/23 -j ACCEPT
iptables -t filter -A FORWARD -d 192.168.122.0/23 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.122.0/23 ! -d 192.168.122.0/23 -o eno1 -j MASQUERADE

There are no blocking rules in the FORWARD chain despite the default DROP policy.

But now the internet connections (for example, ping google) are processed by NAT and get the external IP of the server, with an entry in the conntrack table; the remote server responds, but the response does not return to the virtual machine that initiated the connection (as I discovered with tcpdump).

iptables tool to measure latency instead of bandwidth

I am trying to measure the latency of having many iptables rules.
I tried to use iperf but I think bandwidth is not what I want.

Any help with this?

How to count forward traffic from iptables port

I use these commands for the forward port.

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 1235 -j DNAT --to-destination 1.1.1.1:80
iptables -t nat -A PREROUTING -p udp -m udp --dport 1235 -j DNAT --to-destination 1.1.1.1:80
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p tcp -m tcp --dport 1235 -j SNAT --to-source 10.15.0.203
iptables -t nat -A POSTROUTING -d 1.1.1.1 -p udp -m udp --dport 1235 -j SNAT --to-source 10.15.0.203

But when I see port traffic through iptables -t nat -L -v -n

I find that the PREROUTING and POSTROUTING traffic statistics are incorrect.

Then I try to use the following command for statistics

iptables -A FORWARD -s 1.1.1.1
iptables -A FORWARD -d 1.1.1.1

Although this shows the correct traffic, it cannot be counted according to --dport 1235.
How do I perform traffic statistics by port?
Can anyone give me any advice?

iptables: CentOS7 is pulling packets by mistake

Using TCP dump I can see the packets that come to my interface

$ tcpdump -nn -i em4
05:41:50.988511 IP 24.x.y.z.4011 > 50.x.y.z.443: Flags [S], seq 141106183, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

Using iptables -t nat I can see the packets hitting my rules to forward them to a host in the fleet:

$ iptables -t nat -vnL PREROUTING
 pkts bytes target     prot opt in     out     source               destination
   34  1768 DNAT       tcp  --  em4    *       0.0.0.0/0            50.x.y.z        tcp dpt:443 to:192.168.122.100

However, the packet never reaches the FORWARD rule:

$ iptables -t filter -vnL FORWARD
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  em4    *       0.0.0.0/0            192.168.122.100      tcp dpt:443

There are no other rules that match this packet. None of my logging rules are reached before the packet is lost.

IPV4 forwarding is enabled:

$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

rp_filter is disabled

$ cat /proc/sys/net/ipv4/conf/em4/rp_filter
0

What could be causing the loss of these packets?
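Both the traffic-counting question and the CentOS 7 question above come down to reading the per-rule counters that iptables -vnL prints. Two points worth keeping in mind when doing so: DNAT in nat PREROUTING runs before FORWARD, so a counting rule in FORWARD must match the translated destination and port (1.1.1.1:80 in the earlier post, not dport 1235), and a DNAT rule whose pkts counter grows while the matching FORWARD rule stays at 0 means the packets are lost between the nat hook and FORWARD (routing, rp_filter, or a drop before that rule), which is what the listing above shows. The parser below is an added example, not code from either post; the listing it parses is constructed in the same format, with 198.51.100.7 standing in for the elided public address.

```python
"""Parse `iptables -t <table> -vnL` output and compare per-rule counters.

Added example, not code from the original posts. The sample listings are
constructed (same format as in the post; 198.51.100.7 is a placeholder).
"""
import re

_SUFFIX = {"": 1, "K": 1000, "M": 1000_000, "G": 1000_000_000}

# Constructed sample: nat PREROUTING and filter FORWARD as in the post above.
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
   34  1768 DNAT       tcp  --  em4    *       0.0.0.0/0            198.51.100.7         tcp dpt:443 to:192.168.122.100
"""
FILTER_LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  em4    *       0.0.0.0/0            192.168.122.100      tcp dpt:443
"""


def _num(tok):
    """Without -x, iptables -v abbreviates counters as 12K / 3M / 1G."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"not a counter: {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_listing(text):
    """Return {chain: [rule, ...]}; each rule is a dict of the -vnL columns."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if line.startswith("pkts"):  # column header
            continue
        f = line.split(None, 9)  # the 10th field keeps the whole match text
        chains[current].append({
            "pkts": _num(f[0]), "bytes": _num(f[1]), "target": f[2],
            "prot": f[3], "in": f[5], "out": f[6],
            "source": f[7], "destination": f[8],
            "extra": f[9] if len(f) > 9 else "",
        })
    return chains


def dport_counters(chains, dport):
    """Sum (pkts, bytes) over rules whose match text names dpt:<dport>."""
    pkts = nbytes = 0
    for rules in chains.values():
        for r in rules:
            if re.search(rf"\bdpt:{dport}\b", r["extra"]):
                pkts += r["pkts"]
                nbytes += r["bytes"]
    return pkts, nbytes


def translated_vs_forwarded(nat_chains, filter_chains):
    """(packets counted by DNAT rules in PREROUTING, packets counted by
    FORWARD rules). A large first number with a zero second number means
    packets were translated but never reached FORWARD."""
    dnat = sum(r["pkts"] for r in nat_chains.get("PREROUTING", [])
               if r["target"] == "DNAT")
    fwd = sum(r["pkts"] for r in filter_chains.get("FORWARD", []))
    return dnat, fwd


if __name__ == "__main__":
    nat, flt = parse_listing(NAT_LISTING), parse_listing(FILTER_LISTING)
    print("dpt:443 in nat:", dport_counters(nat, 443))
    print("translated vs forwarded:", translated_vs_forwarded(nat, flt))
```

Feed it the real output of iptables -t nat -vnL and iptables -t filter -vnL (use -x for exact counters) and compare the two numbers over time; if only the first one grows, look between the nat hook and FORWARD rather than at the FORWARD rules themselves.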

How to change the rule in iptables on my router?

How can I change the rule in iptables on my router from

Chain ipfilter (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            destination IP range 10.0.0.1-10.255.255.254 
DROP       all  --  anywhere             anywhere

to

Chain ipfilter (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            destination IP range 10.0.0.1-10.255.255.254
ACCEPT     all  --  anywhere             anywhere            

iptables forwards traffic coming from the openvpn tunnel to lan

The network topology is shown below:

------------------------ 123.45.67.89 (WAN)      ----------------------
|    pfSense           |-------------------------|     Public client  |
------------------------                         ----------------------
         | 10.1.1.1 (tun)
         |
         |
         | 10.1.1.2 (tun)
----------------------- 192.168.0.2 (LAN)   192.168.0.3 (LAN)----------------
|       RPi           | -------------------------------------|  VNC Server  | 
-----------------------                                      ----------------

Scenario:

  1. The public client accesses pfSense on WAN ip and port 5900
  2. PfSense forwards traffic to OpenVPN ip 10.1.1.2:5900 (RPi)
  3. RPi performs SNAT and DNAT and forwards to 192.168.0.3:5900 (VNC server)
  4. The VNC server responds to the source IP, that is, 192.168.0.2
  5. PROBLEM: RPi does not forward the response to pfSense, unless you configure it for all traffic to pass through tun (using routes). However, I would like only VNC server responses, related to VNC traffic, to pass through the tun interface.

Below is the configuration of iptables in RPi

pi@raspberrypi:~ $ sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpts:9500:9505 to:192.168.0.3:5900-5905

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       tcp  --  anywhere             anywhere             tcp dpts:5900:5905 to:192.168.0.2

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I thought about putting ip 10.1.1.2 in SNAT, but since the VNC server doesn't know how to route this subnet, I ended up with asymmetric routing.

Below is the routing table that does not work:

pi@raspberrypi:~ $ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         speedport-entry 0.0.0.0         UG    202    0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0

Below is the working routing table (all traffic goes through tun):

pi@raspberrypi:~ $ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.1.1        128.0.0.0       UG    0      0        0 tun0
default         speedport-entry 0.0.0.0         UG    202    0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 tun0
static.89.67.45 speedport-entry 255.255.255.255 UGH   0      0        0 eth0
128.0.0.0       10.1.1.1        128.0.0.0       UG    0      0        0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0

Question:
How do I forward the traffic that reaches 192.168.0.2 from the VNC server to tun?

Thank you

vpn – Update iptables based on route and ip pushed to client ccd

I have my openvpn server running and I send certain routes to my clients through the ccd directive.

I tried writing a bash script to grep the ip of the ccd file but I am having some problems.

Client file in /etc/openvpn/ccd:

ifconfig-push 10.8.0.45 255.255.255.0
push 'route 10.10.0.45'

I need to grep 10.8.0.45 and 10.10.0.45

and push those routes into iptables,
e.g.

iptables -A FORWARD -s 10.8.0.45 -d 10.10.0.45 -j ACCEPT

client-connect /etc/openvpn/on_connect.sh

I need help writing grep or awk, I'm new to bash scripting

#!/usr/bin/env bash
#
#  Add iptables rules based on CCD client config.
#  Run by OpenVPN as client-connect, which exports $common_name.
#

CCD_DIR="/etc/openvpn/ccd"
# iptables rule comment - the disconnect script will
# remove all rules matching this pattern
RULE_COMMENT="OVPN_${common_name}"

if [ -f "$CCD_DIR/$common_name" ]; then
  # "ifconfig-push 10.8.0.45 255.255.255.0" -> the address is the 2nd field
  static_ip=$(awk '$1 == "ifconfig-push" { print $2; exit }' "$CCD_DIR/$common_name")
  # "push 'route 10.10.0.45'" -> drop the quotes, take the address after "route"
  ip_destination=$(tr -d "'" < "$CCD_DIR/$common_name" \
    | awk '$1 == "push" && $2 == "route" { print $3; exit }')

  if [ -n "$static_ip" ] && [ -n "$ip_destination" ]; then
    sudo iptables -A FORWARD -s "$static_ip" -d "$ip_destination" \
      -m comment --comment "$RULE_COMMENT" -j ACCEPT
  fi
fi

exit 0

Iptables that restricts access by time

How to add time to this rule: iptables -I FORWARD -s 192.168.0.56 -j ACCEPT?

I tried this

iptables -I FORWARD -s 192.168.0.56 -m time --timestart 13:00 --timestop 14:00 -j ACCEPT

but it does not work

firewall: does this iptables entry indicate that someone is trying to enter?

Two days ago I built a Debian 10 server in the United States to use it as a file server for my web application. When I created the server, I installed the fail2ban package and configured a minimal basic firewall using the following rules:

*filter

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT

# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7

# Reject all other inbound.
-A INPUT -j REJECT

# Log any traffic which was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7

# Reject all traffic forwarding.
-A FORWARD -j REJECT

COMMIT

Today, when I checked my firewall, I found the following:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  127.0.0.0/8          anywhere             reject-with icmp-port-unreachable
ACCEPT     icmp --  anywhere             anywhere             state NEW icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables_INPUT_denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 5 LOG level debug prefix "iptables_FORWARD_denied: "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  49.88.112.114        anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

There are only two user accounts on the server, the root account and a personal account for me. I'm not a firewall expert, but the entry in chain f2b-sshd seems suspicious to me:

When I run whois on that IP address, I see that it originated somewhere in China.

I have other production servers that have been running for more than a year that are based on Debian 9 and I have never seen entries like this.

  1. Does this entry indicate that someone at that IP address has tried to enter my server?
  2. If the answer is "yes", is Debian 10 recording all intrusion attempts with entries like this?
  3. Are there additional steps I must take to secure my server?
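A REJECT entry in the f2b-sshd chain is what fail2ban's sshd jail inserts after it has seen repeated failed logins from one address in the SSH authentication log, so the evidence behind that entry is in /var/log/auth.log, not in the firewall. The following added example (not from the post, and not fail2ban's own code) reproduces that decision over constructed auth.log lines: count "Failed password" events per source address and report any address that reaches maxretry failures within findtime seconds, using fail2ban's default values of 5 and 600.

```python
"""Count failed SSH logins per source and apply a fail2ban-style threshold.

Added example; not from the original post and not fail2ban's code. The log
lines and addresses are constructed (documentation ranges); maxretry=5 and
findtime=600 s are fail2ban's defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log.
AUTH_LOG = """\
Jun 12 03:14:07 srv sshd[1201]: Failed password for root from 198.51.100.23 port 51234 ssh2
Jun 12 03:14:09 srv sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Jun 12 03:14:11 srv sshd[1205]: Failed password for root from 198.51.100.23 port 51246 ssh2
Jun 12 03:14:13 srv sshd[1207]: Failed password for root from 198.51.100.23 port 51250 ssh2
Jun 12 03:14:15 srv sshd[1209]: Failed password for invalid user oracle from 198.51.100.23 port 51254 ssh2
Jun 12 03:14:17 srv sshd[1211]: Failed password for root from 198.51.100.23 port 51258 ssh2
Jun 12 03:14:40 srv sshd[1213]: Failed password for invalid user test from 203.0.113.5 port 60010 ssh2
Jun 12 03:14:41 srv sshd[1213]: Connection closed by 203.0.113.5 port 60010 [preauth]
Jun 12 03:20:00 srv sshd[1301]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Jun 12 03:40:00 srv sshd[1350]: Failed password for invalid user test from 203.0.113.5 port 60020 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def failed_logins(lines):
    """Return [(timestamp, ip, user)] for each sshd 'Failed password' line.
    Syslog timestamps carry no year, so strptime's default year is used;
    differences between timestamps are still meaningful."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("user")))
    return events


def offenders(events, maxretry=5, findtime=600):
    """Return {ip: time of the failure that crossed maxretry within findtime}."""
    per_ip = defaultdict(list)
    for ts, ip, _ in sorted(events):
        per_ip[ip].append(ts)
    window = timedelta(seconds=findtime)
    banned = {}
    for ip, stamps in per_ip.items():
        # sliding window of maxretry consecutive failures
        for i in range(maxretry - 1, len(stamps)):
            if stamps[i] - stamps[i - maxretry + 1] <= window:
                banned[ip] = stamps[i]
                break
    return banned


if __name__ == "__main__":
    evs = failed_logins(AUTH_LOG.splitlines())
    for ip, when in offenders(evs).items():
        print(f"{ip}: ban at {when:%b %d %H:%M:%S}")
```

Run it against the real auth.log to see the failures that produced the f2b-sshd entry; the same per-address counts are what fail2ban-client status sshd summarises.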