
destination NAT

 
DNAT = destination network address translation.
This is passing services that run on a computer in the internal network through to the outside network; in other words, a kind of reverse NAT. It used to be called reverse masquerading as well.
 

  1. the goal
     
    We want to reach the two web servers in our LAN from the outside network. That is possible on the outside address of the iptables firewall (10.104.2xy.254), but of course not both on the same port. Moreover we want to reach both the web service and the ssh service.
    The following mapping is proposed in the assignment (http://linux800.be/services/iptables):
     
    ssh web1 -> port 10122
    ssh web2 -> port 10222
    web on web1 -> port 8081
    web on web2 -> port 8082
     
  2. principle
     
    • we set the FORWARD policy to DROP:
      iptables -vP FORWARD DROP
    • we open the port the inside server listens on in the FORWARD chain:
      iptables -vA FORWARD -p TCP --dport 22 -j ACCEPT
    • we open the outside port in the FORWARD chain:
      iptables -vA FORWARD -p TCP --dport 10122 -j ACCEPT
    • we give what comes in a new address + port number:
      iptables -vt nat -A PREROUTING -p TCP --dport 10122 -j DNAT --to 192.168.2xy.101:22
    • we add a general RELATED,ESTABLISHED rule:
      iptables -vA FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    Two remarks before using this. The nat PREROUTING chain is traversed before the routing decision and before the filter FORWARD chain, so a packet that arrived for port 10122 reaches FORWARD with its destination already rewritten to 192.168.2xy.101:22. The FORWARD rule for --dport 10122 therefore never matches (its packet counter in iptables -vnL FORWARD stays at 0); it is the --dport 22 rule that actually passes the forwarded ssh traffic. That rule is broader than the mapping needs: it accepts forwarded TCP traffic to port 22 on any address, from the LAN outward as well as from outside to every inside host, for anyone who can route to the 192.168.2xy.0/24 network. Restricting it with -i (outside interface), -o (inside interface) and -d 192.168.2xy.101 limits it to the published service. Finally, -m state is the old form of the conntrack match; current iptables accepts -m conntrack --ctstate ESTABLISHED,RELATED in the same place.
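    The procedure above as one script, added here as an example that is not part of the original page: the same four mappings, but with every FORWARD rule written against the translated destination and scoped to the outside-to-inside direction, and with the reply-traffic rule placed first. Interface names and addresses are the ones used further down on this page (enp0s3 outside, enp0s8 inside, 192.168.200.x); the publish/setup function names and the IPT dry-run hook are this example's own.

```shell
#!/bin/bash
# Added example (not the page's script): scoped DNAT + FORWARD rules for the
# four mappings. OUT_IF/IN_IF/IPT are assumptions you adapt to your firewall.
OUT_IF=${OUT_IF:-enp0s3}   # outside interface, 10.104.200.254 on this page
IN_IF=${IN_IF:-enp0s8}     # inside interface, 192.168.200.254 on this page
IPT=${IPT:-iptables}       # set IPT=dry_run to print the commands instead of loading them

dry_run() { printf 'iptables %s\n' "$*"; }

# publish OUTSIDE_PORT INSIDE_IP INSIDE_PORT
# PREROUTING rewrites the destination of packets arriving on the outside
# interface. FORWARD is evaluated after that, so it must match the *translated*
# destination (inside ip and port); it is further limited to the outside->inside
# direction and to connections that conntrack has actually DNATed, so the rule
# cannot be used to reach port 22 or 80 on any other inside host.
publish() {
  local outside_port=$1 inside_ip=$2 inside_port=$3
  "$IPT" -t nat -A PREROUTING -i "$OUT_IF" -p tcp --dport "$outside_port" \
         -j DNAT --to-destination "$inside_ip:$inside_port"
  "$IPT" -A FORWARD -i "$OUT_IF" -o "$IN_IF" -d "$inside_ip" -p tcp --dport "$inside_port" \
         -m conntrack --ctstate DNAT -j ACCEPT
}

setup() {
  "$IPT" -P FORWARD DROP
  # reply traffic first: it is the bulk of the packets and needs no per-service rule
  "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  publish 10122 192.168.200.101 22   # ssh web1
  publish 10222 192.168.200.102 22   # ssh web2
  publish 8081  192.168.200.101 80   # web web1
  publish 8082  192.168.200.102 80   # web web2
}

# ./dnat.sh --dry-run prints the rules; ./dnat.sh --apply loads them (needs root)
case "${1:-}" in
  --dry-run) IPT=dry_run; setup ;;
  --apply)   setup ;;
esac
```

    Run it with --dry-run first and compare the printed rules with the ones in the sections below. Because the DNAT rule is tied to -i enp0s3, a LAN client that connects to 10.104.200.254:8081 is not redirected; that needs a separate hairpin rule, which this page does not cover.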
       
  3. we try it for web101
     
    #### Destination NAT -
    iptables -vP FORWARD DROP
    ## destination forward ports (ssh)
    iptables -vA FORWARD -p TCP --dport 22 -j ACCEPT
    ## port 10122 >> web101:22
    iptables -vt nat -A PREROUTING -p TCP --dport 10122 -j DNAT --to 192.168.200.101:22
    ## (never matches: PREROUTING has already rewritten the destination port to 22)
    iptables -vA FORWARD -p TCP --dport 10122 -j ACCEPT
    ### forward related established
    iptables -vA FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    We put the above in our iptables test script and try ssh to web101:

    user@lap17:~$ ssh 10.104.200.254 -p 10122
    user@10.104.200.254's password: 
    Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-93-generic x86_64)
    106 packages can be updated.
    31 updates are security updates.
    Last login: Mon Nov 27 18:30:44 2017 from 10.104.255.219
    $

    ... and that seems to work.
     

  4. the complete DNAT declaration
     
    Just below the INPUT declaration
    ...
    #### Destination NAT -
    iptables -vP FORWARD DROP
    ## destination forward ports
    iptables -vA FORWARD -p TCP --dport 22 -j ACCEPT
    iptables -vA FORWARD -p TCP --dport 80 -j ACCEPT
    ## port 10122 >> web101:22
    iptables -vt nat -A PREROUTING -p TCP --dport 10122 -j DNAT --to 192.168.200.101:22
    iptables -vA FORWARD -p TCP --dport 10122 -j ACCEPT
    ## port 10222 >> web102:22
    iptables -vt nat -A PREROUTING -p TCP --dport 10222 -j DNAT --to 192.168.200.102:22
    iptables -vA FORWARD -p TCP --dport 10222 -j ACCEPT
    ## port 8081  >> web101:80
    iptables -vt nat -A PREROUTING -p TCP --dport 8081 -j DNAT --to 192.168.200.101:80
    iptables -vA FORWARD -p TCP --dport 8081 -j ACCEPT
    ## port 8082 >> web102:80
    iptables -vt nat -A PREROUTING -p TCP --dport 8082 -j DNAT --to 192.168.200.102:80
    iptables -vA FORWARD -p TCP --dport 8082 -j ACCEPT
    ### forward related established
    iptables -vA FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ...

    ... and above the PRINT section.
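    A check on a rule set like the one above, added here as an example that is not part of the original page: it reads rules in iptables-save format and reports FORWARD rules that match an outside port (one that a PREROUTING DNAT rule rewrites, so FORWARD can never see it) and DNAT targets whose translated port no FORWARD rule accepts. The check_dnat name and the SAMPLE_RULES input are this example's own; the sample is a constructed rendering of two of the page's mappings, not output captured from the page's firewall.

```shell
#!/bin/sh
# Added example, not from the page: consistency check for DNAT rule sets in
# iptables-save format. Findings:
#   dead:        a FORWARD rule matching an outside (pre-DNAT) port
#   unreachable: a DNAT target whose translated port no FORWARD rule accepts

# Constructed sample mirroring two of the page's mappings (not captured output).
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 10122 -j DNAT --to-destination 192.168.200.101:22
-A PREROUTING -p tcp -m tcp --dport 8081 -j DNAT --to-destination 192.168.200.101:80
-A POSTROUTING -o enp0s3 -j SNAT --to-source 10.104.200.254
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 10122 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# check_dnat RULES: one finding per line, no output when the set is consistent.
check_dnat() {
  printf '%s\n' "$1" | awk '
    function dport(i)  { for (i = 1; i <= NF; i++) if ($i == "--dport") return $(i + 1); return "" }
    function target(i) { for (i = 1; i <= NF; i++) if ($i == "--to-destination") return $(i + 1); return "" }
    # PREROUTING DNAT rule: remember the outside port and the ip:port it maps to
    $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ { outside[dport()] = 1; inside[target()] = 1 }
    # FORWARD rule: remember the line and the port it matches on
    $1 == "-A" && $2 == "FORWARD" { n++; fwd[n] = $0; fwd_port[n] = dport() }
    END {
      for (i = 1; i <= n; i++)
        if (fwd_port[i] != "" && (fwd_port[i] in outside))
          print "dead: " fwd[i]
      for (dst in inside) {
        split(dst, t, ":")
        if (t[2] == "") continue            # DNAT without a port rewrite
        hit = 0
        for (i = 1; i <= n; i++) if (fwd_port[i] == t[2]) hit = 1
        if (!hit) print "unreachable: " dst " has no FORWARD rule for port " t[2]
      }
    }'
}

# on a live firewall: check_dnat "$(iptables-save)"
```

    On the sample it reports the FORWARD rule for port 10122 as dead and the 192.168.200.101:80 target as unreachable (the sample deliberately leaves out the --dport 80 rule). A rule set whose FORWARD rules match the translated ports produces no output.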
     

  5. testing
      
    $ lynx 10.104.200.254:8081
    Looking up '10.104.200.254' first
    DIT IS WEB101
     
    $ lynx 10.104.200.254:8082
    Looking up '10.104.200.254' first
    DIT IS WEB102
     
    $ ssh 10.104.200.254 -p 10122
    user@10.104.200.254's password: 
    Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-93-generic x86_64)
    Last login: Mon Nov 27 20:25:47 2017 from 10.104.255.219
    $ hostname
    ub164-WEB101

     

    $ ssh 10.104.200.254 -p 10222
    user@10.104.200.254's password: 
    Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-93-generic x86_64)
    Last login: Mon Nov 27 20:25:47 2017 from 10.104.255.219
    $ hostname
    ub164-WEB102

     

  6. complete config and output
     
    #! /bin/bash
    #
    #  iptables-script 
    #  bvdb  ( 02/11/2017 )
    ######################################################
    #
    # v = verbose, F = flush all rules from the chains, X = delete user-defined (non-builtin) chains
    # (when user-defined chains exist, run -F before -X: a chain that still holds or is referenced by rules cannot be deleted)
     
    # general
    iptables -vX
    iptables -vF
     
    # nat and masquerading; -t selects the table
    iptables -vt nat -F
    iptables -vt nat -X
     
    # mangle table (packet header alteration)
    iptables -vt mangle -F
    iptables -vt mangle -X
     
    # reset policies; -P sets a chain's default policy
    iptables -vP OUTPUT ACCEPT
     
    # turn off routing (IP forwarding)
    # echo 0 > /proc/sys/net/ipv4/ip_forward
     
    # turn on routing (IP forwarding)
    echo 1 > /proc/sys/net/ipv4/ip_forward
     
    ###### This is very important in your script:
    ###### write your interfaces down, so you can see what you are doing:
    #
    ##>> my network interfaces: enp0s3 = 10.104.200.254/16 >> outside
    ##>> my network interfaces: enp0s8 = 192.168.200.254/24 >> inside
     
    ### implement NAT routing
    #
    ## NAT routing - enp0s3 is outside and an unprotected network
    #  the ip address on the outside of our firewall is 10.104.200.254 (outside address)
    #
    iptables -vt nat -A POSTROUTING -o enp0s3 -j SNAT --to 10.104.200.254
     
    ## INPUT chain lo + port 10022
    iptables -vP INPUT DROP
    iptables -vA INPUT -i lo -j ACCEPT
    iptables -vA INPUT -p TCP --dport 10022 -j ACCEPT
    iptables -vA INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     
    #### Destination NAT -
    iptables -vP FORWARD DROP
    ## destination forward ports (these match the translated destination port, on any address)
    iptables -vA FORWARD -p TCP --dport 22 -j ACCEPT
    iptables -vA FORWARD -p TCP --dport 80 -j ACCEPT
    ## port 10122 >> web101:22
    iptables -vt nat -A PREROUTING -p TCP --dport 10122 -j DNAT --to 192.168.200.101:22
    ## (never matches: PREROUTING has already rewritten the destination port to 22)
    iptables -vA FORWARD -p TCP --dport 10122 -j ACCEPT
    ## port 10222 >> web102:22
    iptables -vt nat -A PREROUTING -p TCP --dport 10222 -j DNAT --to 192.168.200.102:22
    iptables -vA FORWARD -p TCP --dport 10222 -j ACCEPT
    ## port 8081  >> web101:80
    iptables -vt nat -A PREROUTING -p TCP --dport 8081 -j DNAT --to 192.168.200.101:80
    iptables -vA FORWARD -p TCP --dport 8081 -j ACCEPT
    ## port 8082 >> web102:80
    iptables -vt nat -A PREROUTING -p TCP --dport 8082 -j DNAT --to 192.168.200.102:80
    iptables -vA FORWARD -p TCP --dport 8082 -j ACCEPT
    ### forward related established
    iptables -vA FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
     
    ### PRINT iptables configuration
    ###
    #
    echo ">>>>> iptables -n -L"
    iptables -n -L
    echo "--------------"
    #echo ">>>>> iptables -S"
    #iptables -S 
    #echo "--------------"
    echo ">>>>> iptables -t nat -L"
    iptables -t nat -L
    echo "--------------"
    #echo ">>>>> iptables -t mangle -L"
    #iptables -t mangle -L
    #echo "--------------"
    echo "routing set: " `cat /proc/sys/net/ipv4/ip_forward`
    echo "=============="
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `PREROUTING'
    Flushing chain `INPUT'
    Flushing chain `OUTPUT'
    Flushing chain `POSTROUTING'
    Flushing chain `PREROUTING'
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `POSTROUTING'
    SNAT  all opt -- in * out enp0s3  0.0.0.0/0  -> 0.0.0.0/0   to:10.104.200.254
    ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:10022
    ACCEPT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   state RELATED,ESTABLISHED
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:22
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:80
    DNAT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:10122 to:192.168.200.101:22
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:10122
    DNAT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:10222 to:192.168.200.102:22
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:10222
    DNAT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:8081 to:192.168.200.101:80
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:8081
    DNAT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:8082 to:192.168.200.102:80
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:8082
    ACCEPT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   state RELATED,ESTABLISHED
    >>>>> iptables -n -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10022
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10122
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10222
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8081
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    --------------
    >>>>> iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:10122 to:192.168.200.101:22
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:10222 to:192.168.200.102:22
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:tproxy to:192.168.200.101:80
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:8082 to:192.168.200.102:80
     
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
     
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
     
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    SNAT       all  --  anywhere             anywhere             to:10.104.200.254
    --------------
    routing set:  1
    ==============

    Note that iptables -t nat -L was run without -n, so port numbers are resolved through /etc/services: that is why port 8081 is printed as tcp dpt:tproxy in the PREROUTING listing. Use -n, as the filter listing does, to print the numeric port; add -v to see the packet counters per rule, which is the quickest way to spot a rule that never matches.