Ok, i'm still working on creating a dmz'd http server
So now I have an ethernet tunnel using ssh -w 0:0 and I have interfaces on each end which can talk to each other:
So now I'm grappling with getting this http server to be visible to the outside net. Here is the complete setup
So I create a new ec2 instance and I run the setup:
source ./HOST scp -i green.pem server/* root@$HOST: ssh -i green.pem root@$HOST ./setup
it in turns runs the setup on the remote machine:
apt-get update apt-get install telnet echo 1 | tee /proc/sys/net/ipv4/ip_forward echo "PermitTunnel yes" >> /etc/ssh/sshd_config /etc/init.d/ssh restart
then I initiate the ssh connection:
sudo ./runserver $HOST:
HOST=$1 ssh -i green.pem root@$HOST -w 0:0 -o Tunnel=ethernet -o ServerAliveInterval=60
then inside of that ssh term I start routing the iptables forwarding:
##### # server routing # bring up the tap ifconfig tap0 up # route all traffic for 192.168.2.* through it ip route add 192.168.2.0/24 dev tap0 ##### # server iptables REMOTE_INTERNAL_IP=$1 iptables -F iptables -t nat -F ### end init firewall .. Start DMZ stuff #### # forward traffic between DMZ and LAN iptables -A FORWARD -i eth0 -o tap0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i tap0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Route incoming port to DMZ server 192.168.2.1 iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8000 -j DNAT --to-destination 192.168.2.1:8000 iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to $REMOTE_INTERNAL_IP ### End DMZ .. Add other rules ###
finally on the client i add the routes and port forwarding
########## # client HOST=$1 # bring up the tap ifconfig tap0 up # put an ip on it so we can listen ifconfig tap0 192.168.2.1 # add an explicit route for our ssh ip route add $HOST via 192.168.1.1 dev eth0 # make the tap the default routing ip route replace default dev tap0 # remove the default link #ip route del 192.168.2.0/24 dev tap0 proto kernel scope link src 192.168.2.1
and I start the web server
python -m SimpleHTTPServer
when I do a telnet 192.168.2.1 from either server it passes through fine. but if I do a telnet to $THE_REAL_IP it does not work.
if I put a MASQUERADE iptables rule, then it functions fine, but I'm doing to this to avoid MASQUERADE. I want to have the origin IP stay on the packet.
Any ideas what I'm doing wrong?
-----
more information
-----
Ok so now I have tried a whole lot more sets of attempts. And still nothing works.
The one I thought might work would be adding this to the client:
# these should route packets back to tap0 ip rule add from 192.168.2.0/24 table 42 ip route add default dev tap0 table 42
Because this should put a forced rule for everything that is written for 192.168.2.1 should go back through that tap0 interface. But it doesn't work unfortunately.
Also I tried associating an ip with the tap0 on the remote side.
ifconfig tap0 192.168.2.5
And this seems interesting because now I don't need to set up routing, the system seems to do it almost automatically:
##### # server routing # bring up the tap ifconfig tap0 192.168.2.5 ifconfig tap0 up # route all traffic for 192.168.2.* through it ip route add 192.168.2.0/24 dev tap0 ##### # server iptables iptables -F iptables -t nat -F # forward traffic between DMZ and LAN iptables -A FORWARD -i eth0 -o tap0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i tap0 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # Route incoming port to DMZ server 192.168.2.1 iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8000 -j DNAT --to-destination 192.168.2.1:8000 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE ### End Server #### ############################# ############################# ########## # client echo 1 | tee /proc/sys/net/ipv4/ip_forward # bring up the tap ifconfig tap0 up # put an ip on it so we can listen ifconfig tap0 192.168.2.1 # these should route packets back to tap0 # but they actually don't make any difference #ip rule add from 192.168.2.0/24 table 42 #ip route add default dev tap0 table 42