
finish the article

products
Nico Schottelius 3 years ago
parent
commit
5bdf5d30df
  1. 130
      content/u/blog/nftables-magic-redirect-all-ports-to-one-port/contents.lr


@ -6,9 +6,9 @@ author: ungleich
---
twitter_handle: ungleich
---
_hidden: yes
_hidden: no
---
_discoverable: no
_discoverable: yes
---
abstract:
How to redirect traffic from all (tcp/udp) ports to another port.
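Review bot: flipping `_hidden: yes` to `_hidden: no` and `_discoverable: no` to `_discoverable: yes` publishes the page in the same change as the body rewrite, but the unchanged abstract still promises a redirect of "all (tcp/udp) ports" while the body in this commit settles on TCP/ssh and marks the UDP rule "# wireguard doesn't"; align the abstract with the body (or keep the page hidden) before making it discoverable.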
@ -16,111 +16,83 @@ And why one would want to do that...
---
body:
## The problem
Let's say you have a service running on a specific port, for instance
[wireguard](https://www.wireguard.com/) on **port 51820**, but you
would like to accept packets on **any** port and have it received by
your application.
As you might know we are [big fans of
nftables](https://ungleich.ch/de/cms/ungleich-blog/2018/08/19/iptables-vs-nftables/),
so we will use nftables to achieve this goal.
## Why would one want this?
There are a variety of reasons for doing this, including the
"because we can" case. However at
[ungleich](https://ungleich.ch) we have a real world use case: We
provide an [IPv6 VPN](https://ipv6vpn.ch) as a service to our
customers. This service is based on wireguard and is configured to
listen on port 51820.
## Motivation
Sometimes networks (like hotels or airports) block or filter
outgoing traffic and thus prevent our customers to be connected by
IPv6. Obviously this is not what we or our customers want.
outgoing traffic and thus prevent you to connect to where you want to
connect to.
Here at [ungleich](https://ungleich.ch) we are travelling quite a lot,
but we always want to be able to access the servers of
[Data Center Light](https://datacenterlight.ch), so that we can
maintain them from everywhere in the world, so we needed a way to
ensure that we have some way of connecting to them, even if the
network disallows traffic to the ssh port (tcp/22).
## A solution based on nftables
As you might know we are
[big fans of
nftables](https://ungleich.ch/de/cms/ungleich-blog/2018/08/19/iptables-vs-nftables/)
and this hotel/airport problem motivated us to once again checkout
what we can achieve just with nftables.
Typically these networks will still allow outgoing traffic on
*some ports*, but we don't know *which ports*.
Thus we will enable wireguard on *all ports*. Simple idea, isn't it?
So instead of guessing which port we should bind SSH to,
we will just use nftables to make ssh available on
*all TCP ports*. Simple idea, isn't it?
## How it works
To achieve our goal we need to tell nftables to take the traffic that
goes to any port that is not our target port, to be redirected to our
target part. If you have other services running on the host, you might
want to adjust this logic.
In nftables we have a lot of freedom naming and creating our own
chains
TO FIX HERE
ALSO maybe include only incoming packets modification or is it part of prerouting?!
want to adjust this logic though (see below). The following
nftables snippet will already do the job:
```
flush ruleset
table ip nat {
chain prerouting {
type nat hook prerouting priority filter; policy accept;
udp dport != 51820 jump vpnredirect
}
type nat hook prerouting priority 0;
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
tcp dport != 22 redirect to 22
}
chain postrouting {
type nat hook postrouting priority 0;
}
chain vpnredirect {
udp dport != 51820 redirect to :51820
}
}
```
## More sophisticated
You can save this as nftables.conf and run
```
[17:51:31] vpn-2a0ae5c1:~# cat /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table ip nat {
chain prerouting {
type nat hook prerouting priority -101;
# SSH works
#tcp dport != 22 redirect to 22
nft -f nftables.conf
```
# wireguard doesn't
#udp dport != 51820 redirect to 51820
#
tcp dport != 22 jump port_redirect
udp dport != 51820 jump port_redirect
}
to see it working on your system.
chain port_redirect {
counter comment "redirecting"
log prefix "port redir: "
After applying this, we can use `ssh -p <port>` to choose any port and
connect to our server:
# SSH works
tcp dport != 22 redirect to 22
```
ssh -p 80 serverX.placeY.ungleich.ch
```
# wireguard doesn't
udp dport != 51820 redirect to 51820
## Using specific ranges or ports only
}
If you have other services running on the system, you might want to
restrict the ports to be used for ssh. You can either use **sets**
(nftables syntax: *{ a, b, c, ... }*) or **intervals**
(nftables syntax: *X - Y*) as follows.
chain postrouting {
type nat hook postrouting priority -101;
counter comment "other side nat"
log prefix "port post-redir: "
}
}
```
tcp dport 2000-4000 redirect to :ssh
tcp dport {23, 25, 80, 443 } redirect to :ssh
```
## More of it?
## List of sites
You find the current list of sites on
[via-ipv6.com](https://via-ipv6.com). If you would like to have
another site added, just ping me on [IPv6.chat](https://IPv6.chat).
If you are interested in more of this, we invite you to join our
[open infrastructure chat on chat.ungleich.ch](https://chat.ungleich.ch).
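Review bot: the config shown under "You can save this as nftables.conf and run" starts with `flush ruleset`, which deletes every existing table when loaded with `nft -f nftables.conf`, including any filter chains already protecting the host; the article should either warn about this or scope the example to `flush table ip nat`. Two smaller points in the same hunk: the `log prefix "port redir: "` and `counter` lines inside `port_redirect` fire for every new connection to any non-22 TCP port (and any non-51820 UDP port) on every interface, so readers who keep them will log and redirect all unsolicited traffic to the host, which is exactly the case the "Using specific ranges or ports only" section addresses and could be cross-referenced there; and the comment `# wireguard doesn't` next to `udp dport != 51820 redirect to 51820` is left unexplained in the text, so either drop the UDP rule from the published snippet or say why it does not work.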
