Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Quick Links


Categories

In this Discussion

iptables help needed
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

iptables help needed

MrEdMrEd Member
in Help

Hi everyone. I am a bit confused with iptables and would like someone with better knowledge to help me if possible. As with foreign language, it usually is - you can read/understand, but you can't write/say something, so the same goes with the iptables for me :)

I have a home server and for ability to connect to it from my work I use port multiplexing on port 443 (sslh to be short). I already asked in sslh github (https://github.com/yrutschle/sslh/issues/134) for help, but noone seams to react, so maybe LET will have some talented guys :)

Will repeat the information here for someone if e.g. github repository would be deleted and someone comes from google with similar problem.

My /etc/sslh.cfg looks like this:

verbose: false;
foreground: false;
inetd: false;
numeric: false;
transparent: true;
timeout: "2";
user: "nobody";
pidfile: "/var/run/sslh.pid";

listen:
(
    { host: "0.0.0.0"; port: "4443"; },
    { host: "0.0.0.0"; port: "4080"; }
);

protocols:
(
     { name: "ssh"; service: "ssh"; host: "192.168.1.202"; port: "222"; },
     { name: "http"; host: "192.168.1.202"; port: "8080"; },
     { name: "ssl"; host: "192.168.1.202"; port: "8443"; },
     { name: "anyprot"; host: "192.168.1.202"; port: "8443"; }
);

The transparent mode means that apache or sshd sees external IP and not internal as the source of connection. For this to work there is a block of iptables (documented in sslh):

iptables -t mangle -N SSLH
iptables -t mangle -A  OUTPUT --protocol tcp --out-interface eth0 --sport 222 --jump SSLH
iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 8443 --jump SSLH
iptables -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

This works perfectly. But then I connected mine server with my brothers home server, and wanted to have a windows share on my PC to be accessable on his. For the connection I used peervpn, but I guess this does not matter, whatever VPN method would be used, the result would be the same.

The windows share is on 192.168.1.200 and my server is on 192.168.1.202. The vpn network is 10.8.1.0/16, and my servers IP address is 10.8.1.4. My brothers is 10.8.1.10.

ifconfig (if interested):

eth0      Link encap:Ethernet  HWaddr 52:54:00:a7:bb:01
          inet addr:192.168.1.202  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fea7:bb01/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7364 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2984 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2218654 (2.2 MB)  TX bytes:637484 (637.4 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1912 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1912 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:197908 (197.9 KB)  TX bytes:197908 (197.9 KB)

peervpn0  Link encap:Ethernet  HWaddr 06:34:20:3d:f9:e6
          inet addr:10.8.1.4  Bcast:10.8.255.255  Mask:255.255.0.0
          inet6 addr: fe80::434:20ff:fe3d:f9e6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:27 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:1799 (1.7 KB)  TX bytes:1356 (1.3 KB)

For windows share to be nat'ed iptables looks like this:

iptables -t nat -A PREROUTING -p udp --dport 137 -m conntrack --ctstate NEW -j DNAT --to 192.168.1.200:137
iptables -t nat -A PREROUTING -p udp --dport 138 -m conntrack --ctstate NEW -j DNAT --to 192.168.1.200:138
iptables -t nat -A PREROUTING -p tcp --dport 139 -m conntrack --ctstate NEW -j DNAT --to 192.168.1.200:139
iptables -t nat -A PREROUTING -p tcp --dport 445 -m conntrack --ctstate NEW -j DNAT --to 192.168.1.200:445
iptables -t nat -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE

On the brothers server windows share iptables looks the same but the IP is not 192.168.1.200 but 10.8.1.4.

Both iptables blocks separately works great, but when combined together, the iptables -A POSTROUTING -t nat -j MASQUERADE messes sslh part and I am not able to connect to my server anymore.

How should I change it so I would still have possibility to connect to my server through sslh and still have the windows share nat'ed?

Thanks in advance.

Comments

  • bsdguybsdguy Member
    edited August 2017

    I don't know sslh and I don't care nor do I know a lot or care about windows so my engagement here will be low.

    What I see, however, is that you got things mixed up. A VPN answers the question "How to connect a remote PC and make it look as if it was on the local LAN", that sslh thingy, however, seems to answer the question "How can I use one port for multiple protocols (typically ssl/tls based ones it seems)".

    As you and your brother probably don't run diverse public faced servers on your home networks I wonder why you complicate things using sslh in the first place. Also note that you can access brothers, say, home httpd via vpn.

  • MrEdMrEd Member

    First things first.

    sslh is used for port multiplexing, or in other words like @bsdguy said, use one port for multiple protocols.

    I run apache with owncloud on the server which I access and would like to access from anywhere. Using ssl is easy with Lets Encrypt. It just adds a little bit of more security feel.

    On the other hand, I sometimes have to break through my work firewall, so using 443 port as SSH allows me to have a ssh tunnel.

    On the other hand, I wanted to have a contained VPN in between some of my VPSs, I just added two more servers to the VPN - mine and my brothers. So these servers (10.8.1.0/16 network) is just a layer in between our networks. Here comes the NAT forwarding. And it works great on brothers side, because he does not need mangle rules in the iptables. On my side, when I run the MASQUERADE rule, it breaks the mangle rules and then my port multiplexing does not work anymore. But then NAT forwarding works and he can access windows share easily.

    I hope I now answered the reasons behind.

  • nullnotherenullnothere Member

    @MrEd said: On my side, when I run the MASQUERADE rule, it breaks the mangle rules

    Since you only need the MASQUERADE for the Windows machine, you can presumably limit the rule to only apply to the VPN (outgoing) interface. Does that solve your problem?

    iptables -t nat -A POSTROUTING -o peervpn0 -j MASQUERADE

    Also, you could probably use SNAT since your VPN configuration has a static IP (again thereby limiting the rule only to the Windows machine's destination IP and the remove VPN end point source IP).

    Hopefully this will help you at least try out a few configs and sort it out based on whichever works best.

  • MrEdMrEd Member

    With ideas from some friends I finally got the result I was looking for:
    change the last MASQUERADE rule to
    iptables -t nat -A POSTROUTING -s 10.8.1.4/16 -o eth0 -j MASQUERADE

    It only applies to NAT and is limited to network and interface. In this case it does not mess with other rules.

Sign In or Register to comment.