
iptables FORWARD with and without NAT

Simple forward from network 192.168.0.0/24 to network 172.16.0.0/24. The gateway has the addresses 192.168.0.1 (eth1 side) and 172.16.0.1 (eth0 side).

iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -d 172.16.0.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 172.16.0.0/24 -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT

On the gateway tcpdump will show:

05:58:48.316239 IP 192.168.0.22 > 172.16.0.33: ICMP echo request, id 1, seq 2193, length 40
05:58:48.349553 IP 172.16.0.33 > 192.168.0.22: ICMP echo reply, id 1, seq 2193, length 40

Forward from network 192.168.0.0/24 to network 172.16.0.0/24 with source NAT:

iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -d 172.16.0.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 172.16.0.0/24 -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -d 172.16.0.0/24 -j MASQUERADE

On the gateway tcpdump will show:

05:58:48.316239 IP 172.16.0.1 > 172.16.0.33: ICMP echo request, id 1, seq 2193, length 40
05:58:48.349553 IP 172.16.0.33 > 172.16.0.1: ICMP echo reply, id 1, seq 2193, length 40
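An added illustration, not part of the original post: a small Python model of how the two FORWARD rules and the POSTROUTING MASQUERADE rule match the packets seen in the tcpdump output. The default-deny chain policy and the interface mapping (eth1 faces 192.168.0.0/24, eth0 faces 172.16.0.0/24) are assumptions derived from the rules above.

```python
"""Toy first-match model of the page's FORWARD and POSTROUTING rules (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: gateway addresses per interface, as in the rules above.
GW_ADDR = {"eth1": "192.168.0.1", "eth0": "172.16.0.1"}

@dataclass(frozen=True)
class Rule:
    in_if: str
    out_if: str
    src: str
    dst: str
    states: frozenset
    target: str

# The two FORWARD rules from the page, expressed as data.
FORWARD = [
    Rule("eth1", "eth0", "192.168.0.0/24", "172.16.0.0/24",
         frozenset({"NEW", "ESTABLISHED"}), "ACCEPT"),
    Rule("eth0", "eth1", "172.16.0.0/24", "192.168.0.0/24",
         frozenset({"ESTABLISHED", "RELATED"}), "ACCEPT"),
]
FORWARD_POLICY = "DROP"  # assumption: default-deny chain policy, not stated on the page

def forward_verdict(in_if, out_if, src, dst, state):
    """Walk the FORWARD chain; the first matching rule wins, else the chain policy applies.

    Conntrack un-NATs replies before FORWARD sees them, so 'dst' here is the
    original internal address (192.168.0.22), not the masqueraded 172.16.0.1.
    """
    for r in FORWARD:
        if (r.in_if == in_if and r.out_if == out_if
                and ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and state in r.states):
            return r.target
    return FORWARD_POLICY

def postrouting_masquerade(out_if, src, dst, nat_if="eth0", nat_dst="172.16.0.0/24"):
    """MASQUERADE on the egress interface rewrites the source to that interface's address.

    Returns the source address as it appears on the wire after POSTROUTING.
    """
    if out_if == nat_if and ip_address(dst) in ip_network(nat_dst):
        return GW_ADDR[out_if]
    return src
```

A NEW packet arriving on eth0 from 172.16.0.33 towards 192.168.0.22 matches neither rule and falls through to the policy, which is why the second rule only needs ESTABLISHED,RELATED.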

SSL certificates with letsencrypt

Get it

cd /opt
git clone https://github.com/letsencrypt/letsencrypt.git
cd letsencrypt

Generate certificates

./letsencrypt-auto certonly --webroot -w /var/www/domain.com/web/ -d domain.com -d www.domain.com

Result: the certificates are placed in:

/etc/letsencrypt/live/domain.com/

Configure the web server (nginx directives):

ssl on;
ssl_certificate /etc/letsencrypt/live/domain.com/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

Restart the web server.
Add a cron task to automate certificate renewal (same webroot as above):

00 00 1 * * /opt/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot -w /var/www/domain.com/web/ -d domain.com -d www.domain.com >> /var/log/letsencrypt_domain.com.log