bastion-config

#!/bin/bash
# The goal is to use a VPS (hostname: redbastion) to publicly offer a service (TCP 4444) but push that down over a
# Wireguard interface wg0 to another host that actually listens on port 4444. The end goal is to DNAT ALL ports/protocols
# but just using port 4444 now for PoC.
# The config below works but with one major caveat. We must know the requester's IP in advance and put it in
# Wireguard's AllowedIPs. Being in AllowedIPs causes that IP to be routed over wg0 so the response goes over tun0
# rather than becoming a martian on eth0 (asymmetric route).
#
# The quickest fix is to add 0.0.0.0/0 to AllowedIPs on both sides but that would route ALL traffic through Wireguard
# and I don't want my internal host routing all traffic through the VPS redbastion. I only want responses to TCP 4444
# to go through wg0.
#
# A SNAT statement immediately fixes this but I would lose the true source IP and that is unacceptable in my use case.
# I think the fix is to use tagged routing (http://cedric.dufour.name/blah/IT/TaggedRouting.html). I haven't implemented this yet
# but am making notes so I'll know where to pick up.

# Definitions:
# redbastion (AWS VPS). eth0: 1.1.1.1 wg0: 10.200.100.20.redbastion is intended to simply pass-thru traffic.
# collector (on-prem server that will host the actual service). eth0: 2.2.2.2 wg0: 10.200.100.1


PRIVATE_SUBNET="10.200.100.0/24"
COLLECTOR_WIREGUARD_IFACE="10.200.100.1"
WIREGUARD_PORT="60719"

# clear previous mess
iptables -F
iptables -t nat -F
iptables -t mangle -F

# enable forwarding on interfaces
sysctl -w net.ipv4.ip_forward=1

# allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# TMP
iptables -A OUTPUT -o wg0 -j ACCEPT

# for now, allow outbound connections
iptables -A OUTPUT -o eth0 -j ACCEPT

# allow established connections
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# allow SSH administration from mgmt IPs and from collector wireguard internal ip 10.200.100.1
iptables -A INPUT -p tcp -s x.x.x.x.x/26 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# when i get locked out of redbastion allow ssh over the wg0 interface as a backup plan
iptables -A INPUT -p tcp -s 10.200.100.1 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Allow Wireguard connection from collector eth0
iptables -A INPUT -i eth0 -p udp -s x.x.x.x.x/32 --dport $WIREGUARD_PORT -j ACCEPT

# deal with forwards
#iptables -A FORWARD -m conntrack --ctstate NEW -s $PRIVATE_SUBNET -m policy --pol none --dir in -j ACCEPT
#iptables -t nat -A POSTROUTING -s $PRIVATE_SUBNET -m policy --pol none --dir out -j MASQUERADE


iptables -A FORWARD -i eth0 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4444 -j LOG --log-prefix "iptables DNAT hit: " --log-level 4
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4444 -j DNAT --to-destination $COLLECTOR_WIREGUARD_IFACE:4444
iptables -A FORWARD -i eth0 -o wg0 -p tcp -d 10.200.100.1 --dport 4444 -m state --state NEW,ESTABLISHED,RELATED -j LOG --log-prefix "iptables ALLOWING FORWARD 4444: " --log-level 4
iptables -A FORWARD -i eth0 -o wg0 -p tcp -d 10.200.100.1 --dport 4444 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

### IT WORKS WITH THIS STATEMENT BUT CAUSES THE SRC IP TO BE LOST
# NEED 0.0.0.0 in wg AllowedIPs for this to work. it is HARD to troubleshoot!
#iptables -t nat -A POSTROUTING ! -s 127.0.0.1 -j MASQUERADE


iptables -A INPUT -i wg0 -j LOG --log-prefix "IPTables-Allowed input on wg0: " --log-level 4 -m limit --limit 1000/min
iptables -A INPUT -i wg0 -j ACCEPT

# log dropped pkts
iptables -A INPUT -j LOG  --log-prefix "IPTables-DROP: " --log-level 4 -m limit --limit 1000/min
iptables -A INPUT -j DROP