
Redes de datos

Laboratorio Nro:4 NAT en GNU/Linux


Alumno: Javier Alejandro Gómez Bianchi
1- Suponga que S1 es un servidor que pertenece a una red pública a la cual no podemos llegar mediante
enrutamiento. Es decir, S1 no sabe que existe PC1, ya que ésta tiene una IP del rango privado (RFC 1918,
no enrutable fuera de la red local). Para llegar hacia la red externa PC1 usa a su default gateway, que es R1.
Verificar que efectivamente PC1 no puede llegar con ping al servidor S1. Capture los paquetes en S1 y determine
si los paquetes de echo request están llegando (si llegan pero no hay respuesta, el problema está en la ruta
de retorno hacia la red privada, no en la ida).

2- Agregar en R1 reglas de iptables en la tabla nat para poder llegar a S1. Ahora verifique nuevamente si
puede llegar con ping. Puede ver las reglas y sus contadores con el comando iptables -t nat -nvL. Tenga en
cuenta que MASQUERADE es NAT de origen (SNAT) en POSTROUTING: reescribe la dirección de origen de cada
paquete saliente con la IP de la interfaz de salida de R1, por lo que S1 ve los echo request como
provenientes de R1 y puede responderle; conntrack deshace la traducción en las respuestas.

root@R1:/tmp/pycore.44299/R1.conf# iptables -t nat -F


root@R1:/tmp/pycore.44299/R1.conf# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

root@R1:/tmp/pycore.44299/R1.conf# iptables -t nat -A POSTROUTING -s 200.35.2.0/24 -o eth1 -j MASQUERADE


root@R1:/tmp/pycore.44299/R1.conf# iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -o eth0 -j MASQUERADE
root@R1:/tmp/pycore.44299/R1.conf# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  200.35.2.0/24        0.0.0.0/0
MASQUERADE all  --  172.16.1.0/24        0.0.0.0/0
root@R1:/tmp/pycore.44299/R1.conf#

Nota: `-L -n` sin `-v` no muestra la interfaz de salida (`-o`) de cada regla; use `-nvL` para verla junto con
los contadores. Para que PC1 llegue a S1 alcanza con la segunda regla (origen 172.16.1.0/24 saliendo por eth0).
La primera enmascara además el tráfico que entra desde 200.35.2.0/24 y sale por eth1 (presumiblemente la
interfaz hacia la red 172.16.1.0/24, como sugieren las reglas del ejercicio 4), con lo cual PC1/PC2 verían
todas esas conexiones como provenientes de R1 y perderían la posibilidad de filtrar por origen real; en
general se enmascara solo hacia la red externa.

root@R1:/tmp/pycore.44299/R1.conf# iptables -A INPUT -s 200.35.2.0/24 -p icmp --icmp-type echo-request -j ACCEPT


root@R1:/tmp/pycore.44299/R1.conf# iptables -A INPUT -s 172.16.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
root@R1:/tmp/pycore.44299/R1.conf#
root@R1:/tmp/pycore.44299/R1.conf# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere
ACCEPT     icmp --  200.35.2.0/24        anywhere             icmp echo-request
ACCEPT     icmp --  172.16.1.0/24        anywhere             icmp echo-request

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp spt:ssh
root@R1:/tmp/pycore.44299/R1.conf#

Nota: las dos reglas ACCEPT para icmp echo-request se agregaron con `-A`, es decir, al final de la cadena
INPUT, después de la regla `DROP all`. Como iptables evalúa las reglas de arriba hacia abajo y se detiene en
la primera coincidencia, esas dos reglas nunca se alcanzan (sus contadores en `iptables -nvL` quedarán en 0).
Para que tengan efecto hay que insertarlas antes del DROP, por ejemplo con
`iptables -I INPUT 3 -s 172.16.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT`. Además, la cadena INPUT
solo afecta al tráfico dirigido a R1 mismo: el ping de PC1 a S1 atraviesa R1 y es evaluado por la cadena
FORWARD (aquí con policy ACCEPT), no por INPUT.

