All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
iptables help needed
Hi everyone. I am a bit confused with iptables and would like someone with better knowledge to help me if possible. As with foreign language, it usually is - you can read/understand, but you can't write/say something, so the same goes with the iptables for me
I have a home server and for ability to connect to it from my work I use port multiplexing on port 443 (sslh to be short). I already asked in sslh github (https://github.com/yrutschle/sslh/issues/134) for help, but noone seams to react, so maybe LET will have some talented guys
Will repeat the information here for someone if e.g. github repository would be deleted and someone comes from google with similar problem.
My /etc/sslh.cfg looks like this:
verbose: false; foreground: false; inetd: false; numeric: false; transparent: true; timeout: "2"; user: "nobody"; pidfile: "/var/run/sslh.pid"; listen: ( { host: "0.0.0.0"; port: "4443"; }, { host: "0.0.0.0"; port: "4080"; } ); protocols: ( { name: "ssh"; service: "ssh"; host: "192.168.1.202"; port: "222"; }, { name: "http"; host: "192.168.1.202"; port: "8080"; }, { name: "ssl"; host: "192.168.1.202"; port: "8443"; }, { name: "anyprot"; host: "192.168.1.202"; port: "8443"; } );
The transparent mode means that apache or sshd sees external IP and not internal as the source of connection. For this to work there is a block of iptables (documented in sslh):
iptables -t mangle -N SSLH iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 222 --jump SSLH iptables -t mangle -A OUTPUT --protocol tcp --out-interface eth0 --sport 8443 --jump SSLH iptables -t mangle -A SSLH --jump MARK --set-mark 0x1 iptables -t mangle -A SSLH --jump ACCEPT ip rule add fwmark 0x1 lookup 100 ip route add local 0.0.0.0/0 dev lo table 100
This works perfectly. But then I connected mine server with my brothers home server, and wanted to have a windows share on my PC to be accessable on his. For the connection I used peervpn, but I guess this does not matter, whatever VPN method would be used, the result would be the same.
The windows share is on 192.168.1.200 and my server is on 192.168.1.202. The vpn network is 10.8.1.0/16, and my servers IP address is 10.8.1.4. My brothers is 10.8.1.10.
ifconfig (if interested):
eth0 Link encap:Ethernet HWaddr 52:54:00:a7:bb:01 inet addr:192.168.1.202 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::5054:ff:fea7:bb01/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:7364 errors:0 dropped:0 overruns:0 frame:0 TX packets:2984 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:2218654 (2.2 MB) TX bytes:637484 (637.4 KB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:1912 errors:0 dropped:0 overruns:0 frame:0 TX packets:1912 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:197908 (197.9 KB) TX bytes:197908 (197.9 KB) peervpn0 Link encap:Ethernet HWaddr 06:34:20:3d:f9:e6 inet addr:10.8.1.4 Bcast:10.8.255.255 Mask:255.255.0.0 inet6 addr: fe80::434:20ff:fe3d:f9e6/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:27 errors:0 dropped:0 overruns:0 frame:0 TX packets:22 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:500 RX bytes:1799 (1.7 KB) TX bytes:1356 (1.3 KB)
For windows share to be nat'ed iptables looks like this:
iptables -t nat -A PREROUTING -p udp --dport 137 -m conntrack --ctstate NEW -j DNAT --to 192.168.1.200:137 iptables -t nat -A PREROUTING -p udp --dport 138 -m conntrack --ctstate NEW -j DNAT --to 192.168.1.200:138 iptables -t nat -A PREROUTING -p tcp --dport 139 -m conntrack --ctstate NEW -j DNAT --to 192.168.1.200:139 iptables -t nat -A PREROUTING -p tcp --dport 445 -m conntrack --ctstate NEW -j DNAT --to 192.168.1.200:445 iptables -t nat -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A POSTROUTING -t nat -j MASQUERADE
On the brothers server windows share iptables looks the same but the IP is not 192.168.1.200 but 10.8.1.4.
Both iptables blocks separately works great, but when combined together, the iptables -A POSTROUTING -t nat -j MASQUERADE
messes sslh part and I am not able to connect to my server anymore.
How should I change it so I would still have possibility to connect to my server through sslh and still have the windows share nat'ed?
Thanks in advance.
Comments
I don't know sslh and I don't care nor do I know a lot or care about windows so my engagement here will be low.
What I see, however, is that you got things mixed up. A VPN answers the question "How to connect a remote PC and make it look as if it was on the local LAN", that sslh thingy, however, seems to answer the question "How can I use one port for multiple protocols (typically ssl/tls based ones it seems)".
As you and your brother probably don't run diverse public faced servers on your home networks I wonder why you complicate things using sslh in the first place. Also note that you can access brothers, say, home httpd via vpn.
First things first.
sslh is used for port multiplexing, or in other words like @bsdguy said, use one port for multiple protocols.
I run apache with owncloud on the server which I access and would like to access from anywhere. Using ssl is easy with Lets Encrypt. It just adds a little bit of more security feel.
On the other hand, I sometimes have to break through my work firewall, so using 443 port as SSH allows me to have a ssh tunnel.
On the other hand, I wanted to have a contained VPN in between some of my VPSs, I just added two more servers to the VPN - mine and my brothers. So these servers (10.8.1.0/16 network) is just a layer in between our networks. Here comes the NAT forwarding. And it works great on brothers side, because he does not need mangle rules in the iptables. On my side, when I run the MASQUERADE rule, it breaks the mangle rules and then my port multiplexing does not work anymore. But then NAT forwarding works and he can access windows share easily.
I hope I now answered the reasons behind.
Since you only need the MASQUERADE for the Windows machine, you can presumably limit the rule to only apply to the VPN (outgoing) interface. Does that solve your problem?
iptables -t nat -A POSTROUTING -o peervpn0 -j MASQUERADE
Also, you could probably use SNAT since your VPN configuration has a static IP (again thereby limiting the rule only to the Windows machine's destination IP and the remove VPN end point source IP).
Hopefully this will help you at least try out a few configs and sort it out based on whichever works best.
With ideas from some friends I finally got the result I was looking for:
change the last MASQUERADE rule to
iptables -t nat -A POSTROUTING -s 10.8.1.4/16 -o eth0 -j MASQUERADE
It only applies to NAT and is limited to network and interface. In this case it does not mess with other rules.