Friday, July 18, 2014

iptables port redirection example with the REDIRECT target, and testing the rule

iptables REDIRECT target example with rule testing

0)
Create a virtual machine and run the following iptables steps there.

1)
List all chains and rules in the NAT table
#sudo iptables -t nat -L -nv

2)
List all rules in the PREROUTING chain of NAT table
#sudo iptables -t nat -L PREROUTING -nv

3)
Add a port redirect rule to PREROUTING chain of NAT table
#sudo iptables -t nat -A PREROUTING -p tcp --dport 8083 -j REDIRECT --to-ports 8085

* All incoming TCP traffic to port 8083 is redirected to port 8085.

* -t nat ==> Name of the table.
* -A PREROUTING ==> Name of the chain where we need to add the rule.

* -p tcp ==> Name of the Match
* -p tcp --dport 8083 ==> Name of the Match with match options
http://www.iptables.info/en/iptables-matches.html#TCPMATCHES
http://www.iptables.info/en/iptables-matches.html

* -j REDIRECT ==> Name of the Target/Jump
* REDIRECT --to-ports 8085 ==> Name of the Target/Jump with options
http://www.iptables.info/en/iptables-targets-and-jumps.html#REDIRECTTARGET
http://www.iptables.info/en/iptables-targets-and-jumps.html

* We can't test with ping, since we specified "-p tcp" in the rule. If you want to test with ping, remove "-p tcp" from the rule or replace "-p tcp" with "-p icmp".

4)
Listen for an incoming connection/packet to port 8085
#netcat -l 8085

5)
Send a packet to port 8083 from the same machine (127.0.0.1/localhost).
#telnet 127.0.0.1 8083

* This will not work; you will get an error like "telnet: Unable to connect to remote host: Connection refused".
* We cannot test this rule from localhost: locally generated packets never pass through the PREROUTING chain. We should test from another host, or set up the REDIRECT rule in the OUTPUT chain of the NAT table instead.
* http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

NAT table
=======

The iptables NAT table has the following built-in chains.

http://www.thegeekstuff.com/2011/01/iptables-fundamentals/ 

a)
PREROUTING chain
Alters packets before routing (before the routing table, as shown by route -n, is consulted), i.e. packet translation happens immediately after the packet arrives on the system and before the routing decision. This is used to translate the destination IP address of the packets to something that matches the routing on the local server. This is what DNAT (destination NAT) uses.

b)
POSTROUTING chain
Alters packets after routing (after the routing table, as shown by route -n, has been consulted), i.e. packet translation happens when the packets are leaving the system. This is used to translate the source IP address of the packets to something that matches the routing on the destination server. This is what SNAT (source NAT) uses.

c)
OUTPUT chain
NAT for locally generated packets on the firewall. <== IMP: this is the chain a localhost test (step 5) actually traverses, not PREROUTING.

6)
Send a packet from a different host/machine. I am going to telnet from my host machine to port 8083 of our virtual machine, where we added this iptables rule.
#telnet 192.168.56.101 8083

* This should work: the messages sent via telnet from the host to port 8083 of the virtual machine will arrive at the netcat listener on port 8085 of the virtual machine.

7)
Delete the rule

#sudo iptables -t nat -D PREROUTING -p tcp --dport 8083 -j REDIRECT --to-ports 8085

8)
List all rules in the PREROUTING chain of NAT table

#sudo iptables -t nat -L PREROUTING -nv
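To confirm from the listings in steps 2 and 8 that the rule exists and actually matched traffic, rather than reading the output by eye, here is an added Python example (not part of the original post) that parses `iptables -t nat -L PREROUTING -nv` output and checks whether the REDIRECT rule's packet counter grew between the step 5/6 tests. The listing text inside is a constructed sample in the real `-L -nv` layout, not captured output.

```python
"""Parse `iptables -t nat -L <chain> -nv` output and check a REDIRECT rule.

Constructed sample listings: what PREROUTING looks like before and after a
telnet from another host to port 8083 (step 6). After a localhost telnet
(step 5) the counter stays at 0, because local packets skip PREROUTING.
"""
import re
from typing import Dict, List, Optional

BEFORE = """Chain PREROUTING (policy ACCEPT 12 packets, 840 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8083 redir ports 8085
"""
AFTER = """Chain PREROUTING (policy ACCEPT 14 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8083 redir ports 8085
"""

COLUMNS = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "source", "destination")


def parse_chain(listing: str) -> List[Dict[str, str]]:
    """Return one dict per rule line; the 'Chain ...' and column-name lines are skipped."""
    rules = []
    for line in listing.splitlines():
        fields = line.split(None, 9)  # 9 fixed columns, remainder is match/target text
        if len(fields) < 9 or not fields[0].isdigit():
            continue
        rule = dict(zip(COLUMNS, fields[:9]))
        rule["extra"] = fields[9] if len(fields) > 9 else ""
        rules.append(rule)
    return rules


def redirect_target(rules: List[Dict[str, str]], dport: int) -> Optional[int]:
    """Port that a TCP REDIRECT rule for `dport` forwards to, or None if there is none."""
    for r in rules:
        if r["target"] != "REDIRECT" or r["prot"] != "tcp":
            continue
        m = re.search(rf"dpt:{dport}\b.*redir ports (\d+)", r["extra"])
        if m:
            return int(m.group(1))
    return None


def rule_was_hit(before: str, after: str, dport: int) -> bool:
    """True if the pkts counter of the REDIRECT rule for `dport` grew between two listings."""
    def counter(listing: str) -> int:
        for r in parse_chain(listing):
            if r["target"] == "REDIRECT" and f"dpt:{dport}" in r["extra"]:
                return int(r["pkts"])
        raise ValueError(f"no REDIRECT rule for dport {dport}")
    return counter(after) > counter(before)
```

Capture the listing with `sudo iptables -t nat -L PREROUTING -nv` before and after the telnet, and a counter that stays at zero tells you the packets never reached PREROUTING (the localhost case in step 5).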
