Linux board - how to do this iptables setup?
c******n
Posts: 4965
1
I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 so that it goes to
port 22 of my local box instead.
I tried the following but it doesn't work:
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j DNAT --to-destination 127.0.0.0
sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --to-source $EXTERNAL_BOX_IP
any ideas?
Thanks a lot
c******n
Posts: 4965
2
figured out, need one more line:
sudo iptables -t nat -A POSTROUTING -d 127.0.0.0 -p tcp --dport 22 -j SNAT --to-source 127.0.0.0

[Quoting c******n:]
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
: the 22 port of my local box instead,
: I tried the following but it doesn't work
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
: DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
: to-source $EXTERNAL_BOX_IP
: any ideas?
: Thanks a lot

c******n
Posts: 4965
3
actually it didn't work

[Quoting c******n:]
: figured out, need one more line
: sudo iptables -t nat -A POSTROUTING -d 127.0.0.0 -p tcp --dport 22 -j
: SNAT --to-source 127.0.0.0

j*a
Posts: 14423
4
read this bible:
http://www.frozentux.net/documents/iptables-tutorial/

[Quoting c******n:]
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
: the 22 port of my local box instead,
: I tried the following but it doesn't work
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
: DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
: to-source $EXTERNAL_BOX_IP
: any ideas?
: Thanks a lot

z**r
Posts: 17771
5
it should be
sudo iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_BOX_IP --dport 22 -j DNAT --to-destination 127.0.0.1

[Quoting c******n:]
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
: the 22 port of my local box instead,
: I tried the following but it doesn't work
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
: DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
: to-source $EXTERNAL_BOX_IP
: any ideas?
: Thanks a lot

l*****u
Posts: 12114
6
Are you trying to do FORWARDING?

[Quoting c******n:]
: I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
: the 22 port of my local box instead,
: I tried the following but it doesn't work
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
: DNAT --to-destination 127.0.0.0
: sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
: to-source $EXTERNAL_BOX_IP
: any ideas?
: Thanks a lot

c******n
Posts: 4965
7
I don't think so, PREROUTING is for incoming messages;
here the messages are generated by my local process (ssh client).
I got it working in another post,
but here it is:
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE

[Quoting z**r:]
: it should be
: sudo iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_BOX_IP --dport 22 -j
: DNAT --to-destination 127.0.0.1

c******n
Posts: 4965
8
but here's what I don't understand:
I checked the packets in Wireshark.
the first packet sent out by client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1
I thought according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg
after DNAT changes the dest IP, it goes through another routing decision, so
at this step it should be set to the lo interface, so MASQUERADE should set
its source to be 127.0.0.1 ???
also wireshark shows that the return ip is $EXTERNAL_BOX_IP to REAL_IP_OF_
CLIENT_BOX, this is fine. but how is my application able to receive this
packet in its TCP connection? my sshd is listening on localhost only, but
the packet is addressed to REAL_IP_OF_CLIENT_BOX
my ssh client opens a TCP connection to $EXTERNAL_BOX_IP, so the tcp
connection expects to

[Quoting c******n:]
: i don't think so, PREROUTING is for incoming messages,
: here the messages are generated by my local process ( ssh client )
: I got it working in another post.
: but here it is
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
: DNAT --to-destination 127.0.0.1
: sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE

l*****u
Posts: 12114
9
Whatever you are trying to do, it should not be OK as long as that 127.0.0.1 is in there.

[Quoting c******n:]
: but here's what I dont' understand:
: I checked the packets in wireshark.
: the first packet sent out by client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1
: I thought according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg
: after DNAT changes the dest IP, it goes through another routing decision, so
: at this step it should be set to the lo interface, so MASQUERADE should set
: its source to be 127.0.0.1 ???
: also wireshark shows that the return ip is $EXTERNAL_BOX_IP to REAL_IP_OF_
: CLIENT_BOX, this is fine. but how is my application able to receive this
: packet in its TCP connection? my sshd is listening on localhost only, but

c******n
Posts: 4965
10
you are wrong: "it should not be OK"
It actually worked, I just don't understand how it worked.

[Quoting l*****u:]
: Whatever you are trying to do, it should not be OK as long as that 127.0.0.1 is in there.

l*****u
Posts: 12114
11
Where does this SCRIPT run?
1. On 127.0.0.1? Then how could it possibly catch the packets going to EXT_IP?
2. On EXT_IP? Then that 127.0.0.1 refers to EXT_IP, and who knows which UNIT it gets forwarded to.
This is basic networking knowledge. As for you saying it WORKED, that is basically some other coincidence.

[Quoting c******n:]
: you are wrong: "it should not be OK"
: It actually worked, I just don't understand how it worked.

j*a
Posts: 14423
12
Brother, you had better write in Chinese.
You understood a bit of that tutorial, but you are confusing it with an ssh tunnel.
Here you only need NAT OUTPUT; you don't need NAT POSTROUTING.

