Forward traffic (filter by source IP and dst port) to another public IP

Check it on Gist: https://gist.github.com/richardevs/355d24b25f6c19b698b7134504843dc6

# run all these on the bastion vm
# iptables can not directly route traffic to public ip ( in my test )
# so I insert a socat here to help get the job done

iptables -t nat -F # flush all the current NAT rules ( be careful )
iptables -t nat -A PREROUTING -s 1.1.1.1 -p tcp --dport 443 -j DNAT --to-destination :4433 # all traffic to port 443 from 1.1.1.1 gets redirected to local port 4433
iptables -t nat -A POSTROUTING -j MASQUERADE # let iptables do the NAT work
iptables -t nat -nL # double-check that iptables lists the rules correctly

nohup socat TCP4-LISTEN:4433,reuseaddr,fork TCP4:2.2.2.2:443 & # use socat to forward traffic to the final destination, in this demo 2.2.2.2:443

【GPG Key Rotation Notice】

– 330CDE83C3337CEADA44CE70BB180B9415CDC81B has been retired and a revocation has been submitted
– Superseded by 8C095E600D83C696586E0BAAF41C815ACDD22938
– The old and new keys are cross-signed
– Keybase has been updated with the new information
– The new key mainly signs with its SubKey; the SubKey is valid for four years, while the MasterKey never expires

Lately I feel like I am being scanned; the TCP communication pattern is always the following:

SYN -> PUSH -> FIN

Comparing this with normal traffic, I found that normal connections carry OPTIONS in every TCP packet, rather than only on the SYN packet as here, and this OPTIONS value never changes. I wonder whether this OPTIONS value could be used as a parameter for blocking.

Flags [S], seq 1799944867, win 65535, options [mss 1440,nop,nop,sackOK,nop,wscale 8], length 0
Flags [.], ack 4104578379, win 16384, length 0
Flags [P.], seq 0:32, ack 1, win 517, length 32
Flags [.], ack 2, win 517, length 0
Flags [F.], seq 205, ack 2, win 517, length 0
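A small detector for the pattern described in this post, added here as an example and not part of the original post: it groups tcpdump lines by flow, flags initiators whose SYN carries TCP options but whose PSH and FIN packets do not, and reports the unchanging options string as a fingerprint. The tcpdump lines below are constructed, with the "IP src.port > dst.port:" prefix that tcpdump -nn prints before "Flags"; the addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Matches the tcpdump -nn line shape quoted in the post, including the
# "IP src.port > dst.port:" prefix; options are captured only when present.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\](?:.*?options \[(?P<opts>[^\]]*)\])?"
)

# Constructed sample: two hosts showing the SYN -> PSH -> FIN pattern with
# options only on the SYN, and one normal client that keeps sending timestamps.
SAMPLE = """\
IP 198.51.100.7.51000 > 192.0.2.10.443: Flags [S], seq 1799944867, win 65535, options [mss 1440,nop,nop,sackOK,nop,wscale 8], length 0
IP 192.0.2.10.443 > 198.51.100.7.51000: Flags [S.], seq 1, ack 1799944868, win 65160, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
IP 198.51.100.7.51000 > 192.0.2.10.443: Flags [.], ack 1, win 517, length 0
IP 198.51.100.7.51000 > 192.0.2.10.443: Flags [P.], seq 1:33, ack 1, win 517, length 32
IP 198.51.100.7.51000 > 192.0.2.10.443: Flags [F.], seq 33, ack 2, win 517, length 0
IP 198.51.100.9.51001 > 192.0.2.10.443: Flags [S], seq 7, win 65535, options [mss 1440,nop,nop,sackOK,nop,wscale 8], length 0
IP 198.51.100.9.51001 > 192.0.2.10.443: Flags [P.], seq 1:33, ack 1, win 517, length 32
IP 198.51.100.9.51001 > 192.0.2.10.443: Flags [F.], seq 33, ack 2, win 517, length 0
IP 203.0.113.5.40000 > 192.0.2.10.443: Flags [S], seq 9, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
IP 203.0.113.5.40000 > 192.0.2.10.443: Flags [P.], seq 1:100, ack 1, win 502, options [nop,nop,TS val 2 ecr 1], length 99
IP 203.0.113.5.40000 > 192.0.2.10.443: Flags [F.], seq 100, ack 2, win 502, options [nop,nop,TS val 3 ecr 2], length 0
"""

def parse_flows(lines):
    """Group packets per direction as (src, sport, dst, dport) -> [(flags, options)]."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            flows[(m["src"], m["sport"], m["dst"], m["dport"])].append((m["flags"], m["opts"]))
    return flows

def scan_fingerprint(packets):
    """Return the SYN options string if this side sent SYN, then PSH, then FIN,
    with TCP options only on the SYN (the pattern from the post); else None."""
    if not packets or packets[0][0] != "S" or not packets[0][1]:
        return None  # not the initiating side, or SYN without options
    order = [f.rstrip(".") for f, _ in packets[1:] if f.rstrip(".") in ("P", "F")]
    if not order or order[0] != "P" or order[-1] != "F":
        return None
    if any(opts for _, opts in packets[1:]):
        return None  # normal stacks keep sending options (e.g. timestamps)
    return packets[0][1]

def find_scanners(lines):
    """Map each options fingerprint to the set of source IPs showing the pattern."""
    hits = defaultdict(set)
    for (src, _, _, _), packets in parse_flows(lines).items():
        fp = scan_fingerprint(packets)
        if fp:
            hits[fp].add(src)
    return dict(hits)

if __name__ == "__main__":
    for fp, sources in find_scanners(SAMPLE.splitlines()).items():
        print(f"options [{fp}] seen from {sorted(sources)}")
```

Feed it the output of tcpdump -nn on the bastion to see which sources share one fixed options string; a fingerprint alone is weak evidence, so confirm the SYN-PSH-FIN shape before turning it into a filter.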