iptables Demystified - Port Redirection and Forwarding HTTP Traffic to another machine (part 1)

Поделиться
HTML-код
  • Опубликовано: 24 ноя 2024
  • НаукаНаука

Комментарии • 135

  • @zedzpan
    @zedzpan 3 года назад +25

    Iptables have always been a mystery and rather complicated. Thanks for demystifying it. Thank you for all your great content delivered with such enthusiasm!

    • @hnasr
      @hnasr  3 года назад +7

      Glad it helped ❤️

  • @DerrickHayden
    @DerrickHayden Год назад +2

    I've search all over the net for exactly this. Hours of searching and you're the only one covering iptables in this manner. Thank you.

  • @prophetjamz94
    @prophetjamz94 Месяц назад

    Studying for my LFCS exam right now and I just kept getting stuck on the commands. Thanks so much for explaining this

  • @Demodude123
    @Demodude123 3 года назад +3

    Thanks Hussein! This is a great tutorial! I work with docker/kubernetes and I never understood their complex iptable chains. I'll definitely keep watching this series to understand how container networks work

  • @russohc
    @russohc 7 месяцев назад

    Hussein! I've been trying to understand iptables for more than three months and you explained everything in less than 35 minutes in a super happy way!!! We want more hahaha, thanks for the video!

  • @matches0423
    @matches0423 5 месяцев назад

    Thanks for the video!! Clears a lot of things up for me. The bottleneck of using socat disappeared after I switched to iptables.

  • @Z3rgatul
    @Z3rgatul 5 месяцев назад

    This is the best format I could imagine to explain iptables. Many thanks

  • @m.m.4589
    @m.m.4589 3 года назад +4

    Wow man, I thought ip tables was complicated, but u nailed it. Great examples. Thanks for your hard work

  • @stolenidentity1152
    @stolenidentity1152 Год назад

    Perfect tone of voice. Funny and accurate. Kudos to you!

  • @90hijacked
    @90hijacked 2 года назад

    you're a good presenter, down to earth and seem genuinely enthusiastic. cheers :)
    It's always a pleasure seeing people learning and/or hacking about with the same topics as you

  • @fujinafiul6044
    @fujinafiul6044 2 года назад

    Oh man, you are the life saver.. very few dare to cover such boring topics with such excitement.. love you man ❤ you just saved me hours of work...❤

    • @jojojojola
      @jojojojola Год назад

      boring? its interesting af

  • @root1101
    @root1101 11 месяцев назад

    Thanks, that was rather useful. The lack of use cases in reference materials is aggravating.

  • @TaniaTebaldi
    @TaniaTebaldi 2 года назад

    Wow after hours searching iptables information, I am here, you're amazing teacher, thanks a lot! I'm working with mitmproxy in transparent mode for testing iot devices, tomorrow I will try to make my iptables. Greetings from Italy!

  • @dacoup5955
    @dacoup5955 Год назад

    Thank you so much, i'm going through a Kali tutorial for pen testing studies to eventually pass my OSCP, i love your delivery and an enthusiasm, much of this was glossed over because its a vast aspect of linux's opensource firewall and you have a clear and concise way of boiling it all down so i can wrap my head around its many functions and uses, currently working on port forwarding 80 HTTP traffic to sslstripper on port 8080 and i was curious what that process actually looks like behind the curtains ... Appreciate the feedback and i just subscribed.

  • @Kifter1983
    @Kifter1983 2 года назад

    Fantastic tutorial. I loved that you mentioned you wasted hours because of ip forwarding as exactly the same happened to me being a newb to ip tables ha!

  • @mathisart
    @mathisart 3 года назад

    Finally someone who understands this and explains it in a way that's understandable! Jesus bless you

  • @mishasawangwan6652
    @mishasawangwan6652 3 года назад +8

    beauuuutiful root permissions. beautiful. BEAUTIFUL.

    • @hnasr
      @hnasr  3 года назад +2

      So good !

  • @pratikdaigavane1111
    @pratikdaigavane1111 3 года назад +13

    sudo iptables -A OUTPUT -m statistic --mode random -p udp --probability 0.77 -j DROP
    Useful in an online class when professor asks you a question and you don't know the answer 😜

    • @hnasr
      @hnasr  3 года назад +7

      Evil 🦹‍♀️
      Will explain this in next episode! This is the filter table and Pratik here is dropping 77% of outgoing udp packets. So it forces video call to lag.

