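#!/bin/bash
#
# rules_SNATon2nets.sh
#
# script to demonstrate Source Network Address Translation
#
# Copyright (C) 2016 Miroslav Rovis, 
#
# released under BSD license, see LICENSE, or assume general BSD license,
# meaning you can do basically anything with these scripts and data except
# claim that you wrote them/made them
#
# Usage: run as root on the host that sits on both private networks (gcn,
# see the network description further down). The script pauses after each
# step (press Enter to continue) so the tables can be inspected from another
# terminal with "iptables -L -n -v", "iptables -t nat -L -n -v", etc.
#
# Every iptables call is checked: if one fails the script stops instead of
# leaving a half-applied ruleset behind.
#
# NOTE on the bare URL lines that used to sit in the comment blocks below:
# they were not prefixed with '#', so bash tried to run them as commands,
# and the line "for that one), to also get the" was even a syntax error
# that aborted the script at that point. They are all comments now.

set -euo pipefail

# vars
readonly ipt=/sbin/iptables

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Wait for Enter so the tables can be inspected between steps.
# When stdin is closed or exhausted (non-interactive run) read fails; the
# "|| true" keeps the script going, as the original unguarded "read FAKE"
# did, instead of tripping set -e.
#######################################
pause() {
  read -r _ || true
}

#######################################
# Flush and delete the user-defined chains of one iptables table.
# -F must come before -X: -X only removes chains that are already empty.
# Arguments: $1 - table name (nat, raw, mangle, ...)
#######################################
flush_table() {
  local table=$1
  printf ' * flushing the %s table\n' "$table"
  "$ipt" -t "$table" -F
  "$ipt" -t "$table" -X
  pause
}

# iptables needs CAP_NET_ADMIN; fail early with a clear message instead of
# failing on the first rule.
[[ $EUID -eq 0 ]] || die "this script must be run as root"
[[ -x $ipt ]] || die "$ipt not found or not executable"

printf '%s\n' "\"read FAKE\" after each of these flushing so I can, among other things,"
printf '%s\n' "run: iptables -L -n -v, iptables -t nat -L -n -v, etc."
printf '%s\n' "at any step if I wish so... I'm still learning... And this should've"
printf '%s\n' "been a comment."
pause

printf '%s\n' "cat /proc/sys/net/ipv4/ip_forward :"
# Read the sysctl directly (no cat fork) and check it instead of only asking
# the reader to check it: without ip_forward=1 nothing is forwarded between
# the two networks and the SNAT rule below never sees a packet.
ip_forward=
read -r ip_forward </proc/sys/net/ipv4/ip_forward \
  || die "cannot read /proc/sys/net/ipv4/ip_forward"
printf '%s\n' "$ip_forward"
if [[ $ip_forward != 1 ]]; then
  printf 'warning: net.ipv4.ip_forward is %s, not 1; forwarding between the two networks will not happen\n' \
    "$ip_forward" >&2
fi
printf '%s\n' "\"1\" must be printed, was it? if anybody is testing their NAT-ing"
printf '%s\n' "skills with a script like this. Anyway, a comment is here in the script."
# I'm having trouble with the Chinese idiotic ZTE ZXDSL no-public-IP,
# only-private-local-IP-for-you-in-your-machine-dear-subject modem/router.
# It just can't take SNAT'ing of any kind, and it doesn't say nothing why it
# don't work, and I was beginning to doubt I was doing something wrong, and
# that either some modules (actually builtins) I didn't compile or that I was
# the one who didn't do the SNAT'ing right... So this experiment proves that
# my kernel is fine and also I have got at least the basics of this tecnique
# right...
# Now you have all the prerequisites to read what Oskar Andreasson wrote
# about providers locking out their customers into privateland-IPs:
#
#
# https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#NATCAVEATS
# ( the third caveat )
#
# And just imagine how poor Chinese are all locked out privateland-IPs in their
# own homes by their dear leaders, and some other counties' people are/will be
# as well. if the commies make it to export these gizmos like in my UDBA-ruled
# Croatia (UDBA is, for short explanation, the tiny NSA of Croatian and some
# other nations in these lands)...
# And if you're in Croatia, or understand Croatian, read (around) here:
#
#
# http://forum.pcekspert.com/showthread.php?&t=252833&page=37#post2960029
#
pause

printf '%s\n' " * flushing old rules"
# -F first, then -X: -X only deletes user chains that are already empty, so
# the original -X/-F order could leave non-empty chains behind.
"$ipt" -F
"$ipt" -X
pause

for table in nat raw mangle; do
  flush_table "$table"
done

# Experimenting, want to see what NAT looks like btwn two private networks

# networks :
# 192.168.2.0/24
# 192.168.3.0/24

# hosts :
# 192.168.2.2	g0n
# --- the host below is where SNAT'ing will happen:
# 192.168.2.5	gcn
# 192.168.3.5	gcn
# ---
# 192.168.3.2	g5n, with Apache server

# And now assigning variables, and some more details.

# D-Link switch/hub, a 10+ ys old gigabit speed, 8-port unmanaged, provides
# network:
# 192.168.3.0/24
# To that network gcn has access via interface...
readonly lan2_if="eth1"

# ...[via] this [interface]. That host
# gcn
# is on 192.168.3.0/24 network. But that host also has
# access to the other private network 192.168.2.0/24
# as explained above (and below). The only one on both.
# I want to see if I can SNAT to 192.168.3.5
# the connection from address 192.168.2.2, host
# g0n
# to be able to browse
# at the Apache server at
# host
# g5n
# at address 192.168.3.2
# via this
# gcn
# host which I build iptables with this script on, and
# enable it by simply executing this script.
readonly lan2_ip="192.168.3.5"

# interface to cca 10 ys old modem router Siemens SX763
# with all other functionalities disabled (DHCP, DNS
# etc.), to work as only switch/hub, and provides
# network:
# 192.168.2.0/24
# Again, this script is executed, and the rules below
# applied on host:
# gcn
# which has address:
# 192.168.2.5 at eth0, 192.168.2.0/24 interface and
# 192.168.3.5 at eth1, 192.168.3.0/24 interface
readonly lan1_if="eth0"

# Default policies are ACCEPT for this offline demo (see the comments below
# about iptables being disabled on g0n and g5n too). With policy ACCEPT the
# FORWARD rules that follow never reject anything; they only make the
# ESTABLISHED,RELATED / NEW split visible in the counters. On a host that
# is reachable from anything untrusted the FORWARD (and INPUT) policy would
# have to be DROP for these rules to mean something.
"$ipt" -P INPUT ACCEPT
"$ipt" -P OUTPUT ACCEPT
"$ipt" -P FORWARD ACCEPT

"$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

"$ipt" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# New connections may be forwarded only when they arrive on the
# 192.168.2.0/24 side (g0n -> g5n); from the 192.168.3.0/24 side only
# replies to existing connections pass.
"$ipt" -A FORWARD -i "$lan2_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
"$ipt" -A FORWARD -i "$lan1_if" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Rewrite the source address of everything leaving via eth1 to gcn's own
# 192.168.3.5, so g5n answers gcn instead of a 192.168.2.x address it has no
# route to. Note there is no -s match: the rule applies to every packet going
# out of eth1, not only to those forwarded from 192.168.2.0/24.
"$ipt" -t nat -A POSTROUTING -o "$lan2_if" -j SNAT --to-source "$lan2_ip"

# I'll disable iptables on g0n and g5n (as well as GRADM RBAC, the grsecurity
# hardening, both is fine as this is an offline test).
#
# Slowly another matter will be demo'd here, which is collateral to my quest
# to get ZXDSL do NAT'ing for me, and I'll mark with '---------' where this
# completely turns into a different topic. Some of the text below (and above)
# I wrote well after completing this demo, but the newer text is only in
# comments, which you can safely remove before using this script.
#
# All the three hosts are clones of each other, read over at Gentoo Forums what
# I mean:
#
# Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
#
# https://forums.gentoo.org/viewtopic-t-999436.html
# ( but go to PART 2 of that topic )
#
# And after I set these rules on gcn, I'll run on all three hosts my
# uncenz-only-dump.sh, which is included in this directory with other files,
# to get all the traces. I'll only run uncenz-1st script on the g0n host
# (see
# https://github.com/miroR/uncenz
# for that one), to also get the
# screencast as I access the not-on-the-same-network g5n host (remember
# g0n and g5n do not see each other's network, only gcn is on both) and also to
# get the SSL keys to show how to decrypt the conversations.
# I also dumped all "iptables -t {each-table} -L -n -v" which is necessary only
# for this gcn host (as the g0n and g5n have in all policies: ACCEPT, iptables
# having been disabled on them, for this experiment):
# rules_SNATon2nets-t_filter-L-n-v
# rules_SNATon2nets-t_mangle-L-n-v
# rules_SNATon2nets-t_nat-L-n-v
# rules_SNATon2nets-t_raw-L-n-v
# Just remember, the packet count does not comprise this short experiment
# only, I did more of them, and some NFS'ing and other stuff, except of course,
# I didn't go online with iptables and grsecurity RBAC disabled ;-).
#
# There's also these with the iproute2 various commands output:
# ip_setup_g0n
# ip_setup_g5n
# ip_setup_gcn
#
# and even the entire networking options, such as if you read what currently
# you have on:
#
#
# https://wiki.gentoo.org/wiki/Home_Router
#
# you'll have to concur with me that my info is much more up to date ;-)
#
# And all this is now pretty complete information for anybody with enough
# spare/old hardware to set up two private networks and experiment with
# SNAT'ing like I did.
#
# Advanced folks and gurus, if you read here, pls. excuse these detailed
# instructions... I like to try and popularize this arcane knowledge ;-) ...
#
# So download, well best --if you're on some *nix machine; modify it for Windoze
# if you're on those-- [best] you download first just the dLo.sh script (after
# entering into an empty dir where you have all the perms):
#
# wget http://www.CroatiaFidelis.hr/foss/router/SNAT-demo/dLo.sh
#
# and then download all with:
#
# chmod 755 dLo.sh
# ./dLo.sh
#
# ---------- Below here, it is not about NAT'ing anymore. -------------
#
# So, pls. if you read here because of NAT'ing, since I really may need to, in
# the future, ask help on some places like lartc.org or stackoverflow (if I got
# the names right), you don't need to read on as far as the NAT'ing and
# routing, unless you find it interesting, of course... Thanks!
#
# Dear God, I almost forgot to give you the effemeral keys to the effemeral
# SSL locked-if-you-dont-have-those kingdom... This, of course, is a different
# matter altogether. And how to use those, pls. find at some of the Gentoo
# Forums topics that I wrote before I left there (only my nick "miroR" left,
# yet all of those had my signatures with Miroslav Rovis,
# www.CroatiaFidelis.hr in them; must be some mistake, Gentoo Forums wouldn't
# just breach Creative Commons license, would they?):
#
# SSL Decode & My Hard-Earned Advice for SPDY/HTTP2 in Firefox
#
# https://forums.gentoo.org/viewtopic-t-1029408.html
#
# Script for extracting tcp/ssl streams with tshark
#
# https://forums.gentoo.org/viewtopic-t-1033844.html
#
# and there are links plentiful from those to relevant places on the internet.
# And then, start Wireshark (or Tshark similarly) like this:
#
# wireshark -o "ssl.keylog_file: dump_160901_1313_g0n_SSLKEYLOGFILE.txt" <a-trace>
#
# where <a-trace> is one of the dump_160901*.pcap files. Interesting, didn't
# have it clear before, it's taken thanks to Mozilla's NSS, so via Firefox on
# only g0n, and it unlocks the SSL conversations anywhere where the connection
# went!
# (
# You could also extract all the streams there with my little program:
#
# https://github.com/miroR/tshark-streams
# )
# I'll make this the README.html also, of this directory, which will show at:
#
# http://www.CroatiaFidelis.hr/foss/router/SNAT-demo/README.html
# which is
# not SHA256 hashed (is after final reedit), as I had first needed to work online for that, but the
# content of README.html will likely be different than here only with links or
# notices.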