Bliepo
Posts: 15
Joined: Sun Dec 23, 2012 11:29 pm

IPtables help

Mon Aug 20, 2018 6:22 pm

Hello everybody!

I'm in desperate need of some iptables help - this problem has had me stumped for hours. The situation is as follows:
Image

I have a raspberry pi that is connected to the network using the onboard ethernet and an additonal USB ethernet adapter. This USB ethernet adapter is connected to a security camera and I'd like to 'redirect' VPN traffic and traffic from the onboard ethernet connection that has port 443 as a destination to the security camera. Now I do have some experience with iptables, but it has been quite some time since I last had to work with it and I just can't seem to figure it out.

I have the following iptables script:

Code: Select all

#!/bin/sh
LAN_IP="192.168.1.2"
LAN_IP_RANGE="192.168.1.0/24"
LAN_IFACE="enxb827eb75ecc0"

FOSCAM_IP="192.168.0.3"
FOSCAM_GATEWAY="192.168.0.1"
FOSCAM_IP_RANGE="192.168.0.0/24"
FOSCAM_IFACE="eth0"

TUN_IP="10.7.0.1"
TUN_IP_RANGE="10.7.0.0/24"
TUN_IFACE="tun0"

LO_IP="127.0.0.1"
LO_IFACE="lo"

IPTABLES="/sbin/iptables"


###
# INPUT CHAIN
###
$IPTABLES -A INPUT -d $FOSCAM_IP_RANGE -i $FOSCAM_IFACE -j ACCEPT
$IPTABLES -A INPUT -d $LAN_IP -i $LAN_IFACE -j ACCEPT
$IPTABLES -A INPUT -d $LAN_IP -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

###
# FORWARD CHAIN
###
$IPTABLES -A FORWARD -s $FOSCAM_IP_RANGE -i $FOSCAM_IFACE \
    -o $LAN_IFACE -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $TUN_IFACE \
    -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -s $TUN_IP_RANGE -o $FOSCAM_IFACE -j ACCEPT
$IPTABLES -A FORWARD -s $TUN_IP_RANGE -o $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $FOSCAM_IFACE -o $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $FOSCAM_IFACE -j ACCEPT
$IPTABLES -A FORWARD -d $LAN_IP -i $LAN_IFACE -o $FOSCAM_IFACE \
    -p tcp -m tcp --dport 443 -j ACCEPT
$IPTABLES -A FORWARD -d $LAN_IP -i $LAN_IFACE -o $FOSCAM_IFACE \
    -p udp -m udp --dport 443 -j ACCEPT

###
# PREROUTING chain
###
$IPTABLES -t nat -A PREROUTING -d $LAN_IP -i $LAN_IFACE -p tcp -m tcp \
    --dport 443 -j DNAT --to-destination $FOSCAM_IP
$IPTABLES -t nat -A PREROUTING -d $TUN_IP -i $TUN_IFACE -p tcp -m tcp \
    --dport 443 -j DNAT --to-destination $FOSCAM_IP

###
# POSTROUTING
###
#$IPTABLES -t nat -A POSTROUTING -o $LAN_IFACE -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $TUN_IP_RANGE -o $FOSCAM_IFACE -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $TUN_IP_RANGE -o $LAN_IFACE -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o $FOSCAM_IFACE -j SNAT --to-source $LAN_IP
$IPTABLES -t nat -A POSTROUTING -o $FOSCAM_IFACE -j MASQUERADE
In case it's needed, the output from ifconfig:

Code: Select all

enxb827eb75ecc0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::ba27:ebff:fe75:ecc0  prefixlen 64  scopeid 0x20<link>
        ether b8:27:eb:75:ec:c0  txqueuelen 1000  (Ethernet)
        RX packets 134151  bytes 122072297 (116.4 MiB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 122913  bytes 86904086 (82.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.1  netmask 255.255.255.255  broadcast 0.0.0.0
        ether 64:d1:a3:2d:bb:ba  txqueuelen 1000  (Ethernet)
        RX packets 149088  bytes 9895034 (9.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 165118  bytes 15978497 (15.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 20020  bytes 1399537 (1.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20020  bytes 1399537 (1.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.7.0.1  netmask 255.255.255.255  destination 10.7.0.2
        inet6 fe80::951d:fad8:3087:6135  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 1534  bytes 110815 (108.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 757  bytes 106364 (103.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

SurferTim
Posts: 1764
Joined: Sat Sep 14, 2013 9:27 am
Location: Miramar Beach, Florida

Re: IPtables help

Mon Aug 20, 2018 9:17 pm

I don't see where you need iptables. This is a routing thing. Insure you have allowed ip forwarding.
Edit /etc/sysctl.conf and uncomment

Code: Select all

net.ipv4.ip_forward=1
That should allow most devices access to the camera, except "other devices" connected to the router. You will need to route that in the router.

Bliepo
Posts: 15
Joined: Sun Dec 23, 2012 11:29 pm

Re: IPtables help

Sun Oct 14, 2018 11:10 am

I checked my /etc/sysctl.conf and I already had forwarding enabled, so that's not the problem.

SurferTim
Posts: 1764
Joined: Sat Sep 14, 2013 9:27 am
Location: Miramar Beach, Florida

Re: IPtables help

Sun Oct 14, 2018 12:10 pm

Maybe this will work. To port forward

Code: Select all

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.3:443

Return to “Networking and servers”