    • @pratikdaigavane1111
      @pratikdaigavane1111 3 года назад

      @@hnasr Can wait to watch next episode!!

  • @leo-phiponacci
    @leo-phiponacci 2 года назад +1

    It is really demystified like he said, thank you very much Hussein

  • @LuisReyes-mw3jo
    @LuisReyes-mw3jo 3 года назад +2

    Dude, AMAZING explination. Thank you so much. I've spent hours looking for the information like this. And you made it so easy to comprehend! THANK YOU SO MUCH. Keep the awesome work!!

  • @totti343
    @totti343 2 года назад +3

    Love the storytelling. Great video!

  • @AntonSokolov-i5k
    @AntonSokolov-i5k 4 месяца назад

    Thanks man!!! Topic makes sense now! Loved the way you presented, you got soul man 😎😎😎

  • @islem1263
    @islem1263 3 года назад +5

    If you press Ctrl+F5 you can force the browser to serve you a new non cached version

  • @yetanother7754
    @yetanother7754 3 года назад +2

    My Friend ... Amazing explanation .. Loved it! gonna recommend it to my friends

  • @EddyCaffrey
    @EddyCaffrey 3 года назад +2

    Iptables is great 👍🏾. Good explanation. Thanks 🙏🏾

  • @yashas8238
    @yashas8238 11 месяцев назад

    I liked how you stressed the important things, thks you saved me a lot of time!

  • @rightangleoverseas2391
    @rightangleoverseas2391 3 года назад +1

    This is pure value ! Thank you so much for this !

  • @pging8328
    @pging8328 Год назад

    hey mate, i appreciate your videos very much which you put on the internet.

  • @misterg4548
    @misterg4548 3 года назад +2

    Informative video. But there is also another approach to start an app and let is use the restricted ports without the root permission. The tool is called authbind.

  • @okekeebube1426
    @okekeebube1426 3 года назад

    Thanks for helping your viewers avoid hours of reading in just one video

  • @steamrangercomputing
    @steamrangercomputing Год назад

    Genuinely informative video. Great job!

  • @ChristianAltamiranoAyala
    @ChristianAltamiranoAyala 3 года назад +2

    Such a insightful video, congrats Hussain

    • @hnasr
      @hnasr  3 года назад

      Thanks 🙏

  • @OfferoC
    @OfferoC 3 года назад +1

    Very nice. Thank you. Keep these videos coming!

  • @saad.83
    @saad.83 3 года назад +2

    Very interesting to watch!

  • @pging8328
    @pging8328 Год назад

    hey man you saved me on the tip to to enable ip forwarding. I was literally about to smash my head against the computer

  • @mohamedhabas7391
    @mohamedhabas7391 3 года назад +6

    Yaaay finally Linux admin stuff 😍😍😍😍

  • @romans4471
    @romans4471 3 года назад

    Thank You very much! And it was a great idea to lowercase everything ( 07:00 ) o it became more meaningful.

  • @mdshehab8947
    @mdshehab8947 11 месяцев назад

    Absolutely amazing

  • @martinfurstenberg2281
    @martinfurstenberg2281 10 месяцев назад

    Thanks for the explanation. Awesome Job.👍

  • @phoenixray3512
    @phoenixray3512 3 года назад

    Very informative thank you for sharing, I will be waiting for more.

  • @yassirhassan2063
    @yassirhassan2063 3 года назад +2

    Great content, great person. proud of you man.

    • @hnasr
      @hnasr  3 года назад

      ❤️

  • @adamstrejcovsky8257
    @adamstrejcovsky8257 Год назад

    could not have been easier. thanks a lot

  • @bun4bun
    @bun4bun 2 года назад

    Just sent a donation on paypal for your efforts. Thanks a lot for the video.
    You saved me a lot of trouble :)

  • @totopops98
    @totopops98 Год назад

    nice . very clear way to explain !

  • @shashidharnagraj896
    @shashidharnagraj896 2 года назад

    Thank you very much, this video has helped me learn a lot.

  • @AshutoshKumardevx
    @AshutoshKumardevx 3 года назад +2

    Bro, you are awesome.

  • @syedtahaaziz2668
    @syedtahaaziz2668 Год назад +1

    Please also explain ip masquerade as well.

