* TCP redirect external to external host
From: Örjan Persson @ 2003-12-09 19:04 UTC (permalink / raw)
  To: netfilter

Hello,

I would like to redirect incoming traffic on host1:33 to host2:44!

Tried to find information about this for a day now but all I come up
with is the DNAT/SNAT solution. The problem with this is when the final
packet arrives at the host2 it thinks that host1 sends them. 

Is there a way to keep the senders IP?

Thanks in advance,
Örjan



* Re: TCP redirect external to external host
  2003-12-09 19:04 TCP redirect external to external host Örjan Persson
@ 2003-12-09 19:15 ` Antony Stone
  2003-12-09 19:40   ` Örjan Persson
       [not found] ` <1070997211.2880.4.camel@pepelui.baicom.com>
  1 sibling, 1 reply; 10+ messages in thread
From: Antony Stone @ 2003-12-09 19:15 UTC (permalink / raw)
  To: netfilter

On Tuesday 09 December 2003 7:04 pm, Örjan Persson wrote:

> Hello,
>
> I would like to redirect incoming traffic on host1:33 to host2:44!
>
> Tried to find information about this for a day now but all I come up
> with is the DNAT/SNAT solution. The problem with this is when the final
> packet arrives at the host2 it thinks that host1 sends them.
>
> Is there a way to keep the senders IP?

If both the real source IP and the real destination IP exist on the same 
interface (directly, or some distance away) of the machine running netfilter, 
then no, you cannot translate the destination address without altering the 
source address as well.

The reason is simple:

If you translate only the destination address, then reply packets go direct 
from destination back to source without going back through the reverse nat, 
therefore the reply comes back from a different address (the real one) than 
the original request was sent to.

Only if you also translate the source address do the reply packets come back 
through netfilter, allowing the reverse translation to occur, keeping both 
ends of the link happy about what IP they're talking to.

If it is not true that the real source IP and the real destination IP exist on 
the same interface of the netfilter machine, repost your query with a bit 
more detail and we may be able to help further.

Antony.

-- 
The difference between theory and practice is that in theory there is no 
difference, whereas in practice there is.

                                                     Please reply to the list;
                                                           please don't CC me.




* RE: TCP redirect external to external host
From: Daniel Chemko @ 2003-12-09 19:20 UTC (permalink / raw)
  To: Örjan Persson, netfilter

As long as host1 is the default route for host2, then you do not need the SNAT rule. Otherwise, you're SOL.

Maybe you could cook up something with BGP but I wouldn't have a clue on how that would work.



* Re: TCP redirect external to external host
From: Örjan Persson @ 2003-12-09 19:31 UTC (permalink / raw)
  To: netfilter

Alexis (..@..com) wrote:
> in fact if you do
> 
> iptables -t nat -A PREROUTING -d host1 -p tcp --dport 33 -j DNAT --to host2:44
> 
> it keeps the original sender IP.
> 
> if you want to change the sender ip to host1:33 you need to add a
> POSTROUTING rule that does SNAT on this connection.
>
> I hope it helps
>
> please read
> http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html

Thanks for taking the time to answer!

Yes, I've read that manual a few times by now but I still don't really
understand what's going wrong. If I just use the rule you sent above, a
connection with telnet just "hangs".

If I add the SNAT-rule it works, but the sender's IP will be altered to
host1 (the first server).

iptables -t nat -A PREROUTING -p tcp --dport 33 -i eth0 -j DNAT --to host2:44
iptables -t nat -A POSTROUTING -d host2 -p tcp --dport 25 -j SNAT --to host1

Why I want this is because I'm moving one SMTP to another location. So
from the postfix logs I get this:
Dec  9 19:27:56 mail postfix/smtpd[20692]: connect from host1[x.x.x.x]

host1 shouldn't be there, the original sender should.

I'm clueless. :(



* Re: TCP redirect external to external host
From: Örjan Persson @ 2003-12-09 19:40 UTC (permalink / raw)
  To: netfilter

Antony Stone (Antony@Soft-Solutions.co.uk) wrote:
> 
> If it is not true that the real source IP and the real destination IP exist on 
> the same interface of the netfilter machine, repost your query with a bit 
> more detail and we may be able to help further.
> 

The situation is that I have a hostname where there are both SMTP and
DNS services at the moment. The mail service is being migrated to another
host, and since I can't just change the IP for the hostname (would break
DNS services) I would like to have a temporary redirect to the new
mail service for the SMTP service, until the people using it have changed
their mail settings to use the new hostname.

So, I have two external hosts with two external IPs. They exist on the
same subnet too. Both use the same gateway.

These are the rules I tried to use, which translates the users IP to the
first servers IP:
iptables -t nat -A PREROUTING -p tcp --dport 33 -i eth0 -j DNAT --to host2:44
iptables -t nat -A POSTROUTING -d host2 -p tcp --dport 25 -j SNAT --to host1

Hope that's enough information to get you into my problem!

Thanks for letting me take your time! :)



* Re: TCP redirect external to external host
From: Michael Gale @ 2003-12-09 19:49 UTC (permalink / raw)
  To: Örjan Persson; +Cc: netfilter


hmmm.... what about ICMP redirect ?

I cannot remember if the host you are redirecting to has to be on the same subnet as the client host :(

If so then it would not work.

Michael.


-- 
Michael Gale
Network Administrator
Utilitran Corporation



* Re: TCP redirect external to external host
From: Antony Stone @ 2003-12-09 19:49 UTC (permalink / raw)
  To: netfilter

On Tuesday 09 December 2003 7:40 pm, Örjan Persson wrote:

> Antony Stone (Antony@Soft-Solutions.co.uk) wrote:
> > If it is not true that the real source IP and the real destination IP
> > exist on the same interface of the netfilter machine, repost your query
> > with a bit more detail and we may be able to help further.
>
> The situation is that I have a hostname where there are both SMTP and
> DNS services at the moment. The mail service is being migrated to another
> host, and since I can't just change the IP for the hostname (would break
> DNS services) I would like to have a temporary redirect to the new
> mail service for the SMTP service, until the people using it have changed
> their mail settings to use the new hostname.
>
> So, I have two external hosts with two external IPs. They exist on the
> same subnet too. Both use the same gateway.

I am afraid that in this situation you cannot achieve the solution you would 
like. DNAT on its own will not work. DNAT+SNAT will work, but you will 
see a constant source IP in your mail server logfiles. Be happy that this 
is only a temporary arrangement.

Antony.

-- 
If builders made buildings the way programmers write programs, then the first 
woodpecker to come along would destroy civilisation.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: TCP redirect external to external host
From: Antony Stone @ 2003-12-09 19:56 UTC (permalink / raw)
  To: netfilter

On Tuesday 09 December 2003 7:49 pm, Michael Gale wrote:

> hmmm.... what about ICMP redirect ?
>
> I can not remember if the host you are redirecting to has to be on the same
> subnet as the client host :(

Unfortunately ICMP redirects would affect ALL connections coming in to the 
machine, SMTP, DNS, or anything else.

I do not think this is what Örjan wants to happen.

Antony.

-- 
It is also possible that putting the birds in a laboratory setting 
inadvertently renders them relatively incompetent.

 - Daniel C Dennet

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: TCP redirect external to external host
From: Örjan Persson @ 2003-12-09 20:05 UTC (permalink / raw)
  To: netfilter

Antony Stone (Antony@Soft-Solutions.co.uk) wrote:
> On Tuesday 09 December 2003 7:40 pm, Örjan Persson wrote:
> 
> i am afraid that in this situation you cannot achieve the solution you would 
> like.   DNAT on its own will not work.   DNAT+SNAT will work, but you will 
> see a constant source IP in your mail server logfiles.   Be happy that this 
> is only a temporary arrangement.
> 

Okay, thanks for pointing that out. The problem with such a solution is
that it would let the whole internet send e-mail through the new
SMTP server, if I don't disallow relaying for that IP.

Oh well, I guess I will need to inform everyone about a hostname change
instead then. POP3 is easier since the IP doesn't matter much there.

Cheers
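The following is an added example, not part of any message in this thread. It is a small Python model of the three situations the thread discusses: Antony's explanation of why DNAT alone fails when host2 can reach the client without going back through host1, Daniel Chemko's remark that DNAT alone works if host1 is host2's default route, and Örjan's concern that after SNAT every client arrives at the new MTA from host1's address. Addresses are constructed from the RFC 5737 documentation ranges; the `TRUSTED_RELAYS` set is an assumption standing in for an MTA on host2 that permits relaying from the old server's IP. The NAT box keeps the client's source port unchanged under SNAT, which real netfilter may not do on collision.

```python
"""Model of the return-path problem in this thread (added example, constructed data).

host1 (the netfilter box, the old mail server's IP) redirects TCP/25 to host2.
host2 shares host1's subnet and upstream gateway, so host2 routes replies to
the client directly unless they are addressed to host1 itself or host1 is
host2's default route.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed addresses from the RFC 5737 documentation ranges.
CLIENT = "203.0.113.10"
HOST1 = "198.51.100.1"   # old SMTP host, runs netfilter
HOST2 = "198.51.100.2"   # new SMTP host, same subnet as host1
SMTP = 25

# Assumption: the MTA on host2 permits relaying from the old server's address.
TRUSTED_RELAYS = {HOST1}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flag: str  # "SYN" from the client, "SYN-ACK" from the server


Tuple4 = Tuple[str, int, str, int]


class NatBox:
    """Minimal conntrack-style NAT on host1: DNAT in PREROUTING, optional SNAT
    in POSTROUTING, and reverse translation for replies that pass back through."""

    def __init__(self, dnat_to: Tuple[str, int], snat: bool) -> None:
        self.dnat_to = dnat_to
        self.snat = snat
        # translated (dst, dport, src, sport) -> the packet as the client sent it
        self.conntrack: Dict[Tuple4, Packet] = {}

    def forward(self, pkt: Packet) -> Packet:
        """Client -> host1: rewrite the packet and record the mapping."""
        out = replace(pkt, dst=self.dnat_to[0], dport=self.dnat_to[1])
        if self.snat:
            out = replace(out, src=HOST1)  # source port kept as-is for simplicity
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """host2 -> host1: undo the translation, or drop when there is no state."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport, flag=pkt.flag)


def simulate(snat: bool, host1_is_host2_gateway: bool = False) -> dict:
    """Run one handshake attempt through the redirect and report what each side sees."""
    nat = NatBox(dnat_to=(HOST2, SMTP), snat=snat)
    syn = Packet(CLIENT, 40000, HOST1, SMTP, "SYN")
    expected_from = (HOST1, SMTP, CLIENT, 40000)  # the only SYN-ACK the client's socket accepts

    fwd = nat.forward(syn)
    peer_seen_by_host2 = fwd.src                  # what ends up in host2's smtpd log
    synack = Packet(HOST2, SMTP, fwd.src, fwd.sport, "SYN-ACK")

    # host2's routing decision for the reply
    if synack.dst == HOST1 or host1_is_host2_gateway:
        delivered = nat.reply(synack)             # passes through host1: reverse NAT applies
    else:
        delivered = synack                        # straight to the client via the shared gateway

    connects = delivered is not None and \
        (delivered.src, delivered.sport, delivered.dst, delivered.dport) == expected_from
    return {
        "client_connects": connects,
        "host2_sees_peer": peer_seen_by_host2,
        "relay_trusted": peer_seen_by_host2 in TRUSTED_RELAYS,
    }


if __name__ == "__main__":
    cases = [
        ("DNAT only", {"snat": False}),
        ("DNAT + SNAT", {"snat": True}),
        ("DNAT only, host1 is host2's gateway", {"snat": False, "host1_is_host2_gateway": True}),
    ]
    for label, kwargs in cases:
        print(f"{label:40s} {simulate(**kwargs)}")
```

The first case is the telnet "hang" from the thread: the SYN-ACK reaches the client from host2's address, the client's socket has no matching connection and discards it, and the SYN is retransmitted until it times out. The second case connects, but host2 logs host1 as the peer and, if host1 is a trusted relay source, every client inherits that trust. The third case is Daniel Chemko's exception: when host2's only path to the client runs through host1, the reply is de-NATed on the way back and the original client address survives.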



* Re: TCP redirect external to external host
From: Michael Gale @ 2003-12-09 20:11 UTC (permalink / raw)
  To: netfilter


But could you now set up an iptables rule that says:

iptables -t nat -A PREROUTING -p tcp --dport 25 -j ....

I would have to double-check the REJECT target options to see if ICMP redirects are part of them.

Michael.



-- 
Michael Gale
Network Administrator
Utilitran Corporation

