OSCP Journey : Using a Linux Box as a Router
I - Introduction :
When setting up a network, it is often necessary to route traffic between different subnets or interfaces. One common scenario is adding a route for a specific subnet and configuring the firewall rules needed for packet forwarding and address translation. This guide walks you through adding a route, enabling IP forwarding, and configuring iptables rules so that traffic can flow between the network interfaces. We cover each command used, explaining its purpose and how it contributes to the overall network configuration.
II - On Windows Machine :
Our first step is to add the route to the Windows routing table. To do so, run this command in a cmd opened as administrator:
route add 10.10.10.0 mask 255.255.255.0 <router ip>
########################### Explanation ###########################
10.10.10.0 : the network I want to be able to ping
mask 255.255.255.0 : the subnet mask of that network, here /24
<router ip> : the IP of the Linux box. It behaves as a gateway, so whenever we try to reach any IP in 10.10.10.0/24 the packet is sent to the router IP
III - On Linux Machine :
Enable IP forwarding :
sudo su
echo 1 > /proc/sys/net/ipv4/ip_forward
This switch lives under /proc, so it lasts only until the next reboot.
Creating iptables rules :
iptables -A FORWARD -i tun0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
########################### Explanation ###########################
iptables : the command-line utility for configuring the Linux kernel firewall
-A FORWARD : appends a rule to the FORWARD chain. This chain handles packets that are routed through the machine (i.e., not destined for the machine itself but for another network)
-i tun0 : specifies the input interface (tun0). Packets coming into the machine on this interface are considered
-o eth0 : specifies the output interface (eth0). Packets going out of the machine on this interface are considered
-m state : uses the state module, which allows matching packets based on their connection state
--state ESTABLISHED,RELATED : matches packets that are part of an established connection, or related to an established connection
-j ACCEPT : jumps to the ACCEPT target, which allows the packet to pass through
In summary: this rule allows packets that are part of an already established connection, or related to one, to be forwarded from tun0 to eth0.
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
########################### Explanation ###########################
iptables : the command-line utility for configuring the Linux kernel firewall
-A FORWARD : appends a rule to the FORWARD chain
-i eth0 : specifies the input interface (eth0). Packets coming into the machine on this interface are considered
-o tun0 : specifies the output interface (tun0). Packets going out of the machine on this interface are considered
-j ACCEPT : jumps to the ACCEPT target, which allows the packet to pass through
In summary: this rule allows all packets to be forwarded from eth0 to tun0.
Combined Effect:
Together, these rules forward packets between the tun0 and eth0 interfaces. First rule: packets from tun0 to eth0 that are part of an established or related connection are accepted. Second rule: all packets from eth0 to tun0 are forwarded.
Creating a NAT Rule :
This NAT rule rewrites the source IP address of forwarded packets to the IP address of the tun0 interface on the VM.
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE
########################### Explanation ###########################
iptables : the command-line utility for configuring the Linux kernel firewall
-t nat : specifies the nat table. This table is used for Network Address Translation, which modifies network address information in packet headers while they are in transit
-A POSTROUTING : appends a rule to the POSTROUTING chain. The POSTROUTING chain alters packets as they are about to leave the network interface
-s 192.168.1.0/24 : specifies the source address range. This matches packets originating from the 192.168.1.0/24 subnet (a common private IP address range)
-o tun0 : specifies the output interface. This matches packets going out through the tun0 interface (commonly a VPN interface)
-j MASQUERADE : jumps to the MASQUERADE target. This tells iptables to perform source network address translation (SNAT) on the packets. MASQUERADE is typically used when the external IP address is dynamic (e.g., on a home broadband connection)
In summary:
This rule modifies the source address of packets originating from the 192.168.1.0/24 subnet as they are about to be sent out through the tun0 interface. The source address is replaced with the IP address of the tun0 interface. This process is known as masquerading, which is a type of SNAT.
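The whole section III configuration, as an added audit script that is not part of the original post: it checks that forwarding is on and that the three rules are present, and flags one thing the commands above leave at its default: the ESTABLISHED,RELATED rule only restricts return traffic when the FORWARD chain policy is DROP, which the default ACCEPT policy is not. Interface names and the subnet are the post's; the iptables-save dump is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: audit a ruleset for the
# pivot-router setup described above (tun0 = VPN side, eth0 = LAN side,
# 192.168.1.0/24 = LAN subnet, all taken from the post).

# Constructed sample, shaped like `iptables-save` output after running the
# three iptables commands above on a box with the default chain policies.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE
COMMIT'

# audit_router IP_FORWARD_VALUE RULESET_DUMP
# Prints one line per finding and returns the number of findings (0 = OK).
# Live use: audit_router "$(cat /proc/sys/net/ipv4/ip_forward)" "$(sudo iptables-save)"
audit_router() {
    fwd=$1; dump=$2; n=0
    [ "$fwd" = "1" ] || { echo "ip_forward=$fwd: kernel will not route"; n=$((n + 1)); }
    printf '%s\n' "$dump" | grep -q -- '^-A FORWARD -i eth0 -o tun0 -j ACCEPT' \
        || { echo "missing FORWARD rule eth0 -> tun0"; n=$((n + 1)); }
    printf '%s\n' "$dump" | grep -- '^-A FORWARD -i tun0 -o eth0 ' | grep -q 'ESTABLISHED' \
        || { echo "missing state-restricted FORWARD rule tun0 -> eth0"; n=$((n + 1)); }
    printf '%s\n' "$dump" | grep -q -- '^-A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE' \
        || { echo "missing MASQUERADE rule for 192.168.1.0/24 out tun0"; n=$((n + 1)); }
    # The ESTABLISHED,RELATED rule only restricts return traffic when packets
    # that match no rule are dropped; with the default FORWARD policy ACCEPT
    # every unsolicited packet arriving on tun0 is still forwarded to eth0.
    printf '%s\n' "$dump" | grep -q '^:FORWARD DROP' \
        || { echo "FORWARD policy is not DROP: unsolicited tun0 -> eth0 traffic is forwarded"; n=$((n + 1)); }
    return $n
}

# Stand-alone run against the constructed sample (reports the policy finding).
audit_router 1 "$SAMPLE_DUMP" || echo "$? finding(s)"
```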
IV - Conclusion :
By following the steps outlined in this guide, you can route traffic to a specific subnet and ensure proper packet forwarding between your network interfaces. The route add command lets you define routes for specific IP ranges, while enabling IP forwarding allows your Linux machine to act as a router. The iptables rules forward the packets and handle Network Address Translation (NAT), so that packets are correctly routed and source addresses are properly translated. This setup is particularly useful in scenarios involving VPNs or more complex network configurations where traffic needs to traverse multiple interfaces. With these configurations in place, your network is better equipped to handle diverse routing and forwarding requirements.
Written by
Ghassan Amaimia