  • @mohamedhabas7391
    @mohamedhabas7391 3 года назад +2

    for ip forwarding
    #this injects the value to the kernel regardless of the destro
    echo 1 > /proc/sys/net/ipv4/ip_forward

  • @mohammedaris2338
    @mohammedaris2338 3 года назад +2

    Thank you @Hussein , i appreciate your video

    • @hnasr
      @hnasr  3 года назад

      ❤️

  • @robertphillips124714
    @robertphillips124714 2 года назад

    Great explanation. Thanks very much!!

  • @lajoskicsi6910
    @lajoskicsi6910 3 года назад

    Aweesome! Love this IP table course. I want to see more!

  • @ivanramadhan5185
    @ivanramadhan5185 3 года назад

    Thanks for the explanation, it's very helpful.

  • @bharadwaz7
    @bharadwaz7 10 месяцев назад

    one of the best video thanks a ton

  • @rahulcsaple
    @rahulcsaple 2 года назад

    Amazing explanation.

  • @jlxip
    @jlxip 3 года назад

    This video is absolutely outstanding. Thank you

  • @kaustubhmane8287
    @kaustubhmane8287 3 года назад +2

    way too cool video !!

  • @anisht1838
    @anisht1838 2 года назад

    Great work, great value, thank you so much.

    • @hnasr
      @hnasr  2 года назад

      Appreciate it!

  • @uwontlikeit
    @uwontlikeit 10 месяцев назад

    The best visualization of the NAT flow I saw so far, the only thing left a bit unclear is the way back, when server responds - how does it do backwards translation?

  • @conscium
    @conscium 2 года назад

    great video, helped me a lot and it was also entertaining
    peace

  • @bobsmithy3103
    @bobsmithy3103 10 месяцев назад

    informative and funny, good stuff

  • @autohmae
    @autohmae 3 года назад +4

    30:53 if you hate it, use the --numeric ( -n ) when listing my dear friend :-)
    PS You forgot to mention what to do after changing the config file.

    • @hnasr
      @hnasr  3 года назад

      😍 nice tip that should be the default though :p

    • @autohmae
      @autohmae 3 года назад +1

      @@hnasr I don't know why, but this is very common for lots of commands on Linux, Unix (thus Mac) and also Winows. -n is not the default for any of them. ping, traceroute, netstat, tcpdump, etc.

    • @hnasr
      @hnasr  3 года назад +2

      What is tcpdump? ;) :p

    • @autohmae
      @autohmae 3 года назад +1

      @@hnasr I feel some day you might do videos on tcpdump as well

  • @usamatahseenulhaque9125
    @usamatahseenulhaque9125 3 года назад +2

    Great video

  • @synchronizingsynchronize3066
    @synchronizingsynchronize3066 3 года назад

    creative explanation!

  • @alkklajslkdajlk
    @alkklajslkdajlk 2 года назад

    Thank you for your video :)

  • @PauloGervilla
    @PauloGervilla 2 года назад

    Just saved my life, thanks! Do I need to do something else to make this configuration persistent?

  • @azul2011ish
    @azul2011ish 3 года назад

    Awesome, I love linux!

  • @francisobwogo6366
    @francisobwogo6366 3 года назад

    Thanks. This works.

  • @kaczuszka-dt
    @kaczuszka-dt 2 года назад

    damn son, I love your content.

  • @johnmark2014
    @johnmark2014 3 года назад

    THANK YOUUUUU SOOO MUCHH!!!!

  • @osamaa.h.altameemi5592
    @osamaa.h.altameemi5592 3 года назад +4

    that was really smooth, thx a ton. Hussein are you aware of any implementations that do the processing thing on the NIC itself (talking about TOE NICs)?

  • @ehsanshadi810
    @ehsanshadi810 2 года назад

    Thanks bro

  • @thierryalbareda3860
    @thierryalbareda3860 2 года назад

    thanks, usefull.

  • @hsjsjssnnsjsjs1666
    @hsjsjssnnsjsjs1666 2 года назад

    Holy fuck I enjoyed watching this😂😂❤️

  • @ShueFig
    @ShueFig 3 года назад +2

    In the example for DNAT & SNAT, in the response from the computer at 192.168.1.3 back to the server, how does the server determine that this response is meant for the computer at 192.168.1.2? I'm assuming the response packet will be something like (192.168.1.3:80 | 10.0.0.2:1234) (sIP | dIP)?

