linux – SNAT and DNAT iptables on the same incoming packet

Is it possible to SNAT and DNAT on the same incoming packet?

iptables -t nat -A PREROUTING -d  --dport  -j SNAT --to 
iptables -t nat -A PREROUTING -d  --dport  -j DNAT --to 

Do the above rules SNAT and DNAT the same packet? If not, what is the way to achieve it? An example would be very useful. Thank you!

linux – iptables – where are they generated or loaded in the boot sequence?

I can't understand how iptables is loaded at startup on a centos7.7 system.
iptables-services is not installed. I am aware of the switch to firewalld, but I want to know how the kernel ends up with its iptables rules.

The important thing for me is that the FORWARD chain has a rejection rule from anywhere:

REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

which rejects all packets that are not explicitly matched by the previous rules:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.100.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.100.0/24     anywhere
...
ACCEPT     all  --  anywhere             192.168.101.0/24
ACCEPT     all  --  192.168.101.0/24     anywhere

It's pretty easy to fix – I just run this:

iptables -I FORWARD 2 -j ACCEPT -s 192.168.0.0/16

But I would like to know how these rules are loaded – and if possible, how to modify this process.

Grepping recursively in /etc/systemd and in /usr/lib/systemd for iptables returns nothing. I have come to the conclusion that the kernel decides on a default set of rules at startup, based on the network configuration (I disabled NetworkManager). Nothing in the rc.d hierarchy. Does the kernel say "aha, I have these interfaces, I will allow forwarding between them"?

I have experimented, rebooted several times (in fact, a virtual machine might be a better platform for experimenting, it seems to me), I have read the manual page for iptables and various Internet resources, which mainly say how to load the rules you want, usually using iptables-services. I am willing to create the rules I want, but I don't know where the default rules are created.

There is also nothing referring to iptables in /etc/sysconfig/network-scripts.
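The practical question behind the post is where a new rule has to go relative to the catch-all REJECT, since anything appended after a rule that matches every packet is dead code. The following added example (not from the original post) parses an `iptables -L FORWARD` listing in the same column layout the questioner pasted and reports which rules are unreachable and at which position `iptables -I FORWARD <pos>` should insert. The listing is a constructed sample modelled on the question, with the REJECT rules placed in the middle so that shadowing is visible.

```python
"""Audit an `iptables -L FORWARD` listing for unreachable (shadowed) rules.

Added example, not from the original post. Column names follow `iptables -L`
without -n, where 'anywhere' stands for 0.0.0.0/0.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the questioner's listing.
SAMPLE_LISTING = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.100.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.100.0/24     anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.101.0/24
ACCEPT     all  --  192.168.101.0/24     anywhere
"""

# Targets that end evaluation of the chain for a matching packet.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str
    prot: str
    source: str
    destination: str
    extra: str  # trailing match or target options, possibly empty


def parse_listing(text):
    """Parse the rule lines of one chain; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Chain ") or line.startswith("target "):
            continue
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        target, prot, _opt, src, dst = parts[:5]
        extra = parts[5].strip() if len(parts) == 6 else ""
        rules.append(Rule(target, prot, src, dst, extra))
    return rules


def is_catch_all(rule):
    """True if the rule matches every packet.

    'reject-with ...' is a target option, not a match, so it does not narrow
    the rule; anything else in the trailing column (ctstate, dpt, ...) does.
    """
    matches = re.sub(r"reject-with \S+", "", rule.extra).strip()
    return (rule.prot == "all" and rule.source == "anywhere"
            and rule.destination == "anywhere" and matches == "")


def insert_position(rules):
    """1-based position for `iptables -I FORWARD <pos>` so a new rule is
    evaluated before the first catch-all terminal rule."""
    for i, rule in enumerate(rules):
        if rule.target in TERMINAL and is_catch_all(rule):
            return i + 1
    return len(rules) + 1


def shadowed_rules(rules):
    """1-based positions of rules that can never match."""
    pos = insert_position(rules)
    return list(range(pos + 1, len(rules) + 1))


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    print("insert new rules at position", insert_position(rules))
    print("unreachable rule positions:", shadowed_rules(rules))
```

Running it on the sample reports position 3 for the insert and rules 4 to 6 as unreachable; on a live box, feed it `iptables -L FORWARD` output instead of the constant.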

Given just an IP address, calculate an iptables DROP statement

I have a serious brain block to understand this topic.

The short story.

I log bot access to a server with 500 domains.
For example, many bots probe for WordPress sites.
I log whenever I generate a 404; I have thousands a day.
I generate a report of the top offenders with the IP address from $_SERVER['REMOTE_ADDR'] and I want to block them.
I know bots can change the address they use, but I'm guided by this principle: even the weakest link in your set of security tools could be useful.

The fields of my log are as follows:

DateStamp, 404, an indicator I use for further analysis, URL_String, the constant SERVER_NAME, URL, the constant "remote ip", BAD_IP from $_SERVER['REMOTE_ADDR']

Example log report entries:

2020-03-02 00:09:24,404,1,Wp-content/plugins,SERVER_NAME,ablog1.com,remote ip,163.172.116.48
2020-03-02 00:09:48,404,1,page,SERVER_NAME,www.abloganother.com,remote ip,5.9.77.102
2020-03-02 00:09:50,404,1,Wp-loginphp/index,SERVER_NAME,athirdblogcom,remote ip,165.227.7.157

I want to generate iptables rules for the worst offenders.

Example

iptables -A INPUT -s 163.172.116.48/24 -j DROP
iptables -A INPUT -s 5.9.77.102/24 -j DROP
iptables -A INPUT -s 165.227.7.157/24 -j DROP

The /24 is just a guess. I want to know a PHP function, or another set of functions that I can call, to generate the CIDR for a given IP address.

However, I cannot really understand what CIDR represents.
I looked at iptab and ipcalc. I looked at tools like this: http://www.subnet-calculator.com/

I'm still confused.

1) One option I have is to generate the CIDR when I log the 404.
If I knew how to write the calculations for the CIDR,
I would just calculate it by writing a function called calc_CIDR($_SERVER['REMOTE_ADDR']);

2) I would gladly use any other calculation program, function, etc.

But alas, I don't even know how to validate it. Here's a snippet where I write to the log when I serve a 404:

if ($log_error)
{
    // $page comes from the request, so strip the CSV separator and line breaks
    // before writing it, or a crafted URL can forge extra log records
    $safe_page = str_replace(array(",", "\r", "\n"), '_', $page);
    if (!empty($page)) {
        $msg1 = date('Y-m-d H:i:s') . ',404,1,' . $safe_page . ',SERVER_NAME,' . $_SERVER['SERVER_NAME'] . ',remote ip,' . (string)$_SERVER['REMOTE_ADDR'];
        if (!error_log($msg1 . "\n", 3, $The404s)) {
            log_message('debug', "error_log failed " . $The404s);
        }
    } else {
        $msg2 = date('Y-m-d H:i:s') . ',404,2,page not set,SERVER_NAME,' . $_SERVER['SERVER_NAME'] . ',remote ip,' . (string)$_SERVER['REMOTE_ADDR'];
        if (!error_log($msg2 . "\n", 3, $The404s)) {
            log_message('debug', "error_log failed " . $The404s);
        }
    }
}

I am 66 years old, I started to program on IBM mainframes. I have written UNIX daemons and Windows DLLs, but I have never had to understand Internet addressing.

My best guess is that I could use https://www.php.net/manual/en/function.ip2long.php, but, like I said, I don't know how to validate my results

Anything you could tell me would be helpful.

I wrote my first program in 15 minutes. It took me 3 hours to get it working.
I wrote my first BASH script in 5 minutes. It took me a day to find out that I had to put a . (period) in front to have it executed.
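What the questioner is missing is that a prefix length is a choice, not something that can be computed from a single address: /32 is exactly one host, /24 is the 256 addresses that share the first three octets, and so on. The following added example (not the questioner's PHP; it is written in Python using only the standard library) reads the log format from the question, counts 404s per remote address, refuses anything in the IP field that does not parse, shows how many addresses a given prefix would sweep up, and emits one /32 DROP rule per offender. The five log lines are constructed sample data built from the three in the question; the threshold of two hits is an arbitrary assumption.

```python
"""Turn the questioner's 404 log into host-precise iptables DROP rules.

Added example, not from the original post. Field layout, from the question:
date,404,flag,url,SERVER_NAME,host,"remote ip",ip
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample: the three lines from the question plus a repeat offender
# and a deliberately malformed address.
SAMPLE_LOG = """\
2020-03-02 00:09:24,404,1,Wp-content/plugins,SERVER_NAME,ablog1.com,remote ip,163.172.116.48
2020-03-02 00:09:48,404,1,page,SERVER_NAME,www.abloganother.com,remote ip,5.9.77.102
2020-03-02 00:09:50,404,1,Wp-loginphp/index,SERVER_NAME,athirdblogcom,remote ip,165.227.7.157
2020-03-02 00:10:02,404,1,Wp-login.php,SERVER_NAME,ablog1.com,remote ip,163.172.116.48
2020-03-02 00:10:09,404,1,xmlrpc.php,SERVER_NAME,ablog1.com,remote ip,not-an-ip
"""


def count_offenders(log_text):
    """Count 404s per valid remote address; malformed fields are skipped."""
    hits = Counter()
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 8 or row[1] != "404":
            continue
        try:
            ip = ipaddress.ip_address(row[7].strip())
        except ValueError:
            continue  # garbage in the IP field must never become a firewall rule
        hits[str(ip)] += 1
    return hits


def host_cidr(ip):
    """The CIDR matching exactly one address: /32 for IPv4, /128 for IPv6."""
    addr = ipaddress.ip_address(ip)
    return f"{addr}/{addr.max_prefixlen}"


def collateral(ip, prefixlen):
    """Number of addresses a /prefixlen rule around `ip` would block.

    strict=False lets ipaddress round the host down to its network address,
    which is what iptables does with `-s 163.172.116.48/24` as well."""
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    return net.num_addresses


def drop_rules(hits, threshold=2, chain="INPUT"):
    """One /32 DROP rule per address with at least `threshold` 404s,
    worst offender first."""
    return [f"iptables -A {chain} -s {host_cidr(ip)} -j DROP"
            for ip, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    hits = count_offenders(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} hits, a /24 around it would block {collateral(ip, 24)} addresses")
    for rule in drop_rules(hits):
        print(rule)
```

With the sample, only 163.172.116.48 crosses the threshold and the generated rule is `iptables -A INPUT -s 163.172.116.48/32 -j DROP`; `collateral("163.172.116.48", 24)` returns 256, which is the whole neighbouring block that the guessed /24 would have taken down with it.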

iptables – Configuration to choose the hardware interface for a request?

I have a Linux machine (OS Debian 10), with 3 hardware interfaces connected to the Internet, 2 being USB modems: ifconfig gives -> https://termbin.com/st3r

wlan0 is the default interface here. When I try `curl --interface ppp1 ifconfig.me` or `curl --interface ppp0 ifconfig.me`, the request times out. With sudo, `sudo curl --interface ppp1 ifconfig.` gives me an answer, but the equivalent for ppp0 times out. What are the right routing rules to add to be able to select the hardware interface to route through?

Current routing rules: https://termbin.com/wi9b

vpn – Openvpn Limit LAN access with (client-config-dir) & iptables

I have a VPC network running on AWS and I have configured an OpenVPN server to connect to the local machines behind the VPC. However, I would like to restrict LAN access by client.

+---------+             +---------+
| client1 |             | client2 |
+---------+             +---------+
          \             /
            +---------+
            | server  |
            +---------+
                 |
            +---------+
            |   vpc   |
            +---------+
                 |
            +---------+
            |  local  |
            +---------+

+--------------------------+
| VPC  | subnet  | region  |
+------+---------+---------+
| vpc0 | 10.0/16 | region0 |
+------+---------+---------+

With my current OpenVPN configuration, I can connect to all the instances behind the VPC. However, I need client1 to be able to access only the machine 10.10.0.118 and client2 only the machine 10.10.0.222. I played with the ccd directive and iptables but can't wrap my head around it.

My Openvpn server.conf

port 1194

proto udp

dev tun0

ca ca.crt
cert server.crt
key server.key 
dh dh2048.pem
topology subnet

server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
push "redirect-gateway def1"
push "redirect-gateway def1 bypass-dhcp"

push "route 10.10.0.0 255.255.255.0"

ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
#client-to-client
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3

Routing table for server

0.0.0.0         10.10.1.1       0.0.0.0         UG        0 0          0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.10.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.1.1       0.0.0.0         255.255.255.255 UH        0 0          0 eth0

CCD FOR CLIENT

push-reset
ifconfig-push 10.8.0.2 255.255.0.0
iroute 10.10.0.0 255.255.0.0


IPTABLES FOR CLIENT

iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.10.0.118 -j ACCEPT

My client.ovpn connects to the server, but I cannot ping or ssh to 10.10.0.118. Without the ccd directive I can. If anyone can point me in the right direction, it would be much appreciated.
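Two things are worth checking mechanically in a setup like this: that each `ifconfig-push` in the ccd file lies inside the pool declared by `server` and uses the same netmask (with `topology subnet` the client takes the pushed mask literally), and that `iroute` is not being used as an access control, since it only tells the server that a network sits behind that client. Per-client restriction then belongs in the FORWARD chain, keyed on the client's static VPN address. The following added example (not part of the original post) lints the ccd snippet from the question against the `server` line and generates the FORWARD rules for a mapping of VPN address to permitted LAN host. The reduced server.conf and ccd texts are taken from the question; the address 10.8.0.3 for client2, the `conntrack` match and the final REJECT are assumptions.

```python
"""Lint an OpenVPN client-config-dir entry and emit per-client FORWARD rules.

Added example, not from the original post. Inputs are reduced copies of the
questioner's server.conf and ccd file.
"""
import ipaddress

SERVER_CONF = """\
port 1194
proto udp
dev tun0
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
push "route 10.10.0.0 255.255.255.0"
"""

# The ccd file as posted in the question.
CCD_CLIENT1 = """\
push-reset
ifconfig-push 10.8.0.2 255.255.0.0
iroute 10.10.0.0 255.255.0.0
"""

# Constructed corrected ccd: same pool, same mask, no iroute.
CCD_CLIENT1_FIXED = """\
push-reset
ifconfig-push 10.8.0.2 255.255.255.0
"""


def vpn_subnet(server_conf):
    """Return the VPN pool declared by the `server` directive."""
    for line in server_conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
    raise ValueError("no 'server' directive found")


def lint_ccd(ccd_text, subnet):
    """Return a list of problems found in a ccd file; empty means clean."""
    problems = []
    for line in ccd_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ifconfig-push" and len(parts) == 3:
            addr = ipaddress.ip_address(parts[1])
            pushed = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            if addr not in subnet:
                problems.append(f"ifconfig-push {addr} is outside the VPN pool {subnet}")
            if pushed.netmask != subnet.netmask:
                problems.append(f"ifconfig-push mask {parts[2]} differs from the "
                                f"server mask {subnet.netmask}")
        elif parts[0] == "iroute":
            # iroute declares a network *behind* the client; it grants nothing
            # and restricts nothing on the server side.
            problems.append(f"iroute {' '.join(parts[1:])} declares a LAN behind this "
                            "client; restrict what a client may reach with firewall rules")
    return problems


def client_forward_rules(acl, vpn_if="tun0"):
    """acl maps a client's static VPN address to the single LAN host it may reach.

    Default-deny, allow replies via conntrack, one ACCEPT per client/host pair,
    then REJECT anything else arriving from the tunnel.
    """
    rules = ["iptables -P FORWARD DROP",
             f"iptables -A FORWARD -o {vpn_if} -m conntrack "
             "--ctstate RELATED,ESTABLISHED -j ACCEPT"]
    for client_ip, host in acl.items():
        rules.append(f"iptables -A FORWARD -i {vpn_if} -s {client_ip}/32 -d {host}/32 -j ACCEPT")
    rules.append(f"iptables -A FORWARD -i {vpn_if} -j REJECT")
    return rules


if __name__ == "__main__":
    pool = vpn_subnet(SERVER_CONF)
    for problem in lint_ccd(CCD_CLIENT1, pool):
        print("ccd:", problem)
    for rule in client_forward_rules({"10.8.0.2": "10.10.0.118", "10.8.0.3": "10.10.0.222"}):
        print(rule)
```

Run against the posted ccd it flags the 255.255.0.0 mask and the `iroute` line; the corrected ccd passes clean, and the generated rules give each client exactly one reachable host while still letting replies back through.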

networking – Add iptables programmatically using Java for port forwarding

Is there a method (using the java.net package or a protocol) that could be used by a Java-based client application on the intranet to map a port on the residential gateway's iptables (router) to allow access from the Internet? I noticed that a chat application could automatically add a range of ports to the router for port forwarding. I don't know whether a pure Java application could do this or not. Or should you use libiptc + JNI to perform this function?

linux networking – FORWARD and nat iptables with certain ports

I want to limit eno1 to Internet services (like 80, 443).
The setting below is OK for all services.

iptables -P FORWARD DROP

iptables -A FORWARD -i eno1 -o ppp0 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eno1 -m state --state ESTABLISHED,RELATED   -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o ppp0 -j MASQUERADE


I want something like this:

iptables -A FORWARD -p tcp -i eno1 -o ppp0  -m multiport  --dports 80,443,53 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eno1 -m state --state ESTABLISHED,RELATED   -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o ppp0 -j MASQUERADE

but it is not working. How could I do this?

iptables v1.8.2 (nf_tables): failure of RULE_APPEND (invalid argument): rule in the chain OUTPUT

On Debian 10, trying to apply the following iptables rules:

ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100


iptables -t mangle -N V2RAY
iptables -t mangle -A V2RAY -d 127.0.0.1/32 -j RETURN
iptables -t mangle -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A V2RAY -d 192.168.0.0/16 -p tcp -j RETURN 
iptables -t mangle -A V2RAY -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN 
iptables -t mangle -A V2RAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1 
iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1 
iptables -t mangle -A PREROUTING -j V2RAY 


iptables -t mangle -N V2RAY_MASK
iptables -t mangle -A V2RAY_MASK -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p tcp -j RETURN 
iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN 
iptables -t mangle -A V2RAY_MASK -j RETURN -m mark --mark 0xff   
iptables -t mangle -A V2RAY_MASK -p udp -j MARK --set-mark 1  
iptables -t mangle -A V2RAY_MASK -p tcp -j MARK --set-mark 1   
iptables -t mangle -A OUTPUT -j V2RAY_MASK

but the last rule fails with an error:

 iptables v1.8.2 (nf_tables):  RULE_APPEND failed (Invalid argument): rule in chain OUTPUT

iptables – Automated input of variables?

I currently use -j DROP in my Linux-based router commands to keep international spammers out of my Windows Server 2016 server, and I would like to block entire countries where spammers are from (I'm aware of the impact on the response time it will have). Since my server is region specific anyway, no one outside of the United States needs to access it. Here is an example of what is in my command page on my router:

iptables -I FORWARD -s 218.0.0.0/8 -j DROP
iptables -I FORWARD -s 112.0.0.0/8 -j DROP
iptables -I FORWARD -s 59.0.0.0/8 -j DROP
iptables -I FORWARD -s 58.22.0.0/15 -j DROP
iptables -I FORWARD -s 208.88.96.0/21 -j DROP
iptables -I FORWARD -s 117.0.0.0/8 -j DROP
iptables -I FORWARD -s 125.0.0.0/8 -j DROP
iptables -I FORWARD -s 192.245.43.0/24 -j DROP
iptables -I FORWARD -s 121.0.0.0/8 -j DROP
iptables -I FORWARD -s 124.0.0.0/8 -j DROP
iptables -I FORWARD -s 123.0.0.0/8 -j DROP
iptables -I FORWARD -s 122.0.0.0/8 -j DROP
iptables -I FORWARD -s 116.0.0.0/8 -j DROP
iptables -I FORWARD -s 113.0.0.0/8 -j DROP

China alone has more than 8,000 IP ranges that I would like to add, but I don't want to have to manually create each line with the applicable ranges. Is there a type of script or website where I can just paste a list of all 8000+ CIDR ranges and have it create the commands to copy and paste into my router? I have to believe that there is a way to automate this redundant coding.
Thank you!
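Generating one `iptables -I FORWARD` line per pasted range is easy, but 8000 individual rules are walked one by one for every forwarded packet, which is where the response-time cost the questioner mentions comes from. The following added example (not from the original post, and going a step beyond it) validates the pasted list, collapses duplicates, sub-ranges and adjacent blocks into the minimal set of networks, and emits `ipset` commands so the whole list becomes a single hash lookup behind one iptables rule. The pasted ranges are the ones from the question plus a duplicate, a sub-range and a junk line as constructed input; the set name `blocklist` is an assumption.

```python
"""Compact a pasted CIDR block list and emit ipset + iptables commands.

Added example, not from the original post. Standard library only.
"""
import ipaddress

# Constructed input: the question's ranges, then a duplicate, a sub-range
# of 58.22.0.0/15, and a line that is not a network at all.
PASTED = """\
218.0.0.0/8
112.0.0.0/8
59.0.0.0/8
58.22.0.0/15
208.88.96.0/21
117.0.0.0/8
125.0.0.0/8
192.245.43.0/24
121.0.0.0/8
124.0.0.0/8
123.0.0.0/8
122.0.0.0/8
116.0.0.0/8
113.0.0.0/8
59.0.0.0/8
58.22.0.0/16
garbage-line
"""


def parse_ranges(text):
    """Parse one CIDR per line; returns (networks, rejected_lines).

    Rejected lines are reported rather than silently dropped so a typo in a
    pasted list does not quietly leave a hole in the block list."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return nets, rejected


def compact(nets):
    """Merge duplicates, contained ranges and adjacent aligned blocks
    (e.g. 112.0.0.0/8 + 113.0.0.0/8 -> 112.0.0.0/7)."""
    return list(ipaddress.collapse_addresses(nets))


def ipset_commands(nets, setname="blocklist", chain="FORWARD"):
    """Create the set, load every network, and attach it with one rule."""
    cmds = [f"ipset create {setname} hash:net -exist"]
    cmds += [f"ipset add {setname} {net} -exist" for net in nets]
    cmds.append(f"iptables -I {chain} -m set --match-set {setname} src -j DROP")
    return cmds


if __name__ == "__main__":
    nets, rejected = parse_ranges(PASTED)
    for line in rejected:
        print("skipped (not a network):", line)
    merged = compact(nets)
    print(f"{len(nets)} ranges collapsed to {len(merged)}")
    print("\n".join(ipset_commands(merged)))
```

On the sample, sixteen valid ranges collapse to ten networks and the junk line is reported; the same code handles an 8000-line paste, and a `-exist` on each `ipset add` makes the generated script safe to re-run.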

autodiscovery – Blocking autodiscover.xml with iptables does not work

I am trying to block all autodiscover.xml requests to our server using iptables. Here's what I've entered so far, but they don't work. See the following log. Requests keep coming.

iptables -I INPUT -p tcp --dport 80 -m string --string "POST /autodiscover" --algo bm -j DROP
iptables -I INPUT -p tcp --dport 443 -m string --string "POST /autodiscover" --algo bm -j DROP

These show up at the top of the INPUT chain:

DROP       tcp  --  anywhere             anywhere             tcp dpt:http STRING match  "POST /autodiscover" ALGO name bm TO 65535
DROP       tcp  --  anywhere             anywhere             tcp dpt:https STRING match  "POST /autodiscover" ALGO name bm TO 65535

However, I still see the requests in the Apache log.

(09/Jan/2020:17:04:31 -0500) "POST /autodiscover/autodiscover.xml HTTP/1.1" 403 3668 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.6701; Pro)"
(09/Jan/2020:17:12:59 -0500) "POST /autodiscover/autodiscover.xml HTTP/1.1" 403 3668 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.6701; Pro)"