
Can I iptables (DNAT & SNAT) according the target domain?

Discussion in 'Tomato Firmware' started by blackantt, Mar 13, 2017.

  1. blackantt

    blackantt Reformed Router Member

    Hi,

    I want to DNAT & SNAT according to domain and port. Can I do it?

    Right now I do DNAT & SNAT according to port only, as follows, and it works well.

    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8989 -j DNAT --to-destination 4.6.6.6
    iptables -t nat -A PREROUTING -p udp -m udp --dport 8989 -j DNAT --to-destination 4.6.6.6
    iptables -t nat -A POSTROUTING -d 4.6.6.6/32 -p tcp -m tcp --dport 8888 -j SNAT --to-source 7.8.9.2
    iptables -t nat -A POSTROUTING -d 4.6.6.6/32 -p udp -m udp --dport 8888 -j SNAT --to-source 7.8.9.2
    ....forward.....

    Can I add a target-domain (multiple IPs) condition like this?
    iptables -t nat -A PREROUTING -p tcp -m tcp $target-domain --dport 8989 -j DNAT --to-destination 4.6.6.6 # a special packet: forward to another server
    .....
    iptables -t nat -A PREROUTING -p tcp -m tcp ! $target-domain --dport 8989 -- to local # an ordinary packet: handled locally

    Or does it need iptables + ipset? How do I do it?

    thanks
     
  2. eibgrad

    eibgrad Network Guru Member

    Whether you can is just a function of whether iptables will let you reference a domain name within a given context. I know sometimes it does, such as for -s (source) or -d (destination). But whether that's available under all options, I have no clue. You just have to try it and find out.

    Even if it does work, one of the problems w/ using domain names is that some sites now use various forms of load balancing via DNS (e.g., round-robin). At least w/ round-robin, you would likely get all the IPs, provided the site wasn't too big. For larger websites, it may be impractical. Each call to DNS may return different IPs!

    That's why using ipset is preferred in some cases. With the help of DNSMasq, ipset's hash table(s) are updated w/ the most current results from its DNS queries. You can then use the set module to match those IPs in your firewall rules.

    DNSMasq:
    Code:
    ipset=/amazon.com/amazon_ips
    IOW, DNSMasq keeps the hash table amazon_ips updated w/ results of queries to the amazon.com domain.

    Firewall
    Code:
    iptables ... -m set --match-set amazon_ips ... 
    And your firewall rules then match based on the content of that hash table.

    ipset syntax has changed in recent versions, requires loading different modules, etc. So it's a little more complicated to set up than I'm describing here. We can get into specific details if that proves desirable. I just wanted to give the big picture for the moment. Esp. if ipset proves to be overkill. It's much more useful when you don't know ahead of time all the public IPs any given domain name(s) may resolve to. It helps because the process of matching in the firewall rule now becomes dynamic rather than static.
     
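    The three pieces described in the reply above (an ipset, a dnsmasq `ipset=` line and `-m set` firewall rules), wired together as an added example that is not code from either poster; it also shows the negated `! --match-set` branch the first post asked about. The set name, port and addresses are the thread's own placeholders, `/etc/dnsmasq.d/ipset.conf` is an assumed config path, and `DRY_RUN=1` prints the commands instead of running them.

```sh
#!/bin/sh
# Added example (not from the thread): ipset + dnsmasq + iptables -m set,
# with the negated "! --match-set" branch for traffic that stays local.
# Set name, port and addresses are the thread's placeholders.
# DRY_RUN=1 prints every command instead of executing it.

run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Append an iptables rule only if it is not already present (idempotent).
add_rule() {
    table=$1; chain=$2; shift 2
    [ -z "$DRY_RUN" ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null && return 0
    run iptables -t "$table" -A "$chain" "$@"
}

# Print the dnsmasq lines that make it add resolved A records to SET.
dnsmasq_conf_lines() {
    set_name=$1; shift
    for d in "$@"; do printf 'ipset=/%s/%s\n' "$d" "$set_name"; done
}

# selective_dnat SET PORT TARGET_IP SNAT_IP DOMAIN...
# Traffic to PORT whose destination is in SET is DNATed to TARGET_IP and
# SNATed with SNAT_IP on the way out; other traffic to PORT stays local.
selective_dnat() {
    set_name=$1; port=$2; target=$3; snat_src=$4; shift 4
    run ipset create "$set_name" hash:ip -exist          # ipset 6.x syntax
    if [ -n "$DRY_RUN" ]; then dnsmasq_conf_lines "$set_name" "$@"
    else dnsmasq_conf_lines "$set_name" "$@" >> /etc/dnsmasq.d/ipset.conf; fi  # assumed path
    for proto in tcp udp; do
        # The set match compares the IP header's destination, so these rules
        # only work where that is the real destination, not a VPN endpoint.
        add_rule nat PREROUTING -p "$proto" -m set --match-set "$set_name" dst \
            -m "$proto" --dport "$port" -j DNAT --to-destination "$target"
        # Explicit "everything else stays here"; the DNAT above already skips it.
        add_rule nat PREROUTING -p "$proto" -m set ! --match-set "$set_name" dst \
            -m "$proto" --dport "$port" -j ACCEPT
        add_rule nat POSTROUTING -d "$target/32" -p "$proto" -m "$proto" \
            --dport "$port" -j SNAT --to-source "$snat_src"
        add_rule filter FORWARD -d "$target/32" -p "$proto" -m "$proto" \
            --dport "$port" -j ACCEPT
    done
}

# Thread's values: set "test", port 1989, target-vps and middle-vps addresses.
if [ -n "$DRY_RUN" ]; then
    selective_dnat test 1989 40.77.96.174 40.77.185.129 whatismyipaddress.com
fi
```

    Run it with `DRY_RUN=1 sh selective_dnat.sh` first to review the rules; dnsmasq must be restarted after its config changes, and the set fills only as clients resolve the listed domains through it.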
  3. blackantt

    blackantt Reformed Router Member

    Sorry, I forgot: both VPSs are VPN servers. Maybe that's the root cause. So in which chain can I do a selection with ipset? (I think after the packets from the PC arrive and are decrypted, then I can choose and forward them, am I right?)

    I have done everything I can, but it's still abnormal. Can you give me more hints?
    I have 2 VPSs: one is 40.77.185.129 as middle-vps (if the dst of an incoming packet is in ipset test, forward it to target-vps, otherwise handle it itself), the other is 40.77.96.174 as target-vps.

    [middle-vps]#iptables -m set -h
    iptables v1.4.21
    ...
    set match options:
    [!] --match-set name flags [--return-nomatch]
    ...


    [middle-vps]#ipset -v
    ipset v6.19

    [middle-vps]#dnsmasq -v
    Dnsmasq version 2.66 Copyright (c) 2000-2013 Simon Kelley
    Compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth


    [middle-vps]# dig whatismyipaddress.com
    ;; ANSWER SECTION:
    whatismyipaddress.com. 19 IN A 104.66.15.245
    ;; Query time: 5 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri Mar 17 08:26:47 UTC 2017
    ;; MSG SIZE rcvd: 66


    [middle-vps]# ipset list
    Name: test
    Type: hash:ip
    Revision: 1
    Header: family inet hashsize 1024 maxelem 65536
    Size in memory: 16560
    References: 2
    Members:
    23.199.152.235
    104.66.15.245
    [middle-vps]# iptables-save
    # Generated by iptables-save v1.4.21 on Fri Mar 17 08:24:48 2017
    *nat
    -A PREROUTING -p tcp -m set --match-set test dst -m tcp --dport 1989 -j DNAT --to-destination 40.77.96.174
    -A PREROUTING -p udp -m set --match-set test dst -m udp --dport 1989 -j DNAT --to-destination 40.77.96.174
    -A POSTROUTING -d 40.77.96.174/32 -p udp -m udp --dport 1989 -j SNAT --to-source 40.77.185.129
    -A POSTROUTING -d 40.77.96.174/32 -p tcp -m tcp --dport 1989 -j SNAT --to-source 40.77.185.129
    *filter
    :INPUT ACCEPT [12139:4556698]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [13730:5014005]
    -A FORWARD -p udp -m udp --dport 1989 -j ACCEPT
    -A FORWARD -p tcp -m tcp --dport 1989 -j ACCEPT
    -A FORWARD -p tcp -m tcp --sport 1989 -j ACCEPT
    -A FORWARD -p udp -m udp --sport 1989 -j ACCEPT
    COMMIT
    # Completed on Fri Mar 17 08:24:48 2017


    Accessing whatismyipaddress.com with Explorer, the IP is 40.77.185.129 (middle-vps); that's not what I need!

    ---------------------------- Then try it without ipset test

    [middle-vps]# iptables -t nat -D PREROUTING -p tcp -m set --match-set test dst -m tcp --dport 1989 -j DNAT --to-destination 40.77.96.174
    [middle-vps]# iptables -t nat -D PREROUTING -p udp -m set --match-set test dst -m udp --dport 1989 -j DNAT --to-destination 40.77.96.174
    [middle-vps]# iptables -t nat -I PREROUTING -p tcp -m tcp --dport 1989 -j DNAT --to-destination 40.77.96.174
    [middle-vps]# iptables -t nat -I PREROUTING -p udp -m udp --dport 1989 -j DNAT --to-destination 40.77.96.174
    [middle-vps]# systemctl restart dnsmasq.service

    Accessing whatismyipaddress.com with Explorer, the IP is 40.77.96.174 (target-vps), but I want part of the packets (in ipset test) forwarded to .174 and the rest (! ipset test) to go to middle-vps.

    What's the problem?
    Last edited: Mar 18, 2017
  4. blackantt

    blackantt Reformed Router Member

    Sorry, I forgot something: middle-vps and target-vps are both VPN servers. The routing is as follows:
    [attached image: 2.jpg]
    Incoming packets from the PC to middle-vps will be decrypted. Can I do a selection after the packet is decrypted, then forward part of them to the vpn2 server? In which chain can I do a selection?
     
  5. eibgrad

    eibgrad Network Guru Member

    One of the common traits I see in your posts is this tendency to get into the details of the plumbing before ever explaining the big picture. You started off w/ all this talk about DNAT/SNAT, and now we're dealing w/ multiple OpenVPN servers, VPSes, etc.

    This is why so few ppl respond. They (like me) get lost in a sea of details without having a clue what you're trying to accomplish.

    So PLEASE, explain the problem you're trying to solve, IN PLAIN ENGLISH! I don't care about the plumbing. Unless I can understand the problem being solved, the plumbing is just a distraction. Heck, your proposed solution may be entirely wrong. But no one can know one way or the other until they understand what the problem is.
     
  6. blackantt

    blackantt Reformed Router Member

    Yes, it's my fault, because I can't describe everything clearly. I'm a newbie trying to solve problems with complex iptables, routers and tools. Most of them are beyond my ability. :)
    Someone gave me a hint, and now I have realized the root of the failure. Before, I wanted to match some info in an encrypted packet; now I have a new idea: I should do the selection before the packet goes through the VPN.

    Sorry for the confused description.
     