Skip to main content

2 posts tagged with "linux"

View All Tags

· 7 min read
Moazzem Hossen

iptables

iptables is a powerful firewall management tool for Linux-based systems. It allows you to control incoming and outgoing network traffic, making it a vital component for securing and managing your server or network. Here's a quick overview of what you need to know:

Key Concepts

  • Rules: iptables operates using a set of predefined rules. Each rule defines how packets should be handled, including whether to allow, deny, or modify them.

  • Tables: iptables has three main tables: filter, nat, and mangle. Each table is responsible for different types of packet manipulation.

  • Chains: Within each table, there are chains like INPUT, OUTPUT, and FORWARD, which specify when the rules should be applied.

Basic Operations

  • Allow Incoming Traffic: To allow incoming traffic on a specific port (e.g., port 80 for HTTP):

    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

  • Block Incoming Traffic: To block incoming traffic on a specific port:

    iptables -A INPUT -p tcp --dport 22 -j DROP

  • Port Forwarding: Redirect incoming traffic on a specific port to an internal IP and port:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [internal-ip]:[internal-port]

Save and Restore Rules

  • Save Rules: To save your iptables rules so they persist across reboots:

    sudo iptables-save > /etc/iptables/rules.v4

  • Restore Rules: To load saved rules:

    sudo iptables-restore < /etc/iptables/rules.v4

Additional Modules

  • iptables can be extended with additional modules like iptables-persistent for automatic rule loading at boot or iptables-persistent6 for IPv6.

  • You can also use graphical frontends like ufw (Uncomplicated Firewall) or firewalld for easier rule management.

NAT Routing

Understanding Network Address Translation (NAT) is crucial in the realm of networking. It allows the modification of network address information in packet headers while in transit. iptables provides a robust platform for configuring NAT on Linux systems. This guide delves into various NAT operations using iptables, guiding you from basic to advanced configurations.

Understanding NAT Types

  • SNAT (Source NAT): Alters the source address of outbound packets. Ideal for changing the sender's address, especially for traffic leaving your network.
  • DNAT (Destination NAT): Changes the destination address of inbound packets. Used for redirecting incoming traffic to a specific internal host/port.
  • MASQUERADE: A special SNAT type useful for dynamic IP addresses, like those from DHCP.

Setting Up for NAT

Ensure your system is ready for NAT configurations:

  1. Enable IP Forwarding: This allows your Linux system to forward packets between interfaces.

    sudo sysctl -w net.ipv4.ip_forward=1

  2. Activate the New Settings: Make the changes effective immediately.

    sudo sysctl -p

Implementing NAT Rules

Source NAT (SNAT)

Change the source IP of outgoing traffic:

  • Basic SNAT: Modify the source IP for traffic exiting a specific interface.

    sudo iptables -t nat -A POSTROUTING -s [source-ip] -o [out-interface] -j SNAT --to-source [new-source-ip]

Destination NAT (DNAT)

Redirect incoming traffic to a different internal host/port:

  • Port Forwarding: Redirect traffic hitting your public IP on a specific port to an internal IP and port.

    sudo iptables -t nat -A PREROUTING -p tcp --dport [public-port] -j DNAT --to-destination [internal-ip]:[internal-port]

MASQUERADE

Dynamic IP handling, ideal for home routers or DHCP clients:

  • Internet Connection Sharing: Allow internal network clients to access the Internet through your Linux gateway.

    sudo iptables -t nat -A POSTROUTING -o [out-interface] -j MASQUERADE

Whether it's sharing an internet connection or setting up a secure internal network, iptables NAT functionality is a powerful tool in network configuration.

The MASQUERADE target in iptables is a specialized form of Source NAT (SNAT) designed for situations where your outbound interface has a dynamically assigned IP address, such as those obtained via DHCP. This is commonly used in scenarios like home networks, where your router/gateway receives a dynamic IP from your ISP.

  • Why MASQUERADE? In traditional SNAT, the new source IP is fixed and explicitly specified in the rule. However, if your gateway's external IP address is dynamically assigned and can change (like in residential broadband connections), setting up a standard SNAT rule with a fixed IP is impractical. MASQUERADE automatically handles this by using the current IP of the outgoing interface as the source IP for NAT.

  • How it works: When MASQUERADE is applied, it dynamically alters the source IP of outbound packets to match the IP of the interface they're leaving from. If that interface's IP changes over time (as is the case with dynamic IPs), MASQUERADE adapts and uses the new IP automatically, without needing any rule updates.