3- Acceda a S1 por ssh desde PC2. Capture el tráfico con Wireshark tanto en las interfaces eth0 y eth1 de
R1 como en la interfaz eth0 de S1. Identifique los paquetes correspondientes al acceso ssh en cada caso y
compare las direcciones de origen antes y después del MASQUERADE (en S1 debería verse la IP de R1, no la de PC2).

ssh - eth1 R1

ssh - eth0 R1

ssh - eth0 - S1

4- Verifique que inicie ssh en PC1 y, mediante Destination NAT en R1, permita el acceso por ssh desde
S1 a PC1.

root@R1:/tmp/pycore.43901/R1.conf# iptables -t nat -L -n


Chain PREROUTING (policy ACCEPT)
target prot opt source
destination
Chain INPUT (policy ACCEPT)
target prot opt source
destination
Chain OUTPUT (policy ACCEPT)
target prot opt source
destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source
destination
root@R1:/tmp/pycore.43901/R1.conf# iptables -t nat -A PREROUTING -p tcp --dport 22 -i eth1 -j DNAT --to 200.35.2.45
root@R1:/tmp/pycore.43901/R1.conf# iptables -t nat -A PREROUTING -p tcp --dport 22 -i eth0 -j DNAT --to 172.16.1.20
root@R1:/tmp/pycore.43901/R1.conf# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:200.35.2.45
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:172.16.1.20

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
root@R1:/tmp/pycore.43901/R1.conf#

Nota: las reglas DNAT no tienen condición `-d` (destination 0.0.0.0/0), así que reescriben cualquier paquete
TCP al puerto 22 que entre por esa interfaz, sin importar a quién iba dirigido: incluido el tráfico destinado a
R1 mismo (que dejaría de poder administrarse por ssh desde esa interfaz) o a cualquier otro host. Conviene
restringirlas a la IP de R1 en la interfaz de entrada, por ejemplo
`iptables -t nat -A PREROUTING -i eth0 -d <IP_R1_eth0> -p tcp --dport 22 -j DNAT --to-destination 172.16.1.20`.
Además, como FORWARD tiene policy ACCEPT, el paquete ya traducido se reenvía sin ningún filtrado; en un
despliegue real FORWARD debería tener policy DROP y permitir explícitamente solo ese flujo, por ejemplo
`iptables -A FORWARD -m conntrack --ctstate DNAT -p tcp -d 172.16.1.20 --dport 22 -j ACCEPT`.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

