* port redirection *without* NAT
From: Steve Benson @ 2003-01-06 19:12 UTC (permalink / raw)
  To: netfilter


I'm trying to figure out how (if possible) to do port redirection with
iptables on my linux router. This router is not doing NAT, all connected
networks have real, public IP addresses. There is tons of information out
there about doing port redirection with NAT, but I can't find anything for
without NAT. I just want to make the router take traffic destined for
address A port x and change the destination address to send it off to
address B port x instead. A and B are on the same (directly attached
ethernet) network. I looked into the DNAT and REDIRECT targets, but those
only seem to work in the nat table.

Thanks



* port redirection *without* nat
From: sm @ 2003-01-06 19:17 UTC (permalink / raw)
  To: netfilter

 
I'm trying to figure out how (if possible) to do port redirection with
iptables on my linux router. This router is not doing NAT, all connected
networks have real, public IP addresses. There is tons of information out
there about doing port redirection with NAT, but I can't find anything for
without NAT. I just want to make the router take traffic destined for
address A port x and change the destination address to send it off to
address B port x instead. A and B are on the same (directly attached
ethernet) network. I looked into the DNAT and REDIRECT targets, but those
only seem to work in the nat table.

Thanks



* Re: port redirection *without* nat
From: Athan @ 2003-01-06 23:25 UTC (permalink / raw)
  To: netfilter


On Mon, Jan 06, 2003 at 02:17:53PM -0500, sm@rhythm.cx wrote:
> I'm trying to figure out how (if possible) to do port redirection with
> iptables on my linux router. This router is not doing NAT, all connected
> networks have real, public IP addresses. There is tons of information out
> there about doing port redirection with NAT, but I can't find anything for
> without NAT. I just want to make the router take traffic destined for
> address A port x and change the destination address to send it off to
> address B port x instead. A and B are on the same (directly attached
> ethernet) network. I looked into the DNAT and REDIRECT targets, but those
> only seem to work in the nat table.

   Um, think about it.   You DO want 'NAT' of some sort for this.

Connection comes in from 1.2.3.4:1234 destined to A:x.  You want this to
be handled by B:x.  So you use a DNAT or REDIRECT to re-write the
destination, good, now have the connection ultimately ending up at B:x.
But as far as 1.2.3.4:1234 is concerned it IS talking to A:x, so the
return packets MUST be rewritten to come back from A:x, which is what
DNAT will do.
  If you want B:x to completely handle the connection then you need the
clients to be just connecting to it directly in the first place, with
requisite INPUT/FORWARD rules setup to allow this.

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME



* Re: port redirection *without* nat
From: Joel Newkirk @ 2003-01-07  0:35 UTC (permalink / raw)
  To: sm, netfilter

On Monday 06 January 2003 02:17 pm, sm@rhythm.cx wrote:
> I'm trying to figure out how (if possible) to do port redirection with
> iptables on my linux router. This router is not doing NAT, all
> connected networks have real, public IP addresses. There is tons of
> information out there about doing port redirection with NAT, but I
> can't find anything for without NAT. I just want to make the router
> take traffic destined for address A port x and change the destination
> address to send it off to address B port x instead. A and B are on the
> same (directly attached ethernet) network. I looked into the DNAT and
> REDIRECT targets, but those only seem to work in the nat table.

What you say you are trying to do IS DNAT.  A packet reaches the machine 
addressed to one destination, but you want to send it to another address 
instead, changing the Destination IP.  Destination NAT.  And yes, such 
targets only work in the nat table's chains, and for DNAT you want to 
use the PREROUTING chain.  The REDIRECT target is for picking traffic 
out of the stream that would normally be forwarded and DNATting it to 
readdress it to the local box as INPUT instead.  

The most frequently mentioned use of DNAT is for packets addressed to an 
IP of the box itself, but this isn't necessary.  DNAT is simply changing 
the destination IP, regardless of what it originally was. 

j




* Re: port redirection *without* NAT
From: Athan @ 2003-01-07 22:08 UTC (permalink / raw)
  To: Steve Benson; +Cc: netfilter


On Mon, Jan 06, 2003 at 02:12:42PM -0500, Steve Benson wrote:
> I'm trying to figure out how (if possible) to do port redirection with
> iptables on my linux router. This router is not doing NAT, all connected
> networks have real, public IP addresses. There is tons of information out
> there about doing port redirection with NAT, but I can't find anything for
> without NAT. I just want to make the router take traffic destined for
> address A port x and change the destination address to send it off to
> address B port x instead. A and B are on the same (directly attached
> ethernet) network. I looked into the DNAT and REDIRECT targets, but those
> only seem to work in the nat table.

   Didn't you already ask this and myself and someone else replied with
"yes you want DNAT".

   Client C, router A, server B.

	C:x -> A:y
	DNAT port y -> B:z
	A passes through C:x -> B:z, and remembers this
	B replies from port z to C:x
	A Sees this, remembers and changes it back to A:y -> C:x
	voila, working two way TCP connection.

The other way, given you have all public IPs, is to forget rewriting,
if you want the packets to be served by B:z then just damned well tell
clients to connect there in the first place, then A just forwards
packets backwards and forwards without changing anything.

   C <---> Internet <---> eth0 A eth1 <----> B

On A:

	iptables -A FORWARD -i eth0 -d B -j ACCEPT
	iptables -A FORWARD -i eth1 -s B -j ACCEPT

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
                  Finger athan(at)fysh.org for PGP key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME


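The rules behind the C/A/B walkthrough above (and Joel's point that DNAT lives in the nat table's PREROUTING chain), written out as an added example that is not from the thread. The router layout follows Athan's diagram; the eth0/eth1 names, the RUN dry-run variable, the conntrack match and all addresses are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the DNAT setup Athan and Joel describe,
# on forwarding router A with server B behind it (C <-> eth0 A eth1 <-> B).
# Addresses and interface names passed in are constructed placeholders.
set -eu

# RUN=echo prints the commands instead of executing them (no root needed).
RUN="${RUN:-}"

# setup_dnat <public addr A> <public port y> <server addr B> <server port z> [wan if] [lan if]
setup_dnat() {
    a="$1"; y="$2"; b="$3"; z="$4"; wan="${5:-eth0}"; lan="${6:-eth1}"

    # A has to route between its interfaces before FORWARD sees anything.
    $RUN sysctl -w net.ipv4.ip_forward=1

    # Step 1: rewrite the destination before routing, so C:x -> A:y becomes
    # C:x -> B:z.  Conntrack records the mapping and rewrites B's replies back
    # to A:y -> C:x on the way out (the "A remembers this" step), which is why
    # this cannot be done outside the nat table.
    $RUN iptables -t nat -A PREROUTING -i "$wan" -p tcp -d "$a" --dport "$y" \
        -j DNAT --to-destination "$b:$z"

    # Step 2: FORWARD sees the packet after DNAT, so match the rewritten address.
    $RUN iptables -A FORWARD -i "$wan" -o "$lan" -p tcp -d "$b" --dport "$z" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    # Step 3: replies from B:z only, and only for connections conntrack knows.
    $RUN iptables -A FORWARD -i "$lan" -o "$wan" -p tcp -s "$b" --sport "$z" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Dry run with constructed documentation-range addresses:
#   DNAT_DEMO=1 RUN=echo sh dnat.sh
if [ "${DNAT_DEMO:-0}" = 1 ]; then
    setup_dnat 203.0.113.1 80 198.51.100.10 8080
fi
```

The reverse rewrite in step 1 only happens if B's replies to C actually pass back through A; a client on B's own segment, or a B whose default route bypasses A, gets replies straight from B:z that were never un-DNATed.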

* Re: port redirection *without* NAT
From: sm @ 2003-01-07 22:36 UTC (permalink / raw)
  To: Athan; +Cc: netfilter

On Tue, Jan 07, 2003 at 10:08:00PM +0000, Athan wrote:
>
>    Didn't you already ask this and myself and someone else replied with
> "yes you want DNAT".
> 

Yes. This was a duplicate message, sorry. I sent it to the list from the
wrong address by mistake, and was informed it got put into a queue for the
moderator to look at. I asked for it to be disregarded and then I posted
again from the correct address, but I guess the original got passed to the
list anyway. (oops, there goes my spam-free address into the archives :/).

I understand now that what I am describing is in fact NAT, it just didn't hit
me at the time (duh). Sorry for the dupe, thanks for the help (Joel Newkirk
too). Issue resolved.