    • @brod515
      @brod515 3 года назад

      It must be using the created ip tables. when the response (192.168.1.3.:80 | 10.0.0.2:1234) is received the server should remember (lookup) that it mapped dIP from 10.0.0.2 => 192.168.1.3 and changed the mapping from sIP 192.168.1.2 to come back to 10.0.0.2. so it should know that if I get a response from 192.168.1.3 , by checking the dIP that must have been a request intended for me that I redirected to 192.168.1.3. and if I check the sIP I can see that the stuff that was supposed to come back to 10.0.0.2 was initially intended to go back to 192.168.1.2

    • @hnasr
      @hnasr  3 года назад

      The computer at 192.168.1.3 only knows that the packet needs to go to 10.0.0.2 , its the responsibility of 10.0.0.2 to send it back to 192.168.1.2 thats the job of DNAT .. watch NAT video for more details
      ruclips.net/video/RG97rvw1eUo/видео.html

    • @ShueFig
      @ShueFig 3 года назад

      @@hnasr Yup, I actually was asking about how 10.0.0.2 knows to forward this packet back to 192.168.1.2, which I believe @MrBrN197 answered above.
      Thank you so much for making these videos btw, learnt a ton of new stuff :)

    • @ShueFig
      @ShueFig 3 года назад

      @@brod515 okay, I kind of figured it was some kind of reverse lookup, thank you! Do you know if there's a name or something I can google to know more about this process?

  • @edgarlip2
    @edgarlip2 5 месяцев назад

    @Husseein -
    ♦it looks like after the redirect - the packet is going straight to the process - but i know that is is passing the INPUT table before ... and u have omitted this hole important part !
    ♦REDIRECT example config - PREROUTING is used for incoming traffic from the out side of the machine ( which u used ) , and "-t nat -I OUTPUT" is used to handle traffic that is originated
    from the local machine - why did u decided to use the "PREROUTING " ?

  • @kallingal1662
    @kallingal1662 4 месяца назад

    Super

  • @ebu7
    @ebu7 2 года назад

    Assalamualaikum
    Great channel for programming. Thanks a lot of.
    I want to you how you setup your raspberry pi. Plzzz tell me???

  • @ekaf3544
    @ekaf3544 Месяц назад

  • @alexbennion9087
    @alexbennion9087 3 года назад

    Thanks, "babes"!

  • @akashagarwal6390
    @akashagarwal6390 11 месяцев назад

    1. is 8080 an ephemeral port from server's side/PoV?
    2. Also, does it make the diff between an app server running on 8080 while the web server exposed on 80?
    3. is this port redirect the same as port forwarding?

  • @mnj1
    @mnj1 3 года назад

    Hi. In the last example, I wonder, would it also work if you defined both rules in the PREROUTING chain (or both in the POSTROUTING chain)? Why (not?)?

  • @akashagarwal6390
    @akashagarwal6390 11 месяцев назад

    why do we need this exactly? what are its actual use cases in real-world as compared to delegating a request explicitly by some server to another?

  • @bayliner4387
    @bayliner4387 3 года назад

    this is a great help however I'm still quite confused. I'm trying to get my RPi to RPi WireGuard tunnel to allow Access Point traffic on the Client RPi to pass to the internet on the RPi server. Is this possible? I'm assuming I only need to modify the RPi Client ipTables? The Rpi AP Clients are on 10.10.10.X and the WireGuard tunnel is 10.6.0.2 (Client) to10.6.0.1 (server).

  • @emmanuell89
    @emmanuell89 2 года назад

    you're funny, thanks for the explanation

  • @CharlieArehart1
    @CharlieArehart1 3 года назад

    More great stuff as always, Hussein, and thanks. But I had a couple of observations/questions for you and that may help other viewers considering all this.
    First, you mention the need to enable ip forwarding, as it's off by default in Linux (at 21:25) . I'm a little surprised you didn't elaborate at least a bit (or offer a brief caution) on the possible implications of doing that. I'm new to the topic of iptables myself, so again thanks for the great intro, but I've been burned by making such a change too innocently. :-)
    A quick poke around the web found a few cautions. I fear that some viewers may not be likely to consider that without your suggesting it. Given how your goal always is to educate and share words of advice, it just seemed a missed opportunity. Or do you think any concern is perhaps overstated?
    Second, while you understandably picked an http example to keep things simple, it seems that such a use case could be solved at a higher level by a reverse proxy (nginx, haproxy, varnish, etc.). But I don't think you mentioned that.
    Given the concern above, it seems worth at least a brief mention. Of course you've covered that topic well in the past, but you produce so much great content that most people can't track it all. :-) This would have seemed another one worth offering a pop up link to such a past video.
    All that said, as one who also likes to share knowledge myself, I realize it's a balancing act. Just trying to help.
    And I appreciate that this was just a part 1, introducing the wonders and power of iptables with your inimitable style. :-) Again I share these observations here for your viewers, and perhaps also for your consideration in future videos, assuming you'd not already planned to cover them. :-)

  • @jakke1975
    @jakke1975 2 года назад

    So if you have a rule for both tcp and udp (e.g. for a dns server as target), can you do that command in 1 line or do you have to create a separate rule for it?

