iptables conundrum

Ok, if you're reading this, prepare yourself. (Debian-based OS)

So I'm trying to do this routing with iptables. I need to forward/SNAT traffic from 192.168.111.1 to 10.10.10.250. The 192.x.x.x IPs are being shoved into a honeyd-like program called inetsim, so it's offline; 10.10.10.125 is connected to the internet. How do I get the traffic from 192.168.111.4 to 10.10.10.250:41004?

And I need it to at least be a specified port range for 192.168.111.4, since the ports vary from 49100-50000.

I've tried a lot of different iptables rules only to be thwarted many times. I got it working one time, but I broke it somehow and I don't know how I did that.

Please help! :slight_smile: If you need to see my current/old rules, let me know. I can sanitize them rather quickly.

You say 192.168.111.1 but then 192.168.111.4. There's a range? Can you better describe what's happening?

You must also account for traffic in both directions.
SNAT from 192.168.111.1 to 10.10.10.250
DNAT from 10.10.10.250 to 192.168.111.1

Sorry! The first set of numbers is supposed to be 192.168.222.4. More to add would be that 192.168.222.2 is the gateway and DNS of 192.168.222.4.

And yes, there is a port range. I think that's only the case if it can't connect to the server on 10.10.10.250. But the program I need to use eats all traffic that isn't needed.

So in turn it's 10.10.10.250 being the reporting box, 10.10.10.125 being the live connection to the web to hit said reporting box, and 192.168.222.2 being the gateway/DNS server of 192.168.222.4.

192.168.222.4 > 192.168.222.2 > 10.10.10.125 > 10.10.10.250

I say this because the last time I had it working it showed 10.10.10.125 as the address for 192.168.222.4 (I assume that's masquerading) on the reporting box, and in the inetsim config file it says what IP should be used if inetsim will act as a router for certain traffic.

This is a malware traffic analysis box, so it needs to only have this one IP address allowed on this one port so that it can report findings of files run to said box.

The inetsim program also makes its own rules that are pretty annoying. At one point I had it telling me that it was established, but it wasn't showing activity on the destination server. And now it's back to square one. Let me know if you need more details. Sorry for the typo!

And I have traffic from 10.10.10.250 already accepted; it's from 192.168.222.2 that I can't get routed.

Can you give me an example of how to do that? The way it's set up in my environment is getting confusing.
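Here is an added example rule set for the path described in the thread (192.168.222.4 > 192.168.222.2 > 10.10.10.125 > 10.10.10.250:41004); it is not from any poster. It assumes 192.168.222.2 and 10.10.10.125 are two interfaces of the same gateway box (interface names eth1/eth0 are placeholders), and it prints the commands for review unless run with APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. Forward one TCP flow from the sandbox
# host (source ports 49100-50000) to the reporting box on port 41004, SNATed
# to the gateway's internet-side address so the reporting box sees 10.10.10.125.
set -e

SANDBOX=192.168.222.4      # malware analysis host (from the thread)
SANDBOX_IF=eth1            # ASSUMED: gateway NIC holding 192.168.222.2
OUT_IF=eth0                # ASSUMED: gateway NIC holding 10.10.10.125
OUT_ADDR=10.10.10.125
REPORT=10.10.10.250
REPORT_PORT=41004
SPORTS=49100:50000         # iptables port-range syntax is low:high

# Dry-run by default: print the commands instead of applying them.
if [ "${APPLY:-0}" = "1" ]; then IPT=iptables; else IPT="echo iptables"; fi

rules() {
  # 1. The gateway must route between its two NICs at all.
  echo "sysctl -w net.ipv4.ip_forward=1"
  # 2. Default-deny forwarding so inetsim keeps absorbing everything else.
  $IPT -P FORWARD DROP
  # 3. The single permitted flow: one source host, one destination, one
  #    destination port, and only the expected source-port range.
  $IPT -A FORWARD -i "$SANDBOX_IF" -o "$OUT_IF" -p tcp -s "$SANDBOX" -d "$REPORT" \
       --sport "$SPORTS" --dport "$REPORT_PORT" \
       -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  # 4. Replies come back through conntrack, which undoes the SNAT itself;
  #    no separate DNAT rule is needed for the return direction.
  $IPT -A FORWARD -i "$OUT_IF" -o "$SANDBOX_IF" \
       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 5. Rewrite the source address for this flow only (the "masquerading"
  #    that made 10.10.10.125 show up on the reporting box).
  $IPT -t nat -A POSTROUTING -o "$OUT_IF" -p tcp -s "$SANDBOX" -d "$REPORT" \
       --dport "$REPORT_PORT" -j SNAT --to-source "$OUT_ADDR"
}

rules
```

Since inetsim adds its own rules, check `iptables -t nat -S PREROUTING` on the gateway first: a REDIRECT rule there that matches this flow will grab it before FORWARD ever sees it, so the 41004 flow needs to be exempted from those rules.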