[[File:SuseIptablesDiagram.png|400px|border|center]]
* Since we're forwarding traffic: the router is neither the source nor the destination, therefore the INPUT and OUTPUT chains don't apply. We'll add one rule to the PREROUTING chain of the NAT table, remove the default blocking rule from the FORWARD chain, and add one rule to the POSTROUTING chain.
[[File:AWSportForwardingIptables.png|800px|border|center]]
** forward incoming tcp port 2211 packets to port 22 on www <source>iptables -t nat -A PREROUTING -p tcp --dport 2211 -j DNAT --to 10.3.45.11:22</source>
** allow forwarding to www (or just remove the default reject rule) <source>iptables -D FORWARD 1</source>
** perform ip masquerading <source>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</source>
** troubleshooting <source>iptables -I FORWARD -j LOG
tail -f /var/log/messages</source>
** resulting firewall looks like this: <source>[root@router ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@router ~]# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2211 to:10.3.45.11:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
</source>
That would have been enough on a CentOS install, but in Amazon Linux routing is disabled by default in the kernel. So we have to enable it:
* Edit /etc/sysctl.conf and add this line to the end: <source>net.ipv4.ip_forward = 1</source>
** Then run <source>sysctl -p</source>
** Check that it worked: <source>cat /proc/sys/net/ipv4/ip_forward</source>
* Don't forget to add TCP port 2211 to ops345routersg. If you forget: the traffic will never make it to your iptables rules.
There are a lot of variables in this setup. A couple of troubleshooting tools you can use are iptables logs and tcpdump:
* <source>iptables -I FORWARD -j LOG
tail -f /var/log/messages</source>
* <source>tcpdump -n -i eth0 port 2211</source>

= Submit evidence of your work =
For this lab, please submit screenshots that show you've completed the work, unless your professor has given you different instructions. As a minimum that's:
* kernel: <source>vi /etc/sysctl.conf # add to the end: net.ipv4.ip_forward = 1
sysctl -p
cat /proc/sys/net/ipv4/ip_forward</source>
* test: <source>tcpdump -n -i eth0 port 2211</source>
* aws:
** allow access to port 2211 in security group
** disable source/dest check for router in aws console (might not be necessary)
* Save the iptables rules when it looks like they're working.
~. will break out of a locked up ssh session
[[Category:OPS345]]
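The port-forwarding steps above (DNAT in PREROUTING, opening FORWARD, MASQUERADE in POSTROUTING, the ip_forward sysctl), gathered into one script as an added example. This is not the lab's own code: it assumes the lab's values (router port 2211, www at 10.3.45.11:22, eth0), and the IPTABLES and IP_FORWARD_FILE variables are the script's own overrides, not iptables options. It goes one step beyond the lab in one place: rather than deleting the distribution's REJECT rule from FORWARD, it inserts two narrower ACCEPT rules in front of it, so only the forwarded SSH connection and its reply traffic are allowed through the router. The NAT listing embedded in it is a constructed sample copied from the output shown above, so the verification functions can be exercised without root.

```sh
#!/bin/sh
# Added example for the port-forwarding lab; not part of the lab page.
# Assumed values follow the lab text: TCP 2211 on the router -> www 10.3.45.11:22 via eth0.
EXT_PORT="${EXT_PORT:-2211}"
TARGET="${TARGET:-10.3.45.11:22}"
EXT_IF="${EXT_IF:-eth0}"
IPTABLES="${IPTABLES:-iptables}"                              # override with a wrapper for dry runs
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# The rule set, printed as iptables argument lists, one rule per line.
# Instead of the lab's "iptables -D FORWARD 1", two ACCEPT rules go in front of
# the REJECT rule: reply traffic first, then new connections to www's port 22.
forwarding_rules() {
    printf '%s\n' \
        "-t nat -A PREROUTING -i $EXT_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $TARGET" \
        "-I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        "-I FORWARD 2 -p tcp -d ${TARGET%:*} --dport ${TARGET#*:} -m state --state NEW -j ACCEPT" \
        "-t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE"
}

# Apply every rule in order; splitting each line into words is intentional.
apply_rules() {
    forwarding_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        "$IPTABLES" $rule || return 1
    done
}

# True when the kernel will forward packets (the sysctl step worked).
ip_forward_enabled() {
    [ "$(cat "$IP_FORWARD_FILE" 2>/dev/null)" = "1" ]
}

# Read "iptables -t nat -L -n" output on stdin; true if PREROUTING holds the
# DNAT rule for EXT_PORT -> TARGET.
nat_has_dnat() {
    awk -v port="$EXT_PORT" -v target="$TARGET" '
        /^Chain /                                                    { in_pre = ($2 == "PREROUTING") }
        in_pre && $1 == "DNAT" && index($0, "dpt:" port " to:" target) { found = 1 }
        END { exit !found }'
}

# Same, for the MASQUERADE rule in POSTROUTING.
nat_has_masquerade() {
    awk '
        /^Chain /                        { in_post = ($2 == "POSTROUTING") }
        in_post && $1 == "MASQUERADE"    { found = 1 }
        END { exit !found }'
}

# Constructed sample of "iptables -L -n -t nat" output, matching the lab's
# listing, so the checks above can be run without root.
sample_nat_output() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2211 to:10.3.45.11:22

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Live verification on the router: kernel flag plus both NAT rules.
verify() {
    ip_forward_enabled || { echo "ip_forward is off: check /etc/sysctl.conf and run sysctl -p" >&2; return 1; }
    "$IPTABLES" -t nat -L -n | nat_has_dnat || { echo "DNAT rule for port $EXT_PORT missing" >&2; return 1; }
    "$IPTABLES" -t nat -L -n | nat_has_masquerade || { echo "MASQUERADE rule on $EXT_IF missing" >&2; return 1; }
    echo "port forwarding $EXT_PORT -> $TARGET looks correct"
}

case "${1:-}" in
    apply)  apply_rules && verify ;;
    verify) verify ;;
    *)      echo "usage: $0 apply|verify" >&2 ;;
esac
```

Run `sh portfwd.sh apply` once as root on the router, then `sh portfwd.sh verify` after each change (or after a reboot) to confirm the kernel flag and both NAT rules are still there; if `verify` passes but the connection from outside still fails, the remaining variables are the ones the lab names, the security group and the source/dest check, which this script cannot see.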
= Private security group =