* iptables dnat to loopback
@ 2004-08-06 11:38 Damian Gatabria
From: Damian Gatabria @ 2004-08-06 11:38 UTC (permalink / raw)
To: Lista Netfilter
Hello listers.
I know this is probably not the proper place to ask
a support question, but after a long googling
session and asking in my regular lists i was unable to
get an answer for what i think is a rather tough situation..
So, flame me if you must, but here it is =oP
I have a rather busy server box hosting several web
sites in separate independent installation directories,
which means several apache, mysql and tomcat installations
running simultaneously, with each mysql instance binding
a port in the loopback interface.
Now, for a very specific reason, i need to provide someone
with remote access to one of these mysql instances.
It would be a real hassle to change mysql's config
(and the webapps' working with it) so i just decided
to use DNAT to redirect incoming tcp connections
to the loopback interface.... but for some reason you
hopefully already know about, it doesn't seem to work.
So, while this iptables rule does work for port forwarding
to another host:
iptables -t nat -A PREROUTING -p tcp -i eth0 -m multiport \
--dports mysql -j DNAT --to some.other.host
changing "some.other.host" to 127.0.0.1 doesn't work
as expected, and packets seem to be dropped altogether.
Using tcpdump i can see packets reaching eth0, but
never reaching loopback.
Is there any way to make iptables do what i'm looking
for? Any help will be greatly appreciated.
Thanks much.
--
Damian Gatabria <damian_g@speedy.com.ar>
* Re: iptables dnat to loopback
From: Klemen Kecman @ 2004-08-06 11:54 UTC (permalink / raw)
To: netfilter
----- Original Message -----
From: "Damian Gatabria" <damian_g@speedy.com.ar>
To: "Lista Netfilter" <netfilter@lists.netfilter.org>
Sent: Friday, August 06, 2004 1:38 PM
Subject: iptables dnat to loopback
> Hello listers.
>
> I know this is probably not the proper place to ask
> a support question, but after a long googling
> session and asking in my regular lists i was unable to
> get an answer for what i think is a rather tough situation..
>
> So, flame me if you must, but here it is =oP
>
> I have a rather busy server box hosting several web
> sites in separate independent installation directories,
> which means several apache, mysql and tomcat installations
> running simultaneously, with each mysql instance binding
> a port in the loopback interface.
>
> Now, for a very specific reason, i need to provide someone
> with remote access to one of these mysql instances.
>
> It would be a real hassle to change mysql's config
> (and the webapps' working with it) so i just decided
> to use DNAT to redirect incoming tcp connections
> to the loopback interface.... but for some reason you
> hopefully already know about, it doesn't seem to work.
>
> So, while this iptables rule does work for port forwarding
> to another host:
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -m multiport \
> --dports mysql -j DNAT --to some.other.host
>
> changing "some.other.host" to 127.0.0.1 doesn't work
> as expected, and packets seem to be dropped altogether.
> Using tcpdump i can see packets reaching eth0, but
> never reaching loopback.
>
> Is there any way to make iptables do what i'm looking
> for? Any help will be greatly appreciated.
>
> Thanks much.
>
> --
> Damian Gatabria <damian_g@speedy.com.ar>
>
>
Is your FORWARD chain set to DROP? If so, do you have the rule in the
FORWARD chain that allows traffic from eth0 to localhost?
Example:
iptables -t nat -A PREROUTING -p tcp -i eth0 -m multiport \
--dports mysql -j DNAT --to some.other.host
iptables -A FORWARD -p tcp -d some.other.host --dport some.port -j ACCEPT
Correct me if I'm wrong.
Greets,
Klemen Kecman
* RE: iptables dnat to loopback
From: Jason Opperisano @ 2004-08-06 12:48 UTC (permalink / raw)
To: netfilter
> I have a rather busy server box hosting several web
> sites in separate independent installation directories,
> which means several apache, mysql and tomcat installations
> running simultaneously, with each mysql instance binding
> a port in the loopback interface.
>
> So, while this iptables rule does work for port forwarding
> to another host:
>
> iptables -t nat -A PREROUTING -p tcp -i eth0 -m multiport \
> --dports mysql -j DNAT --to some.other.host
>
> changing "some.other.host" to 127.0.0.1 doesn't work
> as expected, and packets seem to be dropped altogether.
> Using tcpdump i can see packets reaching eth0, but
> never reaching loopback.
the target used for this is REDIRECT. from "man iptables"
REDIRECT
This target is only valid in the nat table, in the PREROUTING and OUTPUT
chains, and user-defined chains which are only called from those
chains. It alters the destination IP address to send the packet to the
machine itself (locally-generated packets are mapped to the 127.0.0.1
address). It takes one option:
--to-ports port[-port]
HTH...
-j
* RE: iptables dnat to loopback
From: Jason Opperisano @ 2004-08-06 17:13 UTC (permalink / raw)
To: netfilter; +Cc: damian_g
> Unfortunately, it does not seem to work either =(
> On the server itself i can `telnet 127.0.0.1 3306`
> and connect to the listening mysql process. But
> after adding this rule:
>
> iptables -A PREROUTING -t nat -p tcp -s (client address) --dport \
> 3306 -j REDIRECT --to-ports 3306
>
> I sit in the client box and `telnet (server ip address) 3306`
> and just get a "connection refused".
>
> Am i missing something? Is the rule ok? I have also tried
> removing the "--to-ports" option to leave the port unchanged,
> but the result is the same.
yes--my post was misleading. REDIRECT does not precisely do what you want. it rewrites the destination IP address of the packet to be the primary IP of the interface the packet is received on. i just verified this by poking through "/usr/src/linux/net/ipv4/netfilter/ipt_REDIRECT.c"--somewhere around line 85, you'll see:
/* Grab first address on interface. */
newdst = indev->ifa_list->ifa_local;
which will not get the packet to 127.0.0.1.
however, after some further testing--your original DNAT *should* work--the problem is probably somewhere in your filter rules. i just tested this with a machine that has sendmail bound only to 127.0.0.1:
# netstat -lnt | grep 25
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
#iptables -t nat -I PREROUTING -i eth0 -p tcp -d 172.30.30.2 --dport 25 -j DNAT --to 127.0.0.1:25
the log entry associated with the incoming, DNAT-ed packet may not look exactly as you suspect, however; this is what popped into my logs upon a successful "telnet 172.30.30.2 25" (the packet is received in the INPUT chain, btw):
Aug 6 13:06:33 fw kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21041 DF PROTO=TCP SPT=35801 DPT=25 WINDOW=32767 RES=0x00 SYN URGP=0
note the inbound interface is "lo" and both the src and dst IP's are 127.0.0.1. if you need to filter this kind of connection--make sure you specify a "-s x.x.x.x" in your DNAT rule.
sorry about my earlier post... hope *this* one helps...
-j
* Re: iptables dnat to loopback
From: David Cannings @ 2004-08-07 10:15 UTC (permalink / raw)
To: netfilter
On Friday 06 August 2004 18:13, Jason Opperisano wrote:
> however, after some further testing--your original DNAT *should*
> work--the problem is probably somewhere in your filter rules. i just
> tested this with a machine that has sendmail bound only to 127.0.0.1:
[..]
> note the inbound interface is "lo" and both the src and dst IP's are
> 127.0.0.1. if you need to filter this kind of connection--make sure
> you specify a "-s x.x.x.x" in your DNAT rule.
Apologies if I am taking your mail seriously out of context, I missed the
original mail. In short, DNAT to 127/8 wont work unless both source and
destination IPs are 127/8. This is correct and is to do with the way the
kernel filters "martians".
If you want to DNAT from an external interface to loopback, bind a private
(RFC1918) address to loopback, then DNAT to that address.
For more, I posted the following a while back:
http://www.linuxarkivet.se/mlists/netfilter/0403/msg00770.html
The idea of binding an RFC1918 address to loopback to solve the issue was
provided as a follow-up to that mail by somebody else.
David
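The workaround David describes, written out as an added example (not code from the thread or from anyone on it): bind a private address to lo and DNAT to that address, keeping the exposure limited to one client and filtering it in INPUT. CLIENT, EXT_IP, LO_ALIAS and the port are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not code from the thread. Exposes one loopback-bound MySQL
# instance to a single remote client the way the thread ends up suggesting:
# DNAT to an RFC1918 address bound to lo rather than to 127.0.0.1, which the
# kernel drops as a martian. Every address below is a constructed placeholder.
set -eu

CLIENT="${CLIENT:-192.168.0.2}"       # the only remote host allowed in
EXT_IP="${EXT_IP:-10.1.105.45}"       # the server's address on eth0
LO_ALIAS="${LO_ALIAS:-10.255.255.1}"  # RFC1918 alias added to lo
PORT="${PORT:-3306}"
APPLY="${APPLY:-0}"                   # 0 = print commands only, 1 = execute

# Print a command line and execute it only when APPLY=1, so the rule set can
# be reviewed before it touches a live firewall.
run() {
    printf '%s\n' "$*"
    if [ "$APPLY" = 1 ]; then "$@"; fi
}

# Two points from the thread are built in: after DNAT the packet is delivered
# locally, so it is filtered in INPUT (not FORWARD), and the -s match on the
# DNAT rule limits the exposure to one client, which INPUT enforces again.
# Caveat the thread does not state: the MySQL instance must actually listen
# on LO_ALIAS (bind-address = 10.255.255.1, or 0.0.0.0); a socket bound only
# to 127.0.0.1 refuses a connection whose destination is the alias.
alias_up() {
    run ip addr add "$LO_ALIAS/32" dev lo
    run iptables -t nat -A PREROUTING -i eth0 -p tcp -s "$CLIENT" -d "$EXT_IP" \
        --dport "$PORT" -j DNAT --to-destination "$LO_ALIAS:$PORT"
    run iptables -A INPUT -p tcp -s "$CLIENT" -d "$LO_ALIAS" --dport "$PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -d "$LO_ALIAS" -j DROP
}

# Remove the exposure again, in reverse order.
alias_down() {
    run iptables -D INPUT -d "$LO_ALIAS" -j DROP
    run iptables -D INPUT -p tcp -s "$CLIENT" -d "$LO_ALIAS" --dport "$PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    run iptables -t nat -D PREROUTING -i eth0 -p tcp -s "$CLIENT" -d "$EXT_IP" \
        --dport "$PORT" -j DNAT --to-destination "$LO_ALIAS:$PORT"
    run ip addr del "$LO_ALIAS/32" dev lo
}

# Number of commands a step emits; handy for a quick self-check.
count_cmds() { "$1" | wc -l | tr -d ' '; }

case "${1:-}" in
    up)   alias_up ;;
    down) alias_down ;;
esac
```

Run it as `sh expose.sh up` to review the commands and with `APPLY=1` to execute them. On kernels from 3.6 onward (long after this thread) the per-interface sysctl net.ipv4.conf.eth0.route_localnet=1 allows DNAT straight to 127.0.0.1, at the cost of switching off exactly the martian check the thread runs into on that interface.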
* RE: iptables dnat to loopback
From: Damian Gatabria @ 2004-08-08 6:17 UTC (permalink / raw)
To: netfilter
> >
> > iptables -A PREROUTING -t nat -p tcp -s (client address) --dport \
> > 3306 -j REDIRECT --to-ports 3306
> >
> > I sit in the client box and `telnet (server ip address) 3306`
> > and just get a "connection refused".
> >
> > Am i missing something? Is the rule ok? I have also tried
> > removing the "--to-ports" option to leave the port unchanged,
> > but the result is the same.
>
> yes--my post was misleading. REDIRECT does not precisely do what you want. it rewrites the destination IP address of the packet to be the primary IP of the interface the packet is received on. i just verified this by poking through "/usr/src/linux/net/ipv4/netfilter/ipt_REDIRECT.c"--somewhere around line 85, you'll see:
>
> /* Grab first address on interface. */
> newdst = indev->ifa_list->ifa_local;
>
> which will not get the packet to 127.0.0.1.
>
> however, after some further testing--your original DNAT *should* work--the problem is probably somewhere in your filter rules. i just tested this with a machine that has sendmail bound only to 127.0.0.1:
>
> # netstat -lnt | grep 25
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
>
> #iptables -t nat -I PREROUTING -i eth0 -p tcp -d 172.30.30.2 --dport 25 -j DNAT --to 127.0.0.1:25
>
> the log entry associated with the incoming, DNAT-ed packet may not look exactly as you suspect, however; this is what popped into my logs upon a successful "telnet 172.30.30.2 25" (the packet is received in the INPUT chain, btw):
>
> Aug 6 13:06:33 fw kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21041 DF PROTO=TCP SPT=35801 DPT=25 WINDOW=32767 RES=0x00 SYN URGP=0
>
> note the inbound interface is "lo" and both the src and dst IP's are 127.0.0.1. if you need to filter this kind of connection--make sure you specify a "-s x.x.x.x" in your DNAT rule.
>
> sorry about my earlier post... hope *this* one helps...
> -j
:o( no luck.
I even tried -F ing INPUT, FORWARD, OUTPUT, PREROUTING and POSTROUTING
before adding the rule, (all policies set to ACCEPT) and still no luck!
Forwarding is enabled,
net.ipv4.conf.all.forwarding = 1
net.ipv4.ip_forward = 1
and still the packets are going nowhere... however giving
the loopback an alias with an ip address of, say, 200.136.136.136
works... so why can't I route to 127.0.0.x? Is there anything
else I should check/add?
Thanks for your patience.
--
Damian Gatabria <damian_g@speedy.com.ar>
* Re: iptables dnat to loopback
From: David Cannings @ 2004-08-08 8:41 UTC (permalink / raw)
To: netfilter
On Sunday 08 August 2004 07:17, Damian Gatabria wrote:
> :o( no luck.
> I even tried -F ing INPUT, FORWARD, OUTPUT, PREROUTING and POSTROUTING
> before adding the rule, (all policies set to ACCEPT) and still no luck!
> Forwarding is enabled,
> net.ipv4.conf.all.forwarding = 1
> net.ipv4.ip_forward = 1
> and still the packets are going nowhere... however giving
> the loopback an alias with an ip address of, say, 200.136.136.136
> works... so why can't I route to 127.0.0.x? Is there anything
> else I should check/add?
You can't send packets from non 127/8 addresses to 127/8. The kernel
filters them out and drops them as it considers them "martians".
David
* Re: iptables dnat to loopback
From: Alistair Tonner @ 2004-08-08 17:50 UTC (permalink / raw)
To: netfilter
On August 8, 2004 04:41 am, David Cannings wrote:
> On Sunday 08 August 2004 07:17, Damian Gatabria wrote:
> > :o( no luck.
> >
> > I even tried -F ing INPUT, FORWARD, OUTPUT, PREROUTING and POSTROUTING
> > before adding the rule, (all policies set to ACCEPT) and still no luck!
> > Forwarding is enabled,
> > net.ipv4.conf.all.forwarding = 1
> > net.ipv4.ip_forward = 1
> > and still the packets are going nowhere... however giving
> > the loopback an alias with an ip address of, say, 200.136.136.136
> > works... so why can't I route to 127.0.0.x? Is there anything
> > else I should check/add?
>
> You can't send packets from non 127/8 addresses to 127/8. The kernel
> filters them out and drops them as it considers them "martians".
>
> David
Okay ---
If I'm following this thread correctly then,
we need two rules to manage this ... both Destination and Source Natting
these packets ...
My question is .....
As I understand things DNAT is done in PREROUTING and SNAT is done in
POSTROUTING ..
I can setup
iptables -I PREROUTING -t nat -p TCP -s 192.168.0.2 -d 10.1.105.45 --dport \
3306 -j DNAT --to 127.0.0.1
and (since nat postrouting FOLLOWS nat prerouting)
iptables -I POSTROUTING -t nat -p TCP -s 192.168.0.2 -d 127.0.0.1 --dport \
3306 -j SNAT --to 127.0.0.1
But I don't believe that this will solve the above problem of the /drop
martians/ behaviour.
Any comments folks?
Alistair Tonner
* Re: iptables dnat to loopback
From: Damian Gatabria @ 2004-08-09 14:40 UTC (permalink / raw)
To: Lista Netfilter
On Sun, 08-08-2004 at 13:50 -0400, Alistair Tonner wrote:
> On August 8, 2004 04:41 am, David Cannings wrote:
> > On Sunday 08 August 2004 07:17, Damian Gatabria wrote:
> > > :o( no luck.
> > >
> > > I even tried -F ing INPUT, FORWARD, OUTPUT, PREROUTING and POSTROUTING
> > > before adding the rule, (all policies set to ACCEPT) and still no luck!
> > > Forwarding is enabled,
> > > net.ipv4.conf.all.forwarding = 1
> > > net.ipv4.ip_forward = 1
> > > and still the packets are going nowhere... however giving
> > > the loopback an alias with an ip address of, say, 200.136.136.136
> > > works... so why can't I route to 127.0.0.x? Is there anything
> > > else I should check/add?
> >
> > You can't send packets from non 127/8 addresses to 127/8. The kernel
> > filters them out and drops them as it considers them "martians".
> >
> > David
>
> Okay ---
> If I'm following this thread correctly then,
>
> we need two rules to manage this ... both Destination and Source Natting
> these packets ...
> My question is .....
> As I understand things DNAT is done in PREROUTING and SNAT is done in
> POSTROUTING ..
>
> I can setup
>
> iptables -I PREROUTING -t nat -p TCP -s 192.168.0.2 -d 10.1.105.45 --dport \
> 3306 -j DNAT --to 127.0.0.1
> and (since nat postrouting FOLLOWS nat prerouting)
> iptables -I POSTROUTING -t nat -p TCP -s 192.168.0.2 -d 127.0.0.1 --dport \
> 3306 -j SNAT --to 127.0.0.1
>
> But I don't believe that this will solve the above problem of the /drop
> martians/ behaviour.
>
> Any comments folks?
>
> Alistair Tonner
I'll try this when i get home, on my frankenstein box. I'll post
back later today.
Thank you all who replied.
--
Damian Gatabria <damian_g@speedy.com.ar>
* Re: iptables dnat to loopback
From: Damian Gatabria @ 2004-08-10 1:29 UTC (permalink / raw)
To: Lista Netfilter
> > Okay ---
> > If I'm following this thread correctly then,
> >
> > we need two rules to manage this ... both Destination and Source Natting
> > these packets ...
> > My question is .....
> > As I understand things DNAT is done in PREROUTING and SNAT is done in
> > POSTROUTING ..
> >
> > I can setup
> >
> > iptables -I PREROUTING -t nat -p TCP -s 192.168.0.2 -d 10.1.105.45 --dport \
> > 3306 -j DNAT --to 127.0.0.1
> > and (since nat postrouting FOLLOWS nat prerouting)
> > iptables -I POSTROUTING -t nat -p TCP -s 192.168.0.2 -d 127.0.0.1 --dport \
> > 3306 -j SNAT --to 127.0.0.1
> >
> > But I don't believe that this will solve the above problem of the /drop
> > martians/ behaviour.
> >
> > Any comments folks?
> >
> > Alistair Tonner
>
> I'll try this when i get home, on my frankenstein box. I'll post
> back later today.
>
> Thank you all who replied.
Hmm.. well, it looks like David Cannings was right after all. The kernel
will not allow me to do this.. strange. I would have thought it should
be possible somehow...
Thank you all very much. It was a very informative thread.
--
Damian Gatabria <damian_g@speedy.com.ar>