Port Forwarding -> Two NATs

Recalling Throw Away Your Router, the router and NAT setup was still available on the machine used to configure the APU. Keeping the configuration around has been valuable, as there are often other headless or unconfigured devices that need a wired connection, e.g. Raspberry Pis. My team was about to deploy our vulnerability management solution to a remote site. To test that it worked properly, it was handed off to perform a scan of my home network. Scans worked as expected. The team then wanted to make some last-minute changes to the deployment via Ansible, so they needed to access it via SSH.

How can a port forwarded on the router / firewall get through a second NAT?

As a refresher, the current router at 10.0.0.1 is running iptables and already performing DNAT port forwarding. This is what is currently in the PREROUTING chain of the nat table:

    # iptables -t nat -L PREROUTING
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:ssh to:10.0.0.3:22

Applied via (note the -t nat: DNAT lives in the nat table, and without the table flag iptables looks for a PREROUTING chain in the filter table, which does not exist, and fails):

    # iptables -t nat -A PREROUTING -p tcp -m tcp -i ${WAN_INTERFACE} --dport 22 -j DNAT --to-destination 10.0.0.3:22

This allows SSH, TCP/22, from the internet to land on host 10.0.0.3. The desktop host at 10.0.0.10 has two interfaces with addresses:

  • eth0: 192.168.0.1/24
  • wlan0: 10.0.0.10/24

The wired interface eth0 hands out DHCP addresses in the 192.168.0.0/24 network via dnsmasq, which also hands out 192.168.0.1 as the default gateway, so replies from the wired segment come back through the desktop. Since TCP/22 is already taken on the router and forwarded to 10.0.0.3, let's use TCP/2022 instead. Remember the nat table above from the router; let's add another rule to it:

    # iptables -t nat -A PREROUTING -p tcp -m tcp -i ${WAN_INTERFACE} --dport 2022 -j DNAT --to-destination 10.0.0.10:2022

Ensuring it applied:

    # iptables -t nat -L PREROUTING
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:ssh to:10.0.0.3:22
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:2022 to:10.0.0.10:2022

On the 10.0.0.10 host, the kernel must have IP forwarding enabled (it already does if this box is still acting as the router for the wired segment; sysctl net.ipv4.ip_forward should print 1) and then be instructed to rewrite traffic arriving on TCP/2022 to our destination address 192.168.0.9 and the specified port:

    # iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 2022 -j DNAT --to-destination 192.168.0.9:22

As well as be instructed to ACCEPT the forwarded traffic. Keep in mind that PREROUTING runs before the FORWARD chain sees the packet, so by the time FORWARD evaluates it the destination is already 192.168.0.9:22. A FORWARD rule matching -d 10.0.0.10 --dport 2022 would never fire; it only appears to work while the FORWARD policy is ACCEPT, and breaks silently the day the policy is tightened to DROP.

    # iptables -A FORWARD -i wlan0 -o eth0 -p tcp -d 192.168.0.9 --dport 22 -j ACCEPT

Ensure these applied, this time in two different tables: nat as well as filter. Adding -v to either listing shows packet and byte counters, which is the quickest way to see whether a hop is receiving the traffic at all.

    # iptables -t nat -L PREROUTING
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    DNAT       tcp  --  anywhere             anywhere             tcp dpt:2022 to:192.168.0.9:22

    # iptables -t filter -L FORWARD
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     tcp  --  anywhere             192.168.0.9          tcp dpt:ssh

Two caveats: rules added with iptables -A do not survive a reboot (persist them with iptables-save or your distribution's mechanism), and this exposes an SSH service on the wired device to the whole internet. If the team's source address is known, restrict the router rule with -s to that address.

Obligatory ASCII networking graphic:

                                             Desktop (10.0.0.10)
                                      wlan0: 10.0.0.10/24   eth0: 192.168.0.1/24
    +----------+                          +---------+                  +------------+
    | Alix /   |    (((o)))     (((o)))   |         |      wired       | Vuln Mgmt  |
    | Router   | <-----TCP/2022-------->  | Desktop |------------------| Device     |
    | 10.0.0.1 |                          |         |   <--TCP/22-->   |            |
    +----------+                          +---------+                  +------------+
         ^                                                          eth0: 192.168.0.9/24
         |
      TCP/2022
         |
      Internet

@nullanvoid
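As an added example (not code from the original post), here is the whole two-hop configuration rendered as iptables-restore fragments, one per hop, so the rules can be reviewed before they touch the live tables. The addresses and interface names are the ones from the post; WAN_INTERFACE falls back to an assumed eth0 when unset, the script name twohop.sh is hypothetical, and the --ctstate matches and the ip_forward check are additions for the case where the FORWARD policy is DROP rather than ACCEPT as in the listings above. The two FORWARD rules are deliberately side by side: on the router the post-DNAT destination is 10.0.0.10:2022, on the desktop it is 192.168.0.9:22.

```sh
#!/bin/sh
# Added example, not the original post's code: renders the two-hop DNAT
# rule set in iptables-restore syntax, one hop at a time, and optionally
# appends it to the live tables. Names/addresses follow the post;
# WAN_INTERFACE defaults to an assumed "eth0" if the environment lacks it.
set -eu

PUBLIC_PORT=2022                      # port exposed on the router's WAN side
ROUTER_WAN="${WAN_INTERFACE:-eth0}"   # router WAN interface (assumed default)
DESKTOP_WLAN=wlan0                    # desktop, router-facing side
DESKTOP_WLAN_IP=10.0.0.10
DESKTOP_LAN=eth0                      # desktop, wired-segment side
TARGET_IP=192.168.0.9                 # vuln-mgmt device on the wired segment
TARGET_PORT=22

# Hop 1, on the router: rewrite WAN:2022 to the desktop's wlan0 address.
# FORWARD runs after PREROUTING, so here it matches 10.0.0.10:2022.
router_rules() {
  cat <<EOF
*nat
-A PREROUTING -i ${ROUTER_WAN} -p tcp -m tcp --dport ${PUBLIC_PORT} -j DNAT --to-destination ${DESKTOP_WLAN_IP}:${PUBLIC_PORT}
COMMIT
*filter
-A FORWARD -i ${ROUTER_WAN} -p tcp -d ${DESKTOP_WLAN_IP} --dport ${PUBLIC_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Hop 2, on the desktop: rewrite again to the wired device. By the time
# FORWARD sees the packet the destination is already 192.168.0.9:22, so a
# rule for 10.0.0.10:2022 would never match here.
desktop_rules() {
  cat <<EOF
*nat
-A PREROUTING -i ${DESKTOP_WLAN} -p tcp -m tcp --dport ${PUBLIC_PORT} -j DNAT --to-destination ${TARGET_IP}:${TARGET_PORT}
COMMIT
*filter
-A FORWARD -i ${DESKTOP_WLAN} -o ${DESKTOP_LAN} -p tcp -d ${TARGET_IP} --dport ${TARGET_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Selects the rule set for a hop name; fails on anything else.
rules_for() {
  case "$1" in
    router)  router_rules ;;
    desktop) desktop_rules ;;
    *) echo "unknown hop: $1 (expected router|desktop)" >&2; return 1 ;;
  esac
}

# Appends the hop's rules to the live tables without flushing existing ones.
# DNAT alone does nothing on hop 2 if the kernel is not forwarding, so the
# desktop apply refuses to proceed when ip_forward is off.
apply_hop() {
  hop="$1"
  [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
  if [ "$hop" = desktop ] && [ "$(sysctl -n net.ipv4.ip_forward)" != 1 ]; then
    echo "net.ipv4.ip_forward is 0 on this host; enable it before applying" >&2
    return 1
  fi
  rules_for "$hop" | iptables-restore --noflush
}

# Usage: ./twohop.sh [render|apply] [router|desktop]   (script name is hypothetical)
case "${1:-render}" in
  render) for hop in ${2:-router desktop}; do echo "## $hop"; rules_for "$hop"; done ;;
  apply)  apply_hop "${2:?hop name required (router|desktop)}" ;;
esac
```

Run it with render to preview both hops, or render desktop for one; apply desktop (as root, on the 10.0.0.10 host) appends that hop's rules with iptables-restore --noflush so the rest of the existing NAT setup is left untouched. The ESTABLISHED,RELATED rule is what lets the return path through when the FORWARD policy is DROP; with policy ACCEPT, as in the listings above, it is redundant but harmless.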