Starting
As with every shell script intended to run under Bash, the file starts with the interpreter line:
#!/bin/bash
reset_iptables ()
A function that resets iptables to a known, empty state so that no pre-existing rule is left in place unaccounted for:
#######################################
# Wipe every iptables (IPv4) table and reset the built-in policies.
#
# Flushes all rules and deletes all user-defined chains in the filter,
# nat, mangle, raw and security tables, then sets the INPUT, FORWARD and
# OUTPUT policies to ACCEPT.
#
# After this call the host has no IPv4 packet filtering at all until new
# rules are added.  Only iptables is touched; ip6tables is left as it was.
# A failing iptables call (e.g. a table this kernel lacks) does not stop
# the remaining calls.
#
# Returns: status of the last iptables call.
#######################################
reset_iptables () {
  local table chain
  # The filter table is the implicit default, so no -t is needed here.
  iptables -F
  iptables -X
  for table in nat mangle raw security; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT
  done
}
!!! warning "Potential Security Risk"
Calling this function deletes every rule and user-defined chain in every IPv4 table and sets the default policy of INPUT, FORWARD and OUTPUT to ACCEPT, so the host has no packet filtering at all until new rules are added. Save the current rules first (`iptables-save > backup.rules`) if they matter. Only iptables (IPv4) is reset; ip6tables is left untouched.
Example
The call takes no arguments. Calling it clears every rule currently defined in iptables.
# Start from a clean slate: drop every existing rule and chain.
reset_iptables
forward_internet ()
A function that lets clients which use this router as their default gateway reach the Internet through this machine's own Internet-facing interface (NAT/masquerading):
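#######################################
# Turn this host into a NAT gateway for one client network.
#
# Arguments:
#   $1 - client network in CIDR form (e.g. 192.168.1.0/24); the clients
#        must already use this host as their default gateway
#   $2 - interface that carries this host's own Internet connection
# Side effects:
#   enables IPv4 forwarding (net.ipv4.conf.all.forwarding=1) and adds
#   three rules: MASQUERADE for traffic leaving via $2, ACCEPT in FORWARD
#   for $1 -> $2, and ACCEPT in INPUT for everything coming from $1.
# Returns:
#   2 if an argument is missing (no rule is touched); otherwise the
#   status of the last failing iptables call, or 0.
#
# Security notes:
#   - The INPUT rule admits *every* service on this host to the client
#     network, not only the forwarding path.  Narrow it with -p/--dport
#     if the clients are not fully trusted.
#   - No return-path rule (-i $2 --state RELATED,ESTABLISHED) is added;
#     replies only pass because reset_iptables leaves FORWARD at ACCEPT.
#     Add one before changing that policy to DROP.
#   - IPv4 only: nothing here configures ip6tables.
#######################################
forward_internet () {
  local client_net=$1
  local inet_iface=$2
  local rc=0

  if [[ -z "$client_net" || -z "$inet_iface" ]]; then
    printf 'usage: forward_internet CLIENT_NET INET_IFACE\n' >&2
    return 2
  fi

  # Without forwarding enabled the FORWARD chain never sees client traffic.
  # forward_port sets this too, but forward_internet must work on its own.
  sysctl net.ipv4.conf.all.forwarding=1 > /dev/null

  # Attempt all three rules even if one fails, but report the failure.
  iptables -t nat -A POSTROUTING -o "$inet_iface" -j MASQUERADE || rc=$?
  iptables -I FORWARD -o "$inet_iface" -s "$client_net" -j ACCEPT || rc=$?
  iptables -I INPUT -s "$client_net" -j ACCEPT || rc=$?
  return "$rc"
}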
Examples
To act as an Internet gateway for other devices on the network that send packets from 192.168.1.x:
# NAT the 192.168.1.0/24 client network out through wlan0.
forward_internet 192.168.1.0/24 wlan0
forward_port ()
A function that forwards incoming TCP connections arriving on an outside interface and port to an inside address and port, and masquerades them so the replies come back through this router:
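#######################################
# Publish one internal TCP service on an outside interface (DNAT).
#
# Arguments:
#   $1 - outside interface the connection arrives on (e.g. tun0)
#   $2 - outside TCP port to accept connections on
#   $3 - inside address to forward to
#   $4 - inside TCP port to forward to
#   $5 - optional source network/host (CIDR) allowed to use the mapping;
#        when omitted any source reaching $1 may connect (original behaviour)
# Outputs:
#   "$1:$2 -> $3:$4" on stdout once both rules are in place.
# Returns:
#   2 if a required argument is missing (nothing is changed); the status of
#   a failing iptables call (success line is then NOT printed); else 0.
# Side effects:
#   sets net.ipv4.conf.all.forwarding=1 and net.ipv6.conf.all.forwarding=1.
#
# Security notes:
#   - TCP only (-p tcp): UDP services are not forwarded by this function.
#   - The POSTROUTING MASQUERADE rewrites the client's source address to
#     this router's, so $3 only ever sees connections "from the router";
#     its logs, rate limiting or brute-force protection cannot tell clients
#     apart.  Use $5 or a FORWARD rule on this router to limit exposure.
#   - IPv6 forwarding is switched on although only IPv4 (iptables) rules
#     are installed and this script never configures ip6tables; if any
#     interface has global IPv6 connectivity the host becomes an
#     unfiltered IPv6 router.  Remove that sysctl unless IPv6 routing is
#     actually wanted.
#######################################
forward_port () {
  local out_iface=$1
  local out_port=$2
  local in_addr=$3
  local in_port=$4
  local allowed_src=${5:-}
  local rc=0

  if [[ -z "$out_iface" || -z "$out_port" || -z "$in_addr" || -z "$in_port" ]]; then
    printf 'usage: forward_port OUTSIDE_IFACE OUTSIDE_PORT INSIDE_ADDR INSIDE_PORT [ALLOWED_SRC]\n' >&2
    return 2
  fi

  sysctl net.ipv4.conf.all.forwarding=1 > /dev/null
  sysctl net.ipv6.conf.all.forwarding=1 > /dev/null

  # Build the DNAT rule as an array so the optional source filter slots in
  # without string concatenation.
  local dnat=(-A PREROUTING -t nat -p tcp -i "$out_iface")
  if [[ -n "$allowed_src" ]]; then
    dnat+=(-s "$allowed_src")
  fi
  dnat+=(--dport "$out_port" -j DNAT --to-destination "$in_addr:$in_port")

  iptables "${dnat[@]}" || rc=$?
  iptables -A POSTROUTING -t nat -p tcp -d "$in_addr" --dport "$in_port" -j MASQUERADE || rc=$?

  if (( rc != 0 )); then
    printf 'forward_port: failed to add rules for %s:%s -> %s:%s\n' \
      "$out_iface" "$out_port" "$in_addr" "$in_port" >&2
    return "$rc"
  fi
  printf '%s:%s -> %s:%s\n' "$out_iface" "$out_port" "$in_addr" "$in_port"
}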
Usage
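# iptables and the sysctl writes need CAP_NET_ADMIN; fail early instead of
# letting every call below error out one by one.
if (( EUID != 0 )); then
  printf 'forward.sh: must be run as root\n' >&2
  exit 1
fi

reset_iptables
forward_internet 10.44.7.0/24 wlan0

# Port mappings, one per entry: OUTSIDE_IFACE OUTSIDE_PORT INSIDE_ADDR INSIDE_PORT.
# Every mapping is reachable by anything that can send packets to its
# outside interface; no source restriction is applied here, so the entries
# landing on inside port 22 and on 25/465/587 are open to the whole network
# behind tun0.
rules=(
  "tun0 8006 10.44.7.159 8006"
  "tun0 8007 10.44.7.157 8006"
  "tun0 7860 10.44.7.103 7860"
  "tun0 7861 10.44.7.100 7861"
  "tun0 7862 10.44.7.100 7862"
  "tun0 22001 10.44.7.111 22"
  "tun0 22002 10.44.7.100 22"
  "tun0 22003 10.44.7.105 22"
  "tun0 80 10.44.7.111 80"
  "tun0 443 10.44.7.111 443"
  "tun0 35566 10.44.7.112 35566"
  "wlan0 8006 10.44.7.159 8006"
  "wlan0 8007 10.44.7.157 8006"
  "tun0 8033 10.44.7.114 80"
  "tun0 25 10.44.7.102 25"
  "tun0 587 10.44.7.102 587"
  "tun0 465 10.44.7.102 465"
)
for rule in "${rules[@]}"; do
  read -r out_iface out_port in_addr in_port <<<"$rule"
  forward_port "$out_iface" "$out_port" "$in_addr" "$in_port"
done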
forward.sh
#!/bin/bash
#######################################
# Wipe every iptables (IPv4) table and reset the built-in policies.
#
# Flushes all rules and deletes all user-defined chains in the filter,
# nat, mangle, raw and security tables, then sets the INPUT, FORWARD and
# OUTPUT policies to ACCEPT.
#
# After this call the host has no IPv4 packet filtering at all until new
# rules are added.  Only iptables is touched; ip6tables is left as it was.
# A failing iptables call (e.g. a table this kernel lacks) does not stop
# the remaining calls.
#
# Returns: status of the last iptables call.
#######################################
reset_iptables () {
  local table chain
  # The filter table is the implicit default, so no -t is needed here.
  iptables -F
  iptables -X
  for table in nat mangle raw security; do
    iptables -t "$table" -F
    iptables -t "$table" -X
  done
  for chain in INPUT FORWARD OUTPUT; do
    iptables -P "$chain" ACCEPT
  done
}
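#######################################
# Turn this host into a NAT gateway for one client network.
#
# Arguments:
#   $1 - client network in CIDR form (e.g. 192.168.1.0/24); the clients
#        must already use this host as their default gateway
#   $2 - interface that carries this host's own Internet connection
# Side effects:
#   enables IPv4 forwarding (net.ipv4.conf.all.forwarding=1) and adds
#   three rules: MASQUERADE for traffic leaving via $2, ACCEPT in FORWARD
#   for $1 -> $2, and ACCEPT in INPUT for everything coming from $1.
# Returns:
#   2 if an argument is missing (no rule is touched); otherwise the
#   status of the last failing iptables call, or 0.
#
# Security notes:
#   - The INPUT rule admits *every* service on this host to the client
#     network, not only the forwarding path.  Narrow it with -p/--dport
#     if the clients are not fully trusted.
#   - No return-path rule (-i $2 --state RELATED,ESTABLISHED) is added;
#     replies only pass because reset_iptables leaves FORWARD at ACCEPT.
#     Add one before changing that policy to DROP.
#   - IPv4 only: nothing here configures ip6tables.
#######################################
forward_internet () {
  local client_net=$1
  local inet_iface=$2
  local rc=0

  if [[ -z "$client_net" || -z "$inet_iface" ]]; then
    printf 'usage: forward_internet CLIENT_NET INET_IFACE\n' >&2
    return 2
  fi

  # Without forwarding enabled the FORWARD chain never sees client traffic.
  # forward_port sets this too, but forward_internet must work on its own.
  sysctl net.ipv4.conf.all.forwarding=1 > /dev/null

  # Attempt all three rules even if one fails, but report the failure.
  iptables -t nat -A POSTROUTING -o "$inet_iface" -j MASQUERADE || rc=$?
  iptables -I FORWARD -o "$inet_iface" -s "$client_net" -j ACCEPT || rc=$?
  iptables -I INPUT -s "$client_net" -j ACCEPT || rc=$?
  return "$rc"
}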
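#######################################
# Publish one internal TCP service on an outside interface (DNAT).
#
# Arguments:
#   $1 - outside interface the connection arrives on (e.g. tun0)
#   $2 - outside TCP port to accept connections on
#   $3 - inside address to forward to
#   $4 - inside TCP port to forward to
#   $5 - optional source network/host (CIDR) allowed to use the mapping;
#        when omitted any source reaching $1 may connect (original behaviour)
# Outputs:
#   "$1:$2 -> $3:$4" on stdout once both rules are in place.
# Returns:
#   2 if a required argument is missing (nothing is changed); the status of
#   a failing iptables call (success line is then NOT printed); else 0.
# Side effects:
#   sets net.ipv4.conf.all.forwarding=1 and net.ipv6.conf.all.forwarding=1.
#
# Security notes:
#   - TCP only (-p tcp): UDP services are not forwarded by this function.
#   - The POSTROUTING MASQUERADE rewrites the client's source address to
#     this router's, so $3 only ever sees connections "from the router";
#     its logs, rate limiting or brute-force protection cannot tell clients
#     apart.  Use $5 or a FORWARD rule on this router to limit exposure.
#   - IPv6 forwarding is switched on although only IPv4 (iptables) rules
#     are installed and this script never configures ip6tables; if any
#     interface has global IPv6 connectivity the host becomes an
#     unfiltered IPv6 router.  Remove that sysctl unless IPv6 routing is
#     actually wanted.
#######################################
forward_port () {
  local out_iface=$1
  local out_port=$2
  local in_addr=$3
  local in_port=$4
  local allowed_src=${5:-}
  local rc=0

  if [[ -z "$out_iface" || -z "$out_port" || -z "$in_addr" || -z "$in_port" ]]; then
    printf 'usage: forward_port OUTSIDE_IFACE OUTSIDE_PORT INSIDE_ADDR INSIDE_PORT [ALLOWED_SRC]\n' >&2
    return 2
  fi

  sysctl net.ipv4.conf.all.forwarding=1 > /dev/null
  sysctl net.ipv6.conf.all.forwarding=1 > /dev/null

  # Build the DNAT rule as an array so the optional source filter slots in
  # without string concatenation.
  local dnat=(-A PREROUTING -t nat -p tcp -i "$out_iface")
  if [[ -n "$allowed_src" ]]; then
    dnat+=(-s "$allowed_src")
  fi
  dnat+=(--dport "$out_port" -j DNAT --to-destination "$in_addr:$in_port")

  iptables "${dnat[@]}" || rc=$?
  iptables -A POSTROUTING -t nat -p tcp -d "$in_addr" --dport "$in_port" -j MASQUERADE || rc=$?

  if (( rc != 0 )); then
    printf 'forward_port: failed to add rules for %s:%s -> %s:%s\n' \
      "$out_iface" "$out_port" "$in_addr" "$in_port" >&2
    return "$rc"
  fi
  printf '%s:%s -> %s:%s\n' "$out_iface" "$out_port" "$in_addr" "$in_port"
}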
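# NOTE(review): the Usage section above calls forward_internet with
# 10.44.7.0/24 (the network every forwarded host below lives in) while this
# listing uses 192.168.1.0/24 -- confirm which client network is intended.

# iptables and the sysctl writes need CAP_NET_ADMIN; fail early instead of
# letting every call below error out one by one.
if (( EUID != 0 )); then
  printf 'forward.sh: must be run as root\n' >&2
  exit 1
fi

reset_iptables
forward_internet 192.168.1.0/24 wlan0

# Port mappings, one per entry: OUTSIDE_IFACE OUTSIDE_PORT INSIDE_ADDR INSIDE_PORT.
# Every mapping is reachable by anything that can send packets to its
# outside interface; no source restriction is applied here, so the entries
# landing on inside port 22 and on 25/465/587 are open to the whole network
# behind tun0.
rules=(
  "tun0 8006 10.44.7.159 8006"
  "tun0 8007 10.44.7.157 8006"
  "tun0 7860 10.44.7.103 7860"
  "tun0 7861 10.44.7.100 7861"
  "tun0 7862 10.44.7.100 7862"
  "tun0 22001 10.44.7.111 22"
  "tun0 22002 10.44.7.100 22"
  "tun0 22003 10.44.7.105 22"
  "tun0 80 10.44.7.111 80"
  "tun0 443 10.44.7.111 443"
  "tun0 35566 10.44.7.112 35566"
  "wlan0 8006 10.44.7.159 8006"
  "wlan0 8007 10.44.7.157 8006"
  "tun0 8033 10.44.7.114 80"
  "tun0 25 10.44.7.102 25"
  "tun0 587 10.44.7.102 587"
  "tun0 465 10.44.7.102 465"
)
for rule in "${rules[@]}"; do
  read -r out_iface out_port in_addr in_port <<<"$rule"
  forward_port "$out_iface" "$out_port" "$in_addr" "$in_port"
done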
Devices with a 192.168.1.x address can use this router as their default gateway to reach the Internet:
TCP connections arriving on interface tun0 for port 8006 are forwarded to 10.44.7.159:8006; note that no source restriction is applied, so anyone who can reach tun0 can use this mapping:
# DNAT tun0:8006 to the internal host; replies are masqueraded back.
forward_port tun0 8006 10.44.7.159 8006