[Quoting c******n:]
: but here's what I dont' understand:
: I checked the packets in wireshark.
: the first packet sent out by client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1
: I thought according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg
: after DNAT changes the dest IP, it goes through another routing decision, so
: at this step it should be set to the lo interface, so MASQUERADE should set
: its source to be 127.0.0.1 ???
: also wireshark shows that the return ip is $EXTERNAL_BOX_IP to REAL_IP_OF_
: CLIENT_BOX, this is fine. but how is my application able to receive this
: packet in its TCP connection? my sshd is listening on localhost only, but

z**r
Posts: 17771
13
Boss, could you state the whole problem clearly in one go?

[Quoting c******n:]
: i don't think so, PREROUTING is for incoming messages,
: here the messages are generated by my local process ( ssh client )
: I got it working in another post.
: but here it is
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
: DNAT --to-destination 127.0.0.1
: sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE

c******n
Posts: 4965
14
just run this on your linux box:
################################
# following is yahoo.com address
EXTERNAL_BOX_IP=67.195.160.76
PORT=10000
sudo iptables -t nat -F
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
###############################
then do nc -l 10000
as a fake server,
then do nc 67.195.160.76 10000
and type a bunch of characters.
You will see that the listener nc did get the characters you typed at the nc client,
so it worked, but I don't see why.

[Quoting l*****u:]
: Where does this SCRIPT run?
: 1. On 127.0.0.1? Then how could it possibly catch the packets going to EXT_IP?
: 2. On EXT_IP? Then that 127.0.0.1 refers to EXT_IP, and who knows which UNIT it gets forwarded to.
: This is basic networking knowledge. As for you saying it WORKED, that is basically some other coincidence.

c******n
Posts: 4965
15
民工, please just look at my last post;
that complete script is easier than explaining the problem.

[Quoting z**r:]
: Boss, could you state the whole problem clearly in one go?

l*****u
Posts: 12114
16
I think I get it a little now: you are saying that all packets from localhost 127.0.0.1 to EXT_IP port 22 get forwarded back to localhost 127.0.0.1 port 22? That seems very easy. If instead you want to hijack the packets from every machine on the LAN to EXT_IP port 22 and send them to port 22 of one particular machine, this script of yours is useless, unless all of the LAN's packets pass through this machine of yours.

[Quoting c******n:]
: just run this on your linux box,
: ################################
: # following is yahoo.com address
: EXTERNAL_BOX_IP=67.195.160.76
: PORT=10000
: sudo iptables -t nat -F
: sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
: DNAT --to-destination 127.0.0.1
: sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
: ###############################

c******n
Posts: 4965
17
yes, I only care about my tests on the local box.
The script is used in the context of JMX, please see my previous JMX post.
What I don't understand is basically how the kernel is able to properly route
the response packet. It's probably easier to use a plain NAT example.
Let's say my box is in a private network,
my_box 192.168.1.2
||
||
\ /
\/
gateway_box 192.168.1.1 , public_ip : 111.222.333.888
||
||
\ /
\/
yahoo.com 111.222.333.444
In a regular NAT case, my_box sends to yahoo.com, the packet is routed to
gateway_box, and gateway_box forwards it to yahoo.com, using the FORWARD chain.
gateway_box also applies MASQUERADE so that the source_ip of the packet
becomes the public ip of the gateway.
From yahoo.com's view, it is really talking to the gateway_box, and sends a
response to 111.222.333.888.
My question is, when the gateway receives the response packet, how is it
able to figure out which IP on its internal network to change the target ip
(111.222.333.888) to? It has to use some sort of lookup table, and the
only available key for that lookup table is the source port.

[Quoting l*****u:]
: I think I get it a little now: you are saying that all packets from localhost 127.0.0.1 to EXT_IP port 22 get forwarded back to localhost 127.0.0.1 port 22? That seems very easy. If instead you want to hijack the packets from every machine on the LAN to EXT_IP port 22 and send them to port 22 of one particular machine, this script of yours is useless, unless all of the LAN's packets pass through this machine of yours.

c******n
Posts: 4965
18
looks like my guess is right:
http://en.wikipedia.org/wiki/Network_address_translation#NAT_an
"
To avoid ambiguity in the handling of returned packets, a one-to-many NAT
must alter higher level information such as TCP/UDP ports in outgoing
communications and must maintain a translation table so that return packets
can be correctly translated back. RFC 2663 uses the term NAPT (network
address and port translation) for this type of NAT. Other names include PAT
(port address translation), IP masquerading, NAT Overload and many-to-one
NAT. Since this is the most common type of NAT it is often referred to
simply as NAT.

[Quoting c******n:]
: yes, I only care about my tests on the local box.
: The script is used in the context of JMX, please see my previous JMX post.
: What I don't understand is basically how the kernel is able to properly route
: the response packet. It's probably easier to use a plain NAT example.
: let's say my box is in a private network ,
: my_box 192.168.1.2
: ||
: ||
: \ /
: \/
