
LAN to WORLD

After applying the DNAT declarations, which include Chain FORWARD (policy DROP), it is no longer possible to reach the internet from the WEB servers (101 and 102) or to use apt.
The root cause turns out to be that no DNS server can be reached.

The assignment states that apt must work. Ports 80 and 443 are needed for this, but of course also DNS port 53 (UDP).
Furthermore, ports 22 and 80 must be open from the LAN to the outside.
A solution for mail can be built later; at some point at least port 25 will have to be opened.

To debug the network (sooner or later something will go wrong), ping from inside to outside also seems indispensable.

All these protocols must pass through the FORWARD chain from INSIDE to OUTSIDE.
 

  1. inventory
     
    The current FORWARD chain already contains the following relevant rules:
    ...
    iptables -vP FORWARD DROP
    ## destination forward ports
    iptables -vA FORWARD -p TCP --dport 22 -j ACCEPT
    iptables -vA FORWARD -p TCP --dport 80 -j ACCEPT
    ...
    ### forward related established
    iptables -vA FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ...

    The declarations above do not specify input or output interfaces (for example: -i eth0) and therefore apply in all directions. We should thus already be able to open websites and make ssh connections to IP addresses.
     
    But apt works with domain names, so DNS must be allowed as well.
     
    In addition, we were asked to be able to use SMTP,
    and finally we would find it useful to be able to ping the outside.
     

  2. LAN to WORLD declarations
     
    The following declarations solve the problems mentioned above:
    #### open ports from LAN to WORLD 
    #### already open in section Destination NAT (declaration goes both ways)
    #
    #  already open ## iptables -vA FORWARD -p TCP --dport 22 -j ACCEPT
    #  already open ## iptables -vA FORWARD -p TCP --dport 80 -j ACCEPT
    #
    ####  ping
    iptables -vA FORWARD -p ICMP -j ACCEPT
    #### smtp
    iptables -vA FORWARD -p TCP --dport 25 -j ACCEPT
    #### dns
    iptables -vA FORWARD -p UDP --dport 53 -j ACCEPT
    #### https
    iptables -vA FORWARD -p TCP --dport 443 -j ACCEPT
    #
    #### already open 
    ## iptables -vA FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

     

  3. tests
     
    From web101:
     
    DNS:
    user@ub164-WEB101:~$ nslookup vrt.be
    Server:     10.28.100.10
    Address:    10.28.100.10#53
     
    Non-authoritative answer:
    Name:   vrt.be
    Address: 52.209.17.179
    Name:   vrt.be
    Address: 52.214.170.224

     
    PING:

    user@ub164-WEB101:~$ ping bnix.be
    PING bnix.be (193.190.130.50) 56(84) bytes of data.
    64 bytes from fiorano.belnet.be (193.190.130.50): icmp_seq=1 ttl=52 time=14.0 ms
    64 bytes from fiorano.belnet.be (193.190.130.50): icmp_seq=2 ttl=52 time=15.9 ms
    64 bytes from fiorano.belnet.be (193.190.130.50): icmp_seq=3 ttl=52 time=13.2 ms

     
    SMTP:

    user@ub164-WEB101:~$ telnet smtp.telenet.be 25
    Trying 195.130.132.11...
    Connected to smtp.telenet.be.
    Escape character is '^]'.
    220 andre.telenet-ops.be bizsmtp ESMTP server ready
    quit
    221 2.0.0 andre.telenet-ops.be bizsmtp closing connection
    Connection closed by foreign host.

     
    HTTP:

    user@ub164-WEB101:~$ lynx perdu.com
    Looking up  'perdu.com' first
    Perdu sur l'Internet ?
     
    Pas de panique, on va vous aider
     
    * <----- vous êtes ici

     
    APT:

    user@ub164-WEB101:~$ sudo apt update
    [sudo] password for user:  *****************
    Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [102 kB]
    Hit:2 http://be.archive.ubuntu.com/ubuntu xenial InRelease                          
    Get:3 http://be.archive.ubuntu.com/ubuntu xenial-updates InRelease [102 kB]         
    Get:4 http://be.archive.ubuntu.com/ubuntu xenial-backports InRelease [102 kB]       
    Get:5 http://be.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [668 kB]
    Get:6 http://be.archive.ubuntu.com/ubuntu xenial-updates/main i386 Packages [631 kB]
    Fetched 1.605 kB in 0s (1.870 kB/s)                                               
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    117 packages can be upgraded. Run 'apt list --upgradable' to see them.

