Category: Firewall

The port forwarding from one ip to another ip in same network using iptables

Let’s say that we need to forward all connection to a port 143 IMAP to localhost to another server to a port 143 IMAP:

iptables -t nat -I PREROUTING -p tcp -d localhost --dport 143 -j DNAT --to-destination anotherserver:143
iptables -t nat -A POSTROUTING -p tcp --dport 143 -d anotherserver -j SNAT --to localhost

172.16.60.5 – localhost
172.16.10.77 – another server

# Forward port 143 IMAP to 172.16.10.77
iptables -t nat -I PREROUTING -p tcp -d 172.16.60.5 --dport 143 -j DNAT --to-destination 172.16.10.77:143
iptables -t nat -A POSTROUTING -p tcp --dport 143 -d 172.16.10.77 -j SNAT --to 172.16.60.5

# Log connection to port 143 to /var/log/firewall
iptables -t nat -I PREROUTING -p tcp --dport 143 -j LOG --log-prefix "IMAP PREROUTING: "
iptables -t nat -I POSTROUTING -p tcp --dport 143 -j LOG --log-prefix "IMAP POSTROUTING: "

OpenVPN in OpenVZ/VServer

# Allow OpenVPN
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
iptables -A FORWARD -s 192.168.88.0/24 -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -o venet0:0 -j MASQUERADE
# in OpenVZ/VServers you may need the following instead the lane above
iptables -t nat -A POSTROUTING -s 192.168.88.0/24 -j SNAT --to-source 198.50.149.196

Block an IP address with null routes or with iptables on a Linux.

You can drop as IP address using the iptables command:

iptables -A INPUT -s 192.168.1.100 -j DROP
iptables -A OUTPUT -d 192.168.1.100 -j DROP

However, you can use route or ip command to a null route unwanted traffic. A null route is a network route or kernel routing table entry that goes nowhere.

route add 192.168.1.100 gw 127.0.0.1 lo

or reject 😉

route add -host 192.168.1.100 reject

Also we can drop entire subnet 192.168.1.0/24

route add -net 192.168.1.0/24 gw 127.0.0.1 lo

To delete an IP address or entire subnet from a null route use the following command:

route del 192.168.1.100 gw 127.0.0.1 lo

or

route del -net 192.168.1.0/24 gw 127.0.0.1 lo

or

route del -host 192.168.1.99 reject

Port forwarding using xinetd.

An easy method to do port forwarding without the iptables is to use the xinetd.
In order to port forward with xinetd, you will need to create a configuration file:

root# vim /etc/xinetd.d/imap_forward

For example: Forward port 143 on localhost to remote server on port 143:

service imap_forward
{
disable = no
type = UNLISTED
socket_type = stream
protocol = tcp
user = nobody
wait = no
redirect = remote_IP_or_server_name 143
port = 143
}

SSH backdoor.

SSH from hades to earth.server.com with the -R flag. I’ll assume that you’re the root user on hades and that tech will need the root user ID to help you with the system. With the -R flag, you’ll forward instructions of port 2222 on earth.server.com to port 22 on hades. This is how you set up an SSH tunnel. Note that only SSH traffic can come into hades: You’re not putting hades out on the Internet naked.

You can do this with the following syntax:

# ssh -R 2222:localhost:22 username@hades.server.com

Once you are into hades.server.com, you just need to stay logged in and enter a command like:

username@hades.server.com:~$ while [ 1 ]; do date; sleep 300; done

to keep the machine busy and minimize the window.
Now instruct your friends to SSH as “username” into earth.server.com without using any special SSH flags. You’ll have to give them your password:

root@hades:~# ssh username@earth.server.com .
BTW no need

Once user is on the hades.server.com, they can SSH to earth using the following command:

username@hades.server.com:~$: ssh -p 2222 root@localhost

Short form:

from earth: ssh -R 2222:localhost:22 username@hades.somedomain.com
then: while [ 1 ]; do date; sleep 300; done
from hades: ssh -p 2222 root@localhost
and we can log in into earth.somedomain.com :))