I need to complete an exercise with iptables on a network (docker containers) configured as follows:
- A router host with 2 network interfaces (eth0 <- public 10.9.0.0/24; eth1 <- lan 192.168.60.0/24; the router is the x.x.x.254 on both networks) and an SSH server on default port 22;
- A jumpbox host in lan with IP 192.168.60.10, with SSH and TELNET on default ports 22 and 23;
- An admin host in public with IP 10.9.0.2.
One of the requests made to us is the forwarding/masquerade of the SSH (on port 2222) and TELNET services of the jumpbox host via the router to the admin host.
The problem is that I can't redirect these ports: the connection remains on perpetual hold (I think because the return packets are not configured correctly).
Currently my configuration is as follows (see ADMIN'S RULES):
#!/bin/bash
# Reset IPv4 rules
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Set default policies for chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow traffic for ongoing connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ====================== #
# NAT INTERNAL NETWORK #
# ====================== #
# Masquerade internal network hosts
iptables -t nat -A POSTROUTING -s 192.168.60.0/24 -o eth0 -j MASQUERADE
# Forward internal network requests to external network
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# =============== #
# ADMIN'S RULES #
# =============== #
# Allow 'admin' connection to 'jumpbox' SSH (on 2222 port)
iptables -t nat -A POSTROUTING -s 192.168.60.10 -p tcp --sport 22 -j SNAT --to 10.9.0.254:2222
iptables -t nat -A PREROUTING -s 10.9.0.2 -p tcp --dport 2222 -j DNAT --to 192.168.60.10:22
iptables -A FORWARD -s 10.9.0.2 -p tcp --dport 22 -j ACCEPT
# Allow 'admin' connection to 'jumpbox' TELNET
iptables -t nat -A POSTROUTING -s 192.168.60.10 -p tcp --sport 23 -j SNAT --to 10.9.0.254
iptables -t nat -A PREROUTING -s 10.9.0.2 -p tcp --dport 23 -j DNAT --to 192.168.60.10
iptables -A FORWARD -s 10.9.0.2 -p tcp --dport 23 -j ACCEPT
Could someone please direct me to the solution?
Thanks in advance.
EDIT:
After several attempts I succeeded in my intent with these commands:
# Allow 'admin' connection to 'jumpbox' SSH (on 2222 port)
iptables -t nat -A PREROUTING -s 10.9.0.2 -d 10.9.0.254 -p tcp --dport 2222 -j DNAT --to 192.168.60.10:22
iptables -A FORWARD -s 10.9.0.2 -d 192.168.60.10 -p tcp --dport 22 -j ACCEPT
iptables -t nat -A POSTROUTING -d 192.168.60.10 -p tcp --dport 22 -j SNAT --to 192.168.60.254
# Allow 'admin' connection to 'jumpbox' TELNET
iptables -t nat -A PREROUTING -s 10.9.0.2 -d 10.9.0.254 -p tcp --dport 23 -j DNAT --to 192.168.60.10
iptables -A FORWARD -s 10.9.0.2 -d 192.168.60.10 -p tcp --dport 23 -j ACCEPT
iptables -t nat -A POSTROUTING -d 192.168.60.10 -p tcp --dport 23 -j SNAT --to 192.168.60.254
Now the problem becomes that if I try to connect using the internal IP:
$ telnet 192.168.60.10 23 # or
$ ssh -p2222 192.168.60.10
I am able to do this, but I have to block this behavior.
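Added example, not part of the original post and not the poster's final configuration: a small bash script that renders the router's ruleset in iptables-restore format, with the FORWARD accept for each published service restricted to connections that were actually rewritten by the DNAT rule (conntrack state DNAT). A packet from the admin host addressed directly to 192.168.60.10 never matches that state, so only the path through the router's public address (10.9.0.254:2222 and 10.9.0.254:23) is admitted. Interface names, addresses and ports are taken from the question; the helper names, the SERVICES list and the check function are this example's own, and it assumes the conntrack match module (`-m conntrack`) is available, as it is on any current iptables.

```shell
#!/bin/bash
# Example ruleset generator for the router in the question (not the poster's code).
# Usage: ./router-rules.sh          -> print the ruleset in iptables-restore format
#        sudo ./router-rules.sh apply -> load it with iptables-restore
set -eu

PUB_IF=eth0            # public side, 10.9.0.0/24
LAN_IF=eth1            # lan side, 192.168.60.0/24
ROUTER_PUB=10.9.0.254  # router address on the public network
LAN_NET=192.168.60.0/24
JUMPBOX=192.168.60.10
ADMIN=10.9.0.2

# Published services: "<name> <port on router public address> <port on jumpbox>"
# (constructed from the question: SSH exposed on 2222 -> 22, TELNET on 23 -> 23)
SERVICES="ssh 2222 22
telnet 23 23"

render_rules() {
  echo "*nat"
  echo ":PREROUTING ACCEPT [0:0]"
  echo ":INPUT ACCEPT [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"
  echo ":POSTROUTING ACCEPT [0:0]"
  # LAN hosts going out through the public interface are masqueraded.
  echo "-A POSTROUTING -s ${LAN_NET} -o ${PUB_IF} -j MASQUERADE"
  # Only traffic from admin addressed to the router's public IP is translated;
  # the reply path is handled by conntrack, so no SNAT toward the jumpbox is
  # needed as long as the jumpbox routes back through 192.168.60.254.
  while read -r name pub int; do
    [ -n "$name" ] || continue
    echo "# ${name}: ${ADMIN} -> ${ROUTER_PUB}:${pub} becomes ${JUMPBOX}:${int}"
    echo "-A PREROUTING -i ${PUB_IF} -s ${ADMIN} -d ${ROUTER_PUB} -p tcp --dport ${pub} -j DNAT --to-destination ${JUMPBOX}:${int}"
  done <<< "$SERVICES"
  echo "COMMIT"

  echo "*filter"
  echo ":INPUT DROP [0:0]"
  echo ":FORWARD DROP [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"
  echo "-A INPUT -i lo -j ACCEPT"
  echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # LAN -> public is allowed freely, as in the question.
  echo "-A FORWARD -i ${LAN_IF} -o ${PUB_IF} -j ACCEPT"
  # Public -> jumpbox is accepted only for connections that went through our
  # DNAT rule: "--ctstate DNAT" is a conntrack virtual state that is set when
  # the original destination differs from the reply source. A direct
  # "telnet 192.168.60.10" from admin has no such rewrite and stays DROPped.
  while read -r name pub int; do
    [ -n "$name" ] || continue
    echo "-A FORWARD -i ${PUB_IF} -o ${LAN_IF} -s ${ADMIN} -d ${JUMPBOX} -p tcp --dport ${int} -m conntrack --ctstate DNAT -j ACCEPT"
  done <<< "$SERVICES"
  echo "COMMIT"
}

# Sanity check on the rendered ruleset: any FORWARD rule that admits traffic
# to the jumpbox must also require the DNAT state. Returns 1 and prints the
# offending rule otherwise.
check_forward_rules() {
  local bad
  bad=$(render_rules | grep -- "-A FORWARD" | grep -- "-d ${JUMPBOX}" \
        | grep -v -- "--ctstate DNAT" || true)
  if [ -n "$bad" ]; then
    printf 'FORWARD rule reaches %s without the DNAT state match:\n%s\n' "$JUMPBOX" "$bad" >&2
    return 1
  fi
  return 0
}

apply_rules() {
  check_forward_rules
  render_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
  apply_rules
elif [ "${1:-}" = "" ]; then
  render_rules
fi
```

`render_rules | iptables-restore --test` parses the ruleset without committing it, which is a cheap way to catch a typo before touching a live router. Two things the script deliberately does differently from the poster's EDIT: it does not SNAT the admin's connections to 192.168.60.254, because conntrack already un-translates the jumpbox's replies when they come back through the router, and doing so would make every session appear to originate from the router in the jumpbox's own SSH and telnet logs; and it uses `-m conntrack --ctstate` rather than `-m state --state`, since only the former knows the SNAT/DNAT virtual states. If the jumpbox's default gateway is not the router, the SNAT is needed again and the check above still holds.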