  • @ConversationWay
    @ConversationWay 8 месяцев назад

    is it possible to have 'any' protocol ?

  • @pajeetsingh
    @pajeetsingh 7 месяцев назад

    iptables vs ip route? Do they serve same purpose? Why does changes made using ip route does not show up in iptables rules?

  • @fabwrld5773
    @fabwrld5773 2 года назад

    When their is a reply from 192.168.1.3: 8080 to 10.0.0.2:1234, do we need to have another DNAT rule to send this packet to 192.168.1.2?

  • @codewithmubin8866
    @codewithmubin8866 3 года назад

    What is the equivalent tool of iptables in Windows?

  • @shubhamjain9433
    @shubhamjain9433 Год назад

    I am not getting ack packets when I redirect the port. Can anyone help?

  • @SuperMan-rw6iz
    @SuperMan-rw6iz Год назад

    why nginx if we can use something like this to achieve network control?

  • @ethangender
    @ethangender Год назад

    im trying to work on that and so far not reached the solution. i have this 2 networks 10.0.0.6 (public IP) 192.168.30.254 (private) I want to enable there iptables to port map the apache server that is located at 192.168.30.2 , everything I tried not working, connection refused :
    here is my chain:
    sudo iptables -t nat -A PREROUTING -d 10.0.0.6 -p tcp --dport 80 -j DNAT --to-destination 192.168.30.2:80
    sudo iptables -t nat -A POSTROUTING -j MASQUERADE
    sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    sudo iptables -A FORWARD -p tcp --dport 80 -j ACCEPT

  • @ahangk
    @ahangk 3 года назад

    Can you show us how to redirect port 443 to another port, Thanks.

  • @gentleling9404
    @gentleling9404 Год назад

    how to route from to IPv6 to ipv4

  • @kikandisafari4920
    @kikandisafari4920 3 года назад

    actually I think for the POSTROUTING it should have been --out-interface

  • @thoongchinglee4905
    @thoongchinglee4905 3 года назад

    So my question is iptables able to replace port forwarding, reverse proxy, and as a firewall rules if we do it right?

    • @DamjanDimitrioski
      @DamjanDimitrioski 3 года назад

      Same question, can we match HTTP path like /api1/ on inbound port 80/443 and redirect to some docker container on port N.

    • @ShamilSattarov
      @ShamilSattarov 3 года назад

      @@DamjanDimitrioski nope, guys, it's completely different levels of OSI. Iptables works with 2nd to 4th and http is 7th.

    • @thoongchinglee4905
      @thoongchinglee4905 3 года назад

      Sorry, I mix up the word reverse proxy. It shouldn't be there

    • @autohmae
      @autohmae 3 года назад

      @@DamjanDimitrioski their are some possible ways to do but it gets complicated and error prone to to let iptables look inside the packet and hopefully find the URL and it only works with HTTP not HTTPS. But the Linux kernel has some crazy capabilities if you know how to use it because you can also upload code into the Linux kernel with "eBPF"

    • @hnasr
      @hnasr  3 года назад

      As some said there are ways but very complicated and not a replacement for layer 7 proxying. But layer 4 proxying? perhaps

  • @theinthanhlan3582
    @theinthanhlan3582 2 года назад

    2021 ? I am learning in 2022😁

  • @alizia2186
    @alizia2186 3 года назад

    Brother can you recommend any books regarding Database Or Application Scale Out. I would be really grateful.😘

    • @aymanpatel5862
      @aymanpatel5862 3 года назад +2

      1. Designing Data Intensive Applications by Martin Klepmann
      2. Database Internals

    • @alizia2186
      @alizia2186 3 года назад

      @@aymanpatel5862 Thank you🙏

  • @thuongnguyennhu4312
    @thuongnguyennhu4312 3 года назад

    Can you share your presentation file on this video? thanks u so much

    • @hnasr
      @hnasr  2 года назад

      Sorry just saw the message! Here it is IPTables (Members slides)
      Slides payhip.com/b/VTsPG