Hello, dear Habr readers.
Surely many of you, like me, have run into the same problem: we need to forward a port (or several) through iptables to our virtual or physical machines, but the provider gives us a real (public, not private) IP address that is dynamic, as is typical with VPN or PPPoE connections.
I have PPPoE, and the provider changes my IP every three days. Despite that, the test server has to stay reachable regardless of what my external IP currently is.
I propose my own solution to this problem.
So, we have: a server on Ubuntu 10.04
(Linux nwserver 2.6.32-40-server #87-Ubuntu SMP Tue Mar 6 02:10:02 UTC 2012 x86_64 GNU/Linux, iptables v1.4.4) and a second server, to which we need to forward the ports.
Our actions:
1.) Create a file that the script will need for its work
(you can name it as you please, just do not forget to change the path in the script accordingly). Our dynamic real IP will be written to it and read by the script.
touch /tmp/ip_old
2.) Now we write the script itself, which I named 0iptup:
#!/bin/sh
IPT="/sbin/iptables -v"
# the internal machine that receives the forwarded ports
VSERV_IP=192.168.200.2
# take the current real IP from the ppp0 interface and remember it in the file;
# the line looks like "inet <local> peer <remote>/32 ...", so field 2 is our address
ip addr show ppp0 | grep "inet" | grep "peer" | awk '{print $2}' > /tmp/ip_old
REAL_IP=`cat /tmp/ip_old`
# no address on ppp0 means there is nothing to forward
[ -n "$REAL_IP" ] || exit 0
# web: external port 81 is forwarded to port 80 on the internal server
$IPT -t nat -A PREROUTING -d $REAL_IP -p tcp -m tcp --dport 81 -j DNAT --to-destination $VSERV_IP:80
# after DNAT the packet already carries port 80, so the SNAT rule must match on 80
$IPT -t nat -A POSTROUTING -d $VSERV_IP -p tcp -m tcp --dport 80 -j SNAT --to-source $REAL_IP
# ssh: external port 22 is forwarded to port 22 on the internal server
$IPT -t nat -A PREROUTING -d $REAL_IP -p tcp -m tcp --dport 22 -j DNAT --to-destination $VSERV_IP:22
$IPT -t nat -A POSTROUTING -d $VSERV_IP -p tcp -m tcp --dport 22 -j SNAT --to-source $REAL_IP
3.) Make the script executable: chmod +x 0iptup
Place it in the /etc/init.d/ folder, then enable it at boot with update-rc.d: update-rc.d 0iptup defaults
Create a symbolic link to it in /etc/ppp/ip-up.d/
4.) In the same place, in /etc/init.d/, create the second script, 0iptdown:
#!/bin/sh
iptables-restore < /etc/iptables.up.rules
Make it executable and enable it at boot with update-rc.d: update-rc.d 0iptdown defaults
Create a symbolic link to it in /etc/ppp/ip-down.d/
Everyone's iptables rules are different, so put the path to your own configuration file here, but do not forget to allow the forwarded ports in the filter table of that file:
*filter
-A FORWARD -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i ppp0 -p tcp -m tcp --dport 81 -j ACCEPT
COMMIT
How it works in practice: when the ppp0 interface comes up, the script runs automatically and adds the rules to the firewall tables for exactly as long as ppp0 is active; as soon as it goes down, the second script restores the original settings, which is very convenient with a dynamic IP address.
Then, using DynDNS, No-IP, or whatever you prefer, you can always reach your virtual / test machines.
Possible disadvantages: if you have, say, a VPN server on a production machine, and its clients get ppp1, ppp2, and so on, and the connection to the provider drops while someone is connected at that moment, that client can end up with the ppp0 interface, and the port forwarding will be applied to that client.
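The disadvantage above comes from keying the rules to the interface name and reading the address from a file rather than from the event that triggered the script. pppd invokes every script in /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/ with the arguments <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam> (Debian's wrappers also export them as PPP_IFACE, PPP_LOCAL and friends), so a hook can take the real IP from its own arguments and refuse to act for any link other than the provider one. The following is an added example, not the post's own script: a single hook meant to be symlinked into both ip-up.d and ip-down.d, which builds the DNAT and FORWARD rules as text so that the rule set can be checked without touching the firewall. The names forward_rules and WAN_IFACE are assumptions; VSERV_IP and the port pairs are the ones from the post.

```shell
#!/bin/sh
# Added example (not the original post's code): an /etc/ppp/ip-{up,down}.d hook
# that installs or removes the port forwards only for the provider link.
# pppd calls it as: <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>

WAN_IFACE=${WAN_IFACE:-ppp0}          # the PPPoE link to the provider (assumed name)
VSERV_IP=${VSERV_IP:-192.168.200.2}   # internal test server from the post
IPT=${IPT:-/sbin/iptables}            # iptables binary; override for experiments

# forward_rules <add|del> <iface> <local-ip>
# Prints one iptables command per line. Prints nothing and returns 1 when the
# interface is not the WAN link or the address is not a plain IPv4 address, so
# a VPN client that grabbed ppp1 (or a bad argument) never produces a rule.
forward_rules() {
    mode=$1 iface=$2 real_ip=$3
    [ "$iface" = "$WAN_IFACE" ] || return 1
    case "$real_ip" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    case "$mode" in
        add) op=-A ;;
        del) op=-D ;;
        *)   return 1 ;;
    esac
    # external 81 -> internal 80 (web), external 22 -> internal 22 (ssh)
    for pair in 81:80 22:22; do
        ext=${pair%:*}
        int=${pair#*:}
        # DNAT keyed to the incoming interface and the address pppd just gave us
        echo "$IPT -t nat $op PREROUTING -i $iface -d $real_ip -p tcp --dport $ext -j DNAT --to-destination $VSERV_IP:$int"
        # FORWARD accept limited to the DNAT target, not every host behind the router
        echo "$IPT -t filter $op FORWARD -i $iface -d $VSERV_IP -p tcp --dport $int -j ACCEPT"
    done
    return 0
}

# Entry point when invoked by pppd; a no-op when run without arguments.
# The same file serves both directories: the path it is run from selects add/del.
iface=${1:-$PPP_IFACE}
local_ip=${4:-$PPP_LOCAL}
if [ -n "$iface" ] && [ -n "$local_ip" ]; then
    case "$0" in
        *ip-down*) mode=del ;;
        *)         mode=add ;;
    esac
    forward_rules "$mode" "$iface" "$local_ip" | while read -r cmd; do
        $cmd
    done
fi
```

Because the rules are generated from the arguments of the current event, the ip-down hook deletes exactly the rules the ip-up hook added for that address, and no state file is needed; the iptables-restore fallback from the post can stay as a safety net in the down script.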
This is the fruit of half a week of torment and poring over man iptables.
Additions and improvements are welcome.