Docker and NAT to LAN on the same computer with iptables

I'm using iptables on my lab server (Ubuntu 18.04) to perform NAT for the other devices on my network:

-t nat -A PREROUTING -i eno1 -p tcp -m tcp --dport 23 -j DNAT --to-destination 10.0.1.2:22
-t nat -A POSTROUTING -o eno1 -j MASQUERADE

-A FORWARD -s 10.0.0.0/24 -i eno2 -o eno1 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.1.2 -p tcp -m tcp --dport 22 -j ACCEPT

In the past this worked well, but it broke when I installed Docker. This is certainly due to Docker rewriting all my iptables rules. By default, some of my rules survive:

% sudo iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 257 packets, 36440 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6  1384 DNAT       tcp  --  eno1   any     anywhere             anywhere             tcp dpt:telnet to:10.0.1.2:22
  133  8676 DOCKER     all  --  any    any     anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 122 packets, 8474 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 42 packets, 3008 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  any    any     anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 21 packets, 2395 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  any   !docker0  172.17.0.0/16        anywhere
    0     0 MASQUERADE all  --  any   !br-643d6580203c  172.18.0.0/16  anywhere
   39  2900 MASQUERADE all  --  any    eno1    anywhere             anywhere
    0     0 MASQUERADE tcp  --  any    any     172.18.0.2           172.18.0.2           tcp dpt:8443

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 any    anywhere             anywhere
    0     0 RETURN     all  --  br-643d6580203c any  anywhere       anywhere
    0     0 DNAT       tcp  -- !br-643d6580203c any  anywhere       anywhere             tcp dpt:https to:172.18.0.2:8443

% sudo iptables -v -L
Chain INPUT (policy ACCEPT 600 packets, 44910 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 135 packets, 27966 bytes)
 pkts bytes target     prot opt in     out     source               destination
  176 32752 DOCKER-USER  all  --  any    any     anywhere             anywhere
  176 32752 DOCKER-ISOLATION-STAGE-1  all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    docker0  anywhere            anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    docker0  anywhere            anywhere
    0     0 ACCEPT     all  --  docker0 !docker0  anywhere          anywhere
    0     0 ACCEPT     all  --  docker0 docker0  anywhere           anywhere
    0     0 ACCEPT     all  --  any    br-643d6580203c  anywhere    anywhere             ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  any    br-643d6580203c  anywhere    anywhere
    0     0 ACCEPT     all  --  br-643d6580203c !br-643d6580203c  anywhere  anywhere
    0     0 ACCEPT     all  --  br-643d6580203c br-643d6580203c  anywhere   anywhere
    0     0 ACCEPT     all  --  eno2   eno1    10.0.0.0/24          anywhere             ctstate NEW
   23  2682 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    6  1384 ACCEPT     tcp  --  any    any     anywhere             10.0.1.2             tcp dpt:ssh

Chain OUTPUT (policy ACCEPT 505 packets, 66607 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  -- !br-643d6580203c br-643d6580203c  anywhere  172.18.0.2   tcp dpt:8443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  anywhere  anywhere
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-643d6580203c !br-643d6580203c  anywhere  anywhere
  176 32752 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    docker0  anywhere            anywhere
    0     0 DROP       all  --  any    br-643d6580203c  anywhere    anywhere
  176 32752 RETURN     all  --  any    any     anywhere             anywhere

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
  176 32752 RETURN     all  --  any    any     anywhere             anywhere

For example, static routes work. I can still reach my workstation at 10.0.1.2 on port 22, but that same machine cannot get out. Looking at the server's outgoing traffic, it looks like a ping does not even go out, let alone get a reply.

I've just tried adding my rules on top of the running Docker instance, but that did not work. The Docker documentation suggests placing rules in the DOCKER-USER chain, although that chain does not exist in the nat table. The Docker documentation also suggests that I can simply disable Docker's iptables manipulation, although I do not know how I would then manually route traffic to the containers.

Honestly, I do not know enough about Docker's rules. Has anyone gotten this working?

split tunnel – Why is my port not open even though it has been configured in iptables?

I am setting up a split-tunnel VPN on my Raspberry Pi and want to make sure that no incoming traffic is accepted on my VPN interface (tun0), except on the one port that I open explicitly: 56292. I use iptables for this and, although everything looks right to me, I cannot get through the firewall.

My iptables -L -nv looks like this:

Chain OUTPUT (policy ACCEPT 4703 packets, 666K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5342 2010K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            owner UID match 1001
    0     0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            owner UID match 1001
29083 5023K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 REJECT     all  --  *      eth0   !192.168.2.50         0.0.0.0/0            reject-with icmp-port-unreachable

Is this enough to see what kind of mistake I made?

routing – iptables: ipset filtering alongside existing forwarding rules

I followed a guide to set up a Raspberry Pi that connects to a VPN and then NATs my local network's traffic through the VPN in order to protect it.

I also use it for DNS filtering (adblocking).

Domain filtering does not block IP addresses that I do not like, so I am trying to learn about ipsets in order to block communication with large areas of the Internet.

Currently, my script for doing all this looks like this:

iptables -F

ipset restore < /etc/ipset-blacklist/ip-blacklist.restore

iptables -I INPUT 1 -m set --match-set blacklist src -j DROP
iptables -I FORWARD -m set --match-set blacklist src -j DROP
iptables -I OUTPUT -m set --match-set blacklist src -j DROP

iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -L

It works!

But I do not understand why, and I do not think I need the three blacklist rules for INPUT, FORWARD and OUTPUT. I feel I have a result that works for the wrong reasons, and without understanding it.

Can someone wiser than me see what I am trying to do, what I have accomplished and where I have gone wrong, please?

Also, what is the "1" for in this line:

iptables -I INPUT 1 -m set --match-set blacklist src -j DROP

This is the goal, which is already partly achieved:
LAN lens

linux – How to use iptables to rewrite DNS queries passing through a WireGuard VPN?

I have a WireGuard VPN server that I had to rebuild. The old server had an internal DNS server running on a virtual interface, 172.16.0.1. Since I do not really need my own DNS, can I use iptables to intercept DNS queries to 172.16.0.1 and send them to 1.1.1.1 instead?

Here are my PostUp/PostDown rules in WireGuard:

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

linux – How can iptables have both (ACCEPT, all, anywhere, anywhere) and (DROP, all, anywhere, anywhere) in its INPUT chain?

How can iptables have both (ACCEPT, all, anywhere, anywhere) and (DROP, all, anywhere, anywhere) in its INPUT chain?

What does it mean for iptables to have rules that both ACCEPT and DROP all traffic in its INPUT chain, with a default policy of DROP?

In this case, will the traffic actually be accepted or dropped? I see that specific rules exist for ssh and http, so would they naturally take precedence because they are more specific?

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh ctstate ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:http ctstate ESTABLISHED
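The Docker FORWARD chain in the first post and the INPUT chain here come down to the same mechanism: iptables walks a chain top to bottom, the first terminal match (ACCEPT or DROP) wins, a jump into a user chain such as DOCKER-USER that ends in RETURN simply continues in the caller, and a packet that matches nothing gets the chain's policy. The evaluator below is an added example, not code from either post; it models the two listings with constructed packets (TEST-NET addresses) and encodes two checks worth making: Docker sets the FORWARD policy to DROP, so a rule placed in DOCKER-USER (a chain that exists only in the filter table) or one that covers the 10.0.1.0/24 source is what lets 10.0.1.2 out again, and `iptables -L` without `-v` hides the in/out columns, so `iptables -L -v` or `iptables-save` is needed to see whether the first "ACCEPT all anywhere anywhere" really carries an `-i lo` match.

```python
import ipaddress

def _match(rule, pkt):
    # Keys absent from the rule match anything; a leading "!" negates, as in "!docker0".
    for key in ("in", "out", "proto", "dport"):
        want = rule.get(key)
        if want is not None and (pkt.get(key) == want.lstrip("!")) == want.startswith("!"):
            return False
    if "ctstate" in rule and pkt["ctstate"] not in rule["ctstate"]:
        return False
    return all(ipaddress.ip_address(pkt[k]) in ipaddress.ip_network(rule[k])
               for k in ("src", "dst") if k in rule)

def _walk(chains, name, pkt):
    for rule in chains[name]["rules"]:
        if not _match(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None                      # back to the calling chain
        result = _walk(chains, target, pkt)  # jump into a user-defined chain
        if result is not None:
            return result
    return None                              # fell off the end of the chain

def verdict(chains, name, pkt):
    """First matching terminal rule wins; otherwise the built-in chain's policy applies."""
    return _walk(chains, name, pkt) or chains[name]["policy"]

# FORWARD chain of the Docker post, reduced to the rules a LAN packet can reach (the
# docker0/br-* rules need those interfaces). Docker sets the policy to DROP; policy="ACCEPT"
# models the pre-Docker state and docker_user_rules are placed in DOCKER-USER.
def docker_forward(policy="DROP", docker_user_rules=()):
    return {
        "DOCKER-USER": {"rules": [*docker_user_rules, {"target": "RETURN"}]},
        "FORWARD": {"policy": policy, "rules": [
            {"target": "DOCKER-USER"},
            {"in": "eno2", "out": "eno1", "src": "10.0.0.0/24", "ctstate": ("NEW",), "target": "ACCEPT"},
            {"ctstate": ("RELATED", "ESTABLISHED"), "target": "ACCEPT"},
            {"dst": "10.0.1.2", "proto": "tcp", "dport": "22", "target": "ACCEPT"}]}}

# INPUT chain of the second post; first_rule_iface models an "-i lo" that `-L` would not show.
def input_chain(first_rule_iface=None):
    first = {"target": "ACCEPT", **({"in": first_rule_iface} if first_rule_iface else {})}
    return {"INPUT": {"policy": "DROP", "rules": [first,
        {"ctstate": ("RELATED", "ESTABLISHED"), "target": "ACCEPT"},
        {"ctstate": ("INVALID",), "target": "DROP"},
        {"proto": "tcp", "dport": "22", "ctstate": ("NEW", "ESTABLISHED"), "target": "ACCEPT"},
        {"proto": "tcp", "dport": "80", "ctstate": ("NEW", "ESTABLISHED"), "target": "ACCEPT"},
        {"proto": "icmp", "target": "ACCEPT"}]}}

# Constructed packets (TEST-NET addresses): a new ICMP echo from 10.0.1.2 leaving via eno1,
# and an unsolicited SMTP SYN arriving on eth0.
PING_OUT = {"in": "eno2", "out": "eno1", "src": "10.0.1.2", "dst": "192.0.2.1", "proto": "icmp", "ctstate": "NEW"}
SMTP_IN = {"in": "eth0", "src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": "25", "ctstate": "NEW"}
```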

Postfix: fail2ban and iptables bans do not stop logins and authentication attempts

I use Ubuntu 16.04.6 LTS with Postfix 3.1.0 and fail2ban 0.9.3. These days my /var/log/mail.log is constantly polluted by brute-force attempts like this:

postfix/submission/smtpd[2282]: connect from unknown[xxx.xxx.xxx.xxx]
postfix/submission/smtpd[2282]: warning: unknown[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
postfix/submission/smtpd[2282]: disconnect from unknown[xxx.xxx.xxx.xxx] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

I tried to set up /etc/fail2ban/jail.local as:

[postfix]
enabled = true
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 3
bantime = 86400

[sasl]
enabled = true
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = postfix-sasl
logpath = /var/log/mail.log
maxretry = 3
bantime = 86400

It seems to work properly according to /var/log/fail2ban.log:

fail2ban.filter   [2208]: INFO    [sasl] Found xxx.xxx.xxx.xxx
fail2ban.actions  [2208]: NOTICE  [sasl] xxx.xxx.xxx.xxx already banned

But smtpd continues to receive SASL authentication attempts.

I also tried iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP the other day, but logins and authentication attempts continue despite the explicit DROP (iptables -L INPUT -v -n):

 pkts bytes target     prot opt in     out     source               destination
  416 2974K f2b-sasl   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,143,220,993,110,995
 1763  170K f2b-wordpress-soft  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
 1763  170K f2b-wordpress-hard  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443
  416 2974K f2b-postfix  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports
 1891  144K f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports
33899 8794K ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
33899 8794K ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  136  6931 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  113  5875 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  113  5875 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  113  5875 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       xxx.xxx.xxx.xxx      0.0.0.0/0
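A way to check from the log itself whether bans are being enforced, added here and not part of the post: the script replays fail2ban's counting (maxretry failures inside findtime trigger a ban for bantime seconds) over SASL failure lines in the format shown above and separately counts failures that arrive while the source is already banned, which is what fail2ban reports as "already banned" and which stays at zero when the DROP is actually in effect. The log lines are constructed samples with TEST-NET addresses and the syslog prefix that mail.log carries.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A Postfix SASL failure as it appears in mail.log (the post's format plus the syslog prefix).
FAIL = re.compile(r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/\w+/smtpd\[\d+\]: warning: "
                  r"\S+\[(\d+(?:\.\d+){3})\]: SASL \w+ authentication failed")

def failures(lines):
    """Yield (timestamp, ip) for every SASL authentication failure in the given lines."""
    for line in lines:
        m = FAIL.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)

def replay_bans(lines, maxretry=3, findtime=600, bantime=86400):
    """Replay the jail: an IP reaching maxretry failures within findtime seconds is banned
    for bantime seconds. Failures logged while its ban is in force are counted separately:
    with iptables really dropping the source, that count stays at zero."""
    recent, banned_until, leaks = defaultdict(list), {}, defaultdict(int)
    for t, ip in failures(lines):
        if ip in banned_until and t < banned_until[ip]:
            leaks[ip] += 1                       # fail2ban logs these as "already banned"
            continue
        recent[ip] = [x for x in recent[ip] if (t - x).total_seconds() <= findtime] + [t]
        if len(recent[ip]) >= maxretry:
            banned_until[ip] = t + timedelta(seconds=bantime)
            recent[ip] = []
    return banned_until, dict(leaks)

# Constructed sample of mail.log: three failures from 203.0.113.9 within a minute, a fourth
# one five minutes later (i.e. during its ban), and a single failure from 198.51.100.4.
MAIL_LOG = """\
Mar  1 10:00:01 mail postfix/submission/smtpd[2282]: connect from unknown[203.0.113.9]
Mar  1 10:00:02 mail postfix/submission/smtpd[2282]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Mar  1 10:00:03 mail postfix/submission/smtpd[2282]: disconnect from unknown[203.0.113.9] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Mar  1 10:00:20 mail postfix/submission/smtpd[2290]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Mar  1 10:00:41 mail postfix/submission/smtpd[2295]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Mar  1 10:05:00 mail postfix/submission/smtpd[2301]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Mar  1 10:06:00 mail postfix/submission/smtpd[2304]: warning: unknown[198.51.100.4]: SASL PLAIN authentication failed: authentication failure
""".splitlines()
```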

iptables – How to create an intranet DNS based on a transparent proxy server

I am new here.

I want to implement a server that responds to any http/https request sent to it. It is a bit like a forward proxy using the CONNECT method, but I do not want clients to have to set the proxy explicitly. The clients' DNS is a custom DNS that resolves every domain to the proxy server. How can I achieve this using iptables to forward the packets to a normal proxy like Squid? Or should I use some trick like writing a netfilter/iptables plugin, or changing the Squid code to make it work in CONNECT mode without a CONNECT method?

In short, I want to implement a transparent http/https proxy that can respond to any normal http/https request sent to it.

iptables – DNAT redirection works but the reply comes back with the redirection IP address

I am testing a setup where my clients, on network 10.101.29.0/24, are redirected to 10.10.10.222 when they try to connect to 192.168.100.100.
This part works, but my problem is with the reply. The reply arrives from 10.10.10.222, and what I want is for the firewall/router to change it back to 192.168.100.100 before handing it to the client.
Here is what I did on my firewall/router:

iptables -t nat -A PREROUTING -i eth1 -s 10.101.29.0/24 -d 192.168.100.100 -j DNAT --to 10.10.10.222

There is only this line, nothing more.

Here is my network:

10.101.29.0/24 | -> <-|10.101.29.1,172.16.50.100|-><-|172.16.50.1|-> Servers

I've already tried

iptables -t nat -A POSTROUTING -o eth0 -d 10.10.10.222 -j RETURN

and

iptables -t nat -A PREROUTING -i eth1 -s 10.10.10.222 -d 10.101.29.0/24 -j DNAT --to 192.168.100.100

but nothing works.

Should I load stateful modules?

Best regards.

iptables – Two keepalived masters have the virtual IP address simultaneously

It is really strange: my BACKUP device keeps becoming MASTER for several seconds.

I have already searched for the problem of both masters simultaneously having the virtual IP address, and I tried the solution, but it still does not work.

There are probably two ways to solve it:

  1. Setting the priority in keepalived.conf

  2. The firewall's handling of VRRP packets leaves the BACKUP device considered to be in control

BACKUP.conf

global_defs {
    router_id ThinkPad
}

vrrp_instance VRRP3 {
    state BACKUP
    interface eth0
    virtual_router_id 41
    priority 1
    advert_int 5
    authentication {
        auth_type PASS
        auth_pass 1066
    }
    virtual_ipaddress {
        172.16.100.1/16 dev eth0
        # 172.16.10.1/16 dev eth0 label eth0:1
        # 172.16.20.1/16 dev eth0 label eth0:2
        # 172.16.30.1/16 dev eth0 label eth0:3
    }

    # unicast_src_ip 172.16.100.2 ## source ip
    # unicast_peer {
    #     172.16.100.1 ## dest ip
    # }

    notify_master /etc/keepalived/ICS2.sh
    notify_backup /etc/keepalived/ICS.sh
}

MASTER.conf

global_defs {
    router_id NvidiaTx2
}

vrrp_instance VRRP1 {
    state MASTER
    interface eth0
    virtual_router_id 41
    priority 200
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1066
    }
    virtual_ipaddress {
        172.16.100.1/16 dev eth0
        # 172.16.10.1/16 dev eth0 label eth0:1
        # 172.16.20.1/16 dev eth0 label eth0:2
        # 172.16.30.1/16 dev eth0 label eth0:3
    }

    # unicast_src_ip 172.16.100.1 ## source ip
    # unicast_peer {
    #     172.16.100.2 ## dest ip
    # }

}

iptables settings (ufw is already disabled):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     112  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     112  --  0.0.0.0/0            224.0.0.18
ACCEPT     112  --  0.0.0.0/0            224.0.0.18

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     112  --  0.0.0.0/0            224.0.0.18
ACCEPT     112  --  0.0.0.0/0            224.0.0.18

tcpdump result:

root@ThinkPad:/etc/keepalived# tcpdump -i eth0 -n vrrp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:41:38.864030 IP 172.16.100.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 200, authtype simple, intvl 1s, length 20
15:41:39.859616 IP 172.16.100.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 1, authtype simple, intvl 5s, length 20
15:41:40.862070 IP 172.16.100.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 200, authtype simple, intvl 1s, length 20
15:41:41.863060 IP 172.16.100.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 200, authtype simple, intvl 1s, length 20
15:41:42.863939 IP 172.16.100.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 200, authtype simple, intvl 1s, length 20
15:41:43.864744 IP 172.16.100.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 200, authtype simple, intvl 1s, length 20
15:41:44.859805 IP 172.16.100.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 1, authtype simple, intvl 5s, length 20
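The capture above shows both routers advertising VRID 41 at the same time, which VRRP never allows: a backup that receives a higher-priority advertisement stays (or goes back to) silent. The script below is an added example, not part of the post; it parses tcpdump's VRRP lines and flags every advertisement sent by a router that had already seen a higher-priority advertisement for the same VRID within its own master-down interval (RFC 3768: 3 × advert_int plus the priority skew), so each hit is a master advertisement that keepalived on that host did not act on. tcpdump taps the interface before the netfilter INPUT chain, so a packet visible in the capture can still be dropped by a firewall rule before keepalived receives it, which is the second of the two causes listed in the post.

```python
import re
from collections import defaultdict

# tcpdump's one-line VRRPv2 advertisement, as printed by `tcpdump -i eth0 -n vrrp`.
ADVERT = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+) > 224\.0\.0\.18: VRRPv2, Advertisement, "
                    r"vrid (\d+), prio (\d+), authtype \w+, intvl (\d+)s")

def parse_adverts(lines):
    """Return the advertisements in a capture as dicts: t (seconds), src, vrid, prio, intvl."""
    adverts = []
    for line in lines:
        m = ADVERT.match(line.strip())
        if m:
            h, mi, s, src, vrid, prio, intvl = m.groups()
            adverts.append({"t": int(h) * 3600 + int(mi) * 60 + float(s), "src": src,
                            "vrid": int(vrid), "prio": int(prio), "intvl": int(intvl)})
    return adverts

def master_down_interval(prio, intvl):
    # RFC 3768: 3 * Advertisement_Interval + Skew_Time, with Skew_Time = (256 - Priority) / 256 s.
    return 3 * intvl + (256 - prio) / 256

def split_brain(adverts):
    """Count, per (vrid, sender), advertisements sent although a higher-priority router had
    advertised the same VRID within the sender's own master-down interval. A backup that
    processed that advertisement would have fallen silent, so each hit is one it missed."""
    hits = defaultdict(int)
    seen = defaultdict(list)                       # vrid -> advertisements in time order
    for adv in sorted(adverts, key=lambda a: a["t"]):
        window = adv["t"] - master_down_interval(adv["prio"], adv["intvl"])
        if any(p["src"] != adv["src"] and p["prio"] > adv["prio"] and p["t"] >= window
               for p in seen[adv["vrid"]]):
            hits[(adv["vrid"], adv["src"])] += 1
        seen[adv["vrid"]].append(adv)
    return dict(hits)

# The post's capture, retyped in tcpdump's wording (the ThinkPad is 172.16.100.2, prio 1).
CAPTURE = """\
15:41:38.864030 IP 172.16.100.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 200, authtype simple, intvl 1s, length 20
15:41:39.859616 IP 172.16.100.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 1, authtype simple, intvl 5s, length 20
15:41:40.862070 IP 172.16.100.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 200, authtype simple, intvl 1s, length 20
15:41:41.863060 IP 172.16.100.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 200, authtype simple, intvl 1s, length 20
15:41:42.863939 IP 172.16.100.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 200, authtype simple, intvl 1s, length 20
15:41:43.864744 IP 172.16.100.1 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 200, authtype simple, intvl 1s, length 20
15:41:44.859805 IP 172.16.100.2 > 224.0.0.18: VRRPv2, Advertisement, vrid 41, prio 1, authtype simple, intvl 5s, length 20
""".splitlines()
```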