     

  4. the complete iptables script
     
    #! /bin/bash
    #
    #  iptables-script 
    #  bvdb  ( 02/11/2017 )
    ######################################################
    #
    # v = verbose, F = flush all rules, X = delete non-standard (user-defined) chains
     
    # general: flush the rules first, then delete the (now unreferenced) user chains
    iptables -vF
    iptables -vX
     
    # nat and masquerading -t refers to table
    iptables -vt nat -F
    iptables -vt nat -X
     
    # mangling TCP header
    iptables -vt mangle -F
    iptables -vt mangle -X
     
    # reset policies -P refers to policies
    iptables -vP OUTPUT ACCEPT
     
    # turn off routing
    # echo 0 > /proc/sys/net/ipv4/ip_forward
     
    # turn on routing
    echo 1 > /proc/sys/net/ipv4/ip_forward
     
    ###### This is very important in your script --
    ###### it shows you what you are doing:
    #
    ##>> my network interfaces: enp0s3 = 10.104.200.254/16 >> outside
    ##>> my network interfaces: enp0s8 = 192.168.200.254/24 >> inside
     
    ### implement NAT routing
    #
    ## NAT routing - enp0s3 is outside, an unprotected network
    #  the ip address on the outside of our firewall is 10.104.200.254 (outside address)
    #
    iptables -vt nat -A POSTROUTING -o enp0s3 -j SNAT --to 10.104.200.254
     
    ## INPUT chain lo + ports 10022
    iptables -vP INPUT DROP
    iptables -vA INPUT -i lo -j ACCEPT
    iptables -vA INPUT -p TCP --dport 10022 -j ACCEPT
    iptables -vA INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
     
    #### Destination NAT -
    iptables -vP FORWARD DROP
    ## destination forward ports
    iptables -vA FORWARD -p TCP --dport 22 -j ACCEPT
    iptables -vA FORWARD -p TCP --dport 80 -j ACCEPT
    ## port 10122 >> web101:22
    iptables -vt nat -A PREROUTING -p TCP --dport 10122 -j DNAT --to 192.168.200.101:22
    iptables -vA FORWARD -p TCP --dport 10122 -j ACCEPT
    ## port 10222 >> web102:22
    iptables -vt nat -A PREROUTING -p TCP --dport 10222 -j DNAT --to 192.168.200.102:22
    iptables -vA FORWARD -p TCP --dport 10222 -j ACCEPT
    ## port 8081  >> web101:80
    iptables -vt nat -A PREROUTING -p TCP --dport 8081 -j DNAT --to 192.168.200.101:80
    iptables -vA FORWARD -p TCP --dport 8081 -j ACCEPT
    ## port 8082 >> web102:80
    iptables -vt nat -A PREROUTING -p TCP --dport 8082 -j DNAT --to 192.168.200.102:80
    iptables -vA FORWARD -p TCP --dport 8082 -j ACCEPT
    ### forward related established
    iptables -vA FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
     
    #### open ports from LAN to WORLD
    ## already open ## iptables -vA FORWARD -p TCP --dport 22 -j ACCEPT
    ## already open ## iptables -vA FORWARD -p TCP --dport 80 -j ACCEPT
    #### already open in section Destination NAT (declaration goes both ways)
    iptables -vA FORWARD -p ICMP -j ACCEPT
    iptables -vA FORWARD -p TCP --dport 25 -j ACCEPT
    iptables -vA FORWARD -p UDP --dport 53 -j ACCEPT
    iptables -vA FORWARD -p TCP --dport 443 -j ACCEPT
    ## already open ## iptables -vA FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
     
    ### PRINT iptables configuration
    ###
    #
    echo ">>>>> iptables -n -L"
    iptables -n -L
    echo "--------------"
    #echo ">>>>> iptables -S"
    #iptables -S 
    #echo "--------------"
    echo ">>>>> iptables -t nat -L"
    # without -n, ports are shown by their /etc/services name (8081 appears as "tproxy" in the output below)
    iptables -t nat -L
    echo "--------------"
    #echo ">>>>> iptables -t mangle -L"
    #iptables -t mangle -L
    #echo "--------------"
    echo "routing set: " `cat /proc/sys/net/ipv4/ip_forward`
    echo "=============="

     

  5. output
     
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `PREROUTING'
    Flushing chain `INPUT'
    Flushing chain `OUTPUT'
    Flushing chain `POSTROUTING'
    Flushing chain `PREROUTING'
    Flushing chain `INPUT'
    Flushing chain `FORWARD'
    Flushing chain `OUTPUT'
    Flushing chain `POSTROUTING'
    SNAT  all opt -- in * out enp0s3  0.0.0.0/0  -> 0.0.0.0/0   to:10.104.200.254
    ACCEPT  all opt -- in lo out *  0.0.0.0/0  -> 0.0.0.0/0  
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:10022
    ACCEPT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   state RELATED,ESTABLISHED
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:22
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:80
    DNAT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:10122 to:192.168.200.101:22
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:10122
    DNAT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:10222 to:192.168.200.102:22
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:10222
    DNAT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:8081 to:192.168.200.101:80
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:8081
    DNAT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:8082 to:192.168.200.102:80
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:8082
    ACCEPT  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   state RELATED,ESTABLISHED
    ACCEPT  icmp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0  
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:25
    ACCEPT  udp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   udp dpt:53
    ACCEPT  tcp opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   tcp dpt:443
    >>>>> iptables -n -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10022
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10122
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10222
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8081
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8082
    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
     
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    --------------
    >>>>> iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:10122 to:192.168.200.101:22
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:10222 to:192.168.200.102:22
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:tproxy to:192.168.200.101:80
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:8082 to:192.168.200.102:80
     
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
     
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
     
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    SNAT       all  --  anywhere             anywhere             to:10.104.200.254
    --------------
    routing set:  1
    ==============