  • Common Use Case - Internet Sharing: A typical use case for MASQUERADE is in a Linux-based home router or gateway, where the internal network needs to access the internet, but the external IP of the router is not static. By applying MASQUERADE to the outbound traffic, all internal clients can seamlessly access external networks through the gateway, regardless of changes in the gateway's external IP.

  • MASQUERADE Example: To enable MASQUERADE for outbound traffic on a dynamically assigned external interface (e.g., eth0):

    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This rule tells the system: "For all outbound packets on eth0, change their source IP to match eth0's current IP." It's an essential tool for managing NAT in dynamic IP environments and is widely used in both home and small business networks.

In iptables, the terms POSTROUTING and PREROUTING refer to specific chains within the NAT (Network Address Translation) table. These chains are crucial for manipulating packets as they enter and leave the network system, especially in routing and forwarding scenarios. Here's a brief explanation of these and other similar chains:

  • PREROUTING: This chain is used for altering incoming packets before they are routed. It's often used for redirecting incoming traffic to different destinations within your local network through DNAT (Destination Network Address Translation).

  • POSTROUTING: This chain is used for modifying packets after they have been routed. It's commonly used for masquerading (a form of source NAT), where the source IP addresses are changed to the firewall's IP address as they leave the network.

In addition to these, there are other chains in the NAT table and other tables of iptables. While PREROUTING and POSTROUTING are specific to the NAT table, there are equivalent chains in other tables for different purposes:

  • INPUT: Found in the filter table, it's used to control the behavior of incoming packets destined for the local system.

  • OUTPUT: Also in the filter table, this chain is for packets generated by the local system and going out.

  • FORWARD: Part of the filter table, it's used for packets that are routed through the local system, useful in scenarios where your system is acting as a router.

  • MANGLE: This is a table in itself and is used for specialized packet alteration. It has chains like PREROUTING, OUTPUT, etc., similar to the NAT table but for different packet manipulation purposes.

Understanding these chains and tables is essential for effective network management and security using iptables. Each serves a unique role in how packets are processed and routed through your system.

· 2 min read
Moazzem Hossen
#!/bin/bash

# Create network namespaces
ip netns add wg1
ip netns add wg2

# Create a veth pair
ip link add veth-wg1 type veth peer name veth-wg2

# Attach the veth interfaces to the namespaces
ip link set veth-wg1 netns wg1
ip link set veth-wg2 netns wg2

# Assign IP addresses to each veth interface in their respective namespaces
ip -n wg1 addr add 192.168.15.1/24 dev veth-wg1
ip -n wg2 addr add 192.168.15.2/24 dev veth-wg2

# Bring up the loopback interfaces
ip -n wg1 link set lo up
ip -n wg2 link set lo up

# Bring up the veth interfaces
ip -n wg1 link set veth-wg1 up
ip -n wg2 link set veth-wg2 up

# Add routes in the namespaces
ip -n wg1 route add 192.168.15.2 dev veth-wg1
ip -n wg2 route add 192.168.15.1 dev veth-wg2

# Test connectivity with ping
ip netns exec wg1 ping -c 4 192.168.15.2

linux bridge

#!/bin/bash
ip netns add wg1
ip netns add wg2

ip link add name v-net-0 type bridge
ip link set dev v-net-0 up

ip link add veth-wg1 type veth peer name veth-wg1-br
ip link set veth-wg1 netns wg1
ip link set veth-wg1-br master v-net-0

ip link add veth-wg2 type veth peer name veth-wg2-br
ip link set veth-wg2 netns wg2
ip link set veth-wg2-br master v-net-0

ip -n wg1 addr add 192.168.15.1/24 dev veth-wg1
ip -n wg1 link set veth-wg1 up
ip -n wg1 link set lo up

ip -n wg2 addr add 192.168.15.2/24 dev veth-wg2
ip -n wg2 link set veth-wg2 up
ip -n wg2 link set lo up

ip link set veth-wg1-br up
ip link set veth-wg2-br up

ip netns exec wg1 ping -c 4 192.168.15.2

connecting to and from outside

# sysctl net.ipv4.ip_forward
# sysctl -w net.ipv4.ip_forward=1
sed -i '/^#net.ipv4.ip_forward=1/s/^#//' /etc/sysctl.conf
sysctl -p

ip link add name br0 type bridge
ip addr add 192.168.15.5/24 dev br0
ip link set br0 up


iptables -t nat -A POSTROUTING -s 192.168.15.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.15.1:80

ip netns exec wg1 ip route add default via 192.168.15.5

# ping from wg1 namespace via br0 (192.168.15.5) to outside
ip netns exec wg1 ping 192.168.121.57