Nota sobre la captura: el flujo que se ve a continuación va desde 172.16.1.21 (un host de la red 172.16.1.0/24)
hacia 200.35.2.45:22 (S1), es decir, en sentido inverso al que pide la consigna (S1 hacia PC1 = 172.16.1.20).
En esta única interfaz no es posible distinguir la dirección de destino original de la traducida; para
evidenciar el DNAT conviene capturar en ambas interfaces de R1 y comprobar que el destino cambia de la IP de
R1 a la IP traducida, o verificar que los contadores de la regla DNAT en `iptables -t nat -nvL` se incrementan.
17:42:56.316333 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [S], seq 1808554993, win 29200, options [mss 1460,sackOK,TS val 3250807 ecr
0,nop,wscale 7], length 0
17:42:56.316415 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [S.], seq 53847098, ack 1808554994, win 28960, options [mss 1460,sackOK,TS val 3250807
ecr 3250807,nop,wscale 7], length 0
17:42:56.316566 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 1, win 229, options [nop,nop,TS val 3250807 ecr 3250807], length 0
17:42:56.318847 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 1:44, ack 1, win 229, options [nop,nop,TS val 3250808 ecr 3250807], length 43
17:42:56.318904 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 44, win 227, options [nop,nop,TS val 3250808 ecr 3250808], length 0
17:42:56.339762 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 1:44, ack 44, win 227, options [nop,nop,TS val 3250813 ecr 3250808], length 43
17:42:56.339971 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 44, win 229, options [nop,nop,TS val 3250813 ecr 3250813], length 0
17:42:56.341137 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 44:2012, ack 44, win 229, options [nop,nop,TS val 3250813 ecr 3250813], length
1968
17:42:56.341192 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2012, win 257, options [nop,nop,TS val 3250814 ecr 3250813], length 0
17:42:56.341795 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 44:1652, ack 2012, win 257, options [nop,nop,TS val 3250814 ecr 3250813], length
1608
17:42:56.341946 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 1652, win 254, options [nop,nop,TS val 3250814 ecr 3250814], length 0
17:42:56.362348 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2012:2060, ack 1652, win 254, options [nop,nop,TS val 3250819 ecr 3250814],
length 48
17:42:56.401009 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2060, win 257, options [nop,nop,TS val 3250829 ecr 3250819], length 0
17:42:56.430140 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 1652:2276, ack 2060, win 257, options [nop,nop,TS val 3250836 ecr 3250819],
length 624
17:42:56.449514 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2060:2076, ack 2276, win 276, options [nop,nop,TS val 3250841 ecr 3250836],
length 16
17:42:56.449581 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2076, win 257, options [nop,nop,TS val 3250841 ecr 3250841], length 0
17:42:56.449764 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2076:2128, ack 2276, win 276, options [nop,nop,TS val 3250841 ecr 3250841],
length 52
17:42:56.449790 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2128, win 257, options [nop,nop,TS val 3250841 ecr 3250841], length 0
17:42:56.449908 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2276:2328, ack 2128, win 257, options [nop,nop,TS val 3250841 ecr 3250841],
length 52
17:42:56.450108 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2128:2196, ack 2328, win 276, options [nop,nop,TS val 3250841 ecr 3250841],
length 68
17:42:56.450986 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2328:2380, ack 2196, win 257, options [nop,nop,TS val 3250841 ecr 3250841],
length 52
17:42:56.489347 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 2380, win 276, options [nop,nop,TS val 3250851 ecr 3250841], length 0
17:42:59.619196 IP6 fe80::e0f7:60ff:fe87:1f33.5353 > ff02::fb.5353: 0 [2q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ipp._tcp.local. (45)
17:43:01.325319 ARP, Request who-has 200.35.2.45 tell 200.35.2.1, length 28
17:43:01.325361 ARP, Reply 200.35.2.45 is-at 00:00:00:aa:00:00, length 28
17:43:02.052559 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2196:2344, ack 2380, win 276, options [nop,nop,TS val 3252241 ecr 3250841],
length 148
17:43:02.089071 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2344, win 280, options [nop,nop,TS val 3252251 ecr 3252241], length 0
17:43:02.188872 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2380:2416, ack 2344, win 280, options [nop,nop,TS val 3252275 ecr 3252241],
length 36
17:43:02.189092 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 2416, win 276, options [nop,nop,TS val 3252276 ecr 3252275], length 0
17:43:02.191637 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2344:2464, ack 2416, win 276, options [nop,nop,TS val 3252276 ecr 3252275],
length 120
17:43:02.191687 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2464, win 280, options [nop,nop,TS val 3252276 ecr 3252276], length 0
17:43:02.526081 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2416:2468, ack 2464, win 280, options [nop,nop,TS val 3252360 ecr 3252276],
length 52
17:43:02.526510 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [P.], seq 2464:2856, ack 2468, win 276, options [nop,nop,TS val 3252360 ecr 3252360],
length 392
17:43:02.526573 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [.], ack 2856, win 303, options [nop,nop,TS val 3252360 ecr 3252360], length 0
17:43:02.529565 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2468:2576, ack 2856, win 303, options [nop,nop,TS val 3252361 ecr 3252360],
length 108
17:43:02.530774 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2576:2740, ack 2856, win 303, options [nop,nop,TS val 3252361 ecr 3252360],
length 164
17:43:02.531072 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 2740, win 299, options [nop,nop,TS val 3252361 ecr 3252361], length 0
17:43:02.872265 IP 200.35.2.45.22 > 172.16.1.21.34366: Flags [P.], seq 2740:2792, ack 2856, win 303, options [nop,nop,TS val 3252446 ecr 3252361],
length 52
17:43:02.909209 IP 172.16.1.21.34366 > 200.35.2.45.22: Flags [.], ack 2792, win 299, options [nop,nop,TS val 3252456 ecr 3252446], length 0

5- ¿Cómo puedo hacer, mediante Destination NAT, para acceder desde S1 tanto al servidor ssh de PC1
como al de PC2?
MASQUERADE por sí solo no resuelve esto: es NAT de origen (SNAT) en POSTROUTING, reescribe la dirección de
origen de las conexiones salientes de la red interna y no permite que S1 inicie conexiones hacia PC1 o PC2.
Las reglas del ejemplo original sirven únicamente para que el tráfico de la red interna salga con la IP de R1:
Ej:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Para acceder desde S1 a los dos servidores ssh hace falta Destination NAT (port forwarding) en PREROUTING,
publicando cada servidor interno en un puerto distinto de la IP de R1, ya que un mismo puerto de destino solo
puede traducirse a un único host (siguiendo el ejercicio 4, eth0 es la interfaz por la que entra el tráfico de S1):
iptables -t nat -A PREROUTING -i eth0 -d <IP_R1_eth0> -p tcp --dport 22   -j DNAT --to-destination 172.16.1.20:22
iptables -t nat -A PREROUTING -i eth0 -d <IP_R1_eth0> -p tcp --dport 2222 -j DNAT --to-destination <IP_PC2>:22
Desde S1, `ssh usuario@<IP_R1_eth0>` llega a PC1 y `ssh -p 2222 usuario@<IP_R1_eth0>` llega a PC2. Las
respuestas de PC1/PC2 se destraducen automáticamente gracias a conntrack, sin reglas adicionales. Si FORWARD
tiene policy DROP, agregar además una regla ACCEPT para cada flujo traducido (`-m conntrack --ctstate DNAT`).
