Thread: iptables troubles: preparing for access point

  1. #1
    Join Date
    2014-Jan
    Posts
    4

    iptables troubles: preparing for access point

    Hi guys,

    I know there are other threads concerning this issue, but all setups & configurations differ. I think I've been at it too long :s

    This is the setup:

    I have a public IP. Behind that IP there is NAT (ISP router on 192.168.0.1/24) with my Windows host machine (192.168.0.2/24) and my Kali VM in bridged mode (eth0 192.168.0.100/24).
    In this Kali machine I have a second interface, connected to a VirtualBox internal network (eth1 192.168.2.1/24).
    On eth1 I have isc-dhcp-server handing out IPs (this works perfectly).
    On the VirtualBox internal network I also have a virtual XP machine (192.168.2.54/24) ... which gets an IP from isc ...

    From within the XP machine I can ping & tracert 8.8.8.8, but I can't browse the internet in a browser. When I type in the IP of a website it changes the IP to the domain name, but cannot display it.

    How can I get the XP to have normal internet access? (If this works, I can move from eth1 to at0 to have a wireless access point ...)

    Code:
    root@kali:~# ifconfig
    eth0      Link encap:Ethernet  HWaddr 08:00:27:88:b2:cf  
              inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe88:b2cf/64 Scope:Link
              inet6 addr: 2a02:1812:1005:5500:a00:27ff:fe88:b2cf/64 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1564 errors:0 dropped:0 overruns:0 frame:0
              TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:187843 (183.4 KiB)  TX bytes:11464 (11.1 KiB)
    
    eth1      Link encap:Ethernet  HWaddr 08:00:27:e4:7e:30  
              inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fee4:7e30/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1205 errors:0 dropped:0 overruns:0 frame:0
              TX packets:485 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:108379 (105.8 KiB)  TX bytes:66723 (65.1 KiB)
    
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:86274 errors:0 dropped:0 overruns:0 frame:0
              TX packets:86274 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:14511953 (13.8 MiB)  TX bytes:14511953 (13.8 MiB)

    Code:
    root@kali:~# cat /etc/dhcp/dhcpd.conf
    ddns-update-style none;
    default-lease-time 6000;
    max-lease-time 7200;
    authoritative;
    subnet 192.168.2.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.1;
    option domain-name-servers 8.8.8.8;
    range 192.168.2.51 192.168.2.100;
    }
    I think, I am pretty sure, the problem is within the iptables setup ... I have tried a lot of things, but none works, and now a certain saturation point of utter frustration has reached a maximum.

    Code:
    iptables --flush
    iptables --table nat --flush
    iptables --delete-chain
    iptables --table nat --delete-chain
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.2.1
    iptables -P FORWARD ACCEPT
    iptables --append FORWARD --in-interface eth1 -j ACCEPT
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
    THANKS GUYS !!!

    PS: Why do I need NAT? I'm already on a NAT network (NAT happens from the public IP to 192.168.0.0?)

  2. #2
    In your iptables, that last line is what's killing your connection. Do all those again, and you'll have a connection

  3. #3
    Join Date
    2013-Mar
    Location
    http://rastamouse.me
    Posts
    86
    I assume that rule is in there to use a tool such as sslstrip? Do you have that running whilst you are testing your XP connection? Applications such as that are capable of forwarding the traffic on.
    OSCP
    --
    If it smells like a duck, walks like a duck and quacks like a duck; then it probably is a duck.

  4. #4
    Join Date
    2014-Jan
    Posts
    4
    Hi, thanks very much, but from my XP machine I can ping 8.8.8.8, but I can't ping a domain name ...

    I have a feeling some protocols are not permitted...

    @rastamouse: I don't have anything like that running... but yeah, why the heck would I want to redirect to port 10000...

  5. #5
    Join Date
    2013-Mar
    Location
    http://rastamouse.me
    Posts
    86
    Well sslstrip listens on port 10000 by default, hence my assumption. If you're not running anything on port 10000, my next assumption would be that you lifted the iptables instructions from another source and they're not quite fit for your purpose. The suggestion made by krypt3dkn1gh7 will most likely fix your problem.
    OSCP
    --
    If it smells like a duck, walks like a duck and quacks like a duck; then it probably is a duck.

  6. #6
    Join Date
    2014-Jan
    Posts
    4
    @rasta, I left it out, but it doesn't fix the problem. I can ping 8.8.8.8, but I can't browse the internet on that XP.
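The symptom in posts #1 and #6 (ICMP to 8.8.8.8 works, names never resolve, pages never load) is what the two PREROUTING rules in the first post produce: the `-p udp -j DNAT --to 192.168.2.1` rule has no port match, so every UDP datagram from the XP box, including its DNS queries to 8.8.8.8, is rewritten to the Kali box itself, where nothing answers on 53; the REDIRECT to port 10000 does the same for TCP/80 unless a proxy is listening there. The script below is an added example, not code from the thread: it prints a minimal forwarding ruleset for the eth1 -> eth0 layout described in the post (interface names and 192.168.2.0/24 are from the thread; the rest is an assumption), and it lints a saved ruleset for exactly those two patterns before anything is applied.

```shell
#!/bin/sh
# Added example for the thread above; not the poster's own script.
# Defaults are taken from the thread; override with LAN_IF/WAN_IF/LAN_NET.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

# Print (never execute) the rules needed for plain internet access from the
# internal network: forward LAN->WAN, allow only replies back, masquerade on
# the WAN side. Review the output, then as root:  gen_nat_rules | sh
gen_nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Lint a saved ruleset (one iptables command per line). Warnings go to
# stderr, the number of findings to stdout, so the count is scriptable.
lint_rules() {
    file="$1"
    count=0
    while IFS= read -r line; do
        case "$line" in
            *PREROUTING*-p*udp*DNAT*)
                # A UDP DNAT without a port match also captures DNS.
                case "$line" in
                    *--dport*|*--destination-port*) ;;
                    *)
                        echo "WARN: all UDP (DNS included) rewritten to another host: $line" >&2
                        count=$((count + 1)) ;;
                esac ;;
            *PREROUTING*REDIRECT*--to-port*)
                # Only correct when a local listener exists on that port.
                port="${line##*--to-port }"
                port="${port%% *}"
                echo "WARN: TCP redirected to local port $port; needs a listener there: $line" >&2
                count=$((count + 1)) ;;
        esac
    done < "$file"
    echo "$count"
}

# Copy of the ruleset from the first post, written to a file for the demo.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.2.1
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
EOF
}

# Usage:  ./nat-check.sh gen            (print the clean ruleset)
#         ./nat-check.sh lint rules.txt (warn about DNS/HTTP-breaking rules)
case "${1:-}" in
    gen)  gen_nat_rules ;;
    lint) lint_rules "$2" >/dev/null ;;
esac
```

Running `lint` over the poster's rules reports both PREROUTING rules; the generated set reports none, and it also answers the PS in the first post: the MASQUERADE is still needed because the ISP router only knows how to reach 192.168.0.0/24, not the 192.168.2.0/24 network behind the Kali VM, so replies to an unmasqueraded 192.168.2.x source have no route back.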
