* Redirecting ports on localhost
From: Fabiano Bonin @ 2004-03-30 12:46 UTC (permalink / raw)
  To: netfilter

I followed a thread about redirecting ports on localhost, but I still 
did not have success in my case.
I have a service listening on port 5050, just on the local interface, as 
shown below:

netstat -n -a -p | grep 5050
tcp        0      0 127.0.0.1:5050          0.0.0.0:*               LISTEN      7485/0

I need to access this service from other hosts through the ETH0 interface 
(IP 192.168.0.254). The other hosts are in the same network.
I already enabled the "NF_NAT_LOCAL" kernel option (btw, all netfilter 
options are enabled in my kernel), and the commands I'm using are these:

iptables -F
iptables -F -t nat
iptables -A OUTPUT -t nat -p tcp -o lo -d 192.168.0.254 --dport 5050 -j REDIRECT --to-ports 5050
echo "1" > /proc/sys/net/ipv4/ip_forward

After these commands, I can access the service on the eth0 interface 
from the server host itself, but not from other hosts in the same network.

What am I doing wrong?

Thanks.

* Re: Redirecting ports on localhost
From: David Cannings @ 2004-03-30 13:00 UTC (permalink / raw)
  To: netfilter

On Tuesday 30 March 2004 13:46, Fabiano Bonin wrote:
> I need to access this service from other hosts through ETH0 interface
> (ip 192.168.0.254). The other hosts are in the same network.
> I already enabled "NF_NAT_LOCAL" kernel option (btw, all netfilter
> options are enabled in my kernel), and the commands i'm using are
> these:

NF_NAT_LOCAL is for NAT'ing connections that originate on the local 
machine (i.e. the netfilter machine).  I don't believe it will do what you 
want, though I may be incorrect.

> iptables -F
> iptables -F -t nat
> iptables -A OUTPUT -t nat -p tcp -o lo -d 192.168.0.254 --dport 5050 -j
> REDIRECT --to-ports 5050
> echo "1" > /proc/sys/net/ipv4/ip_forward

I don't think you need anything special to do this; however, your rule says 
"any packets going out on loopback to 192.168.0.254".  The only machine 
on your network that would send packets to 192.168.0.254 on loopback is 
the machine with that IP itself.

Can you not make that daemon listen on an interface IP as well as 
127.0.0.1?  This way other hosts could connect to 192.168.0.254:5050.  
Other hosts that try to access port 5050 on your machine will simply come 
through the INPUT chain, no NAT needed.  If you can't, or don't want to 
for good reason, I am sure it would be possible with DNAT. 

Perhaps I misunderstand what you are trying to accomplish, apologies if 
so.

David

* Re: Redirecting ports on localhost
From: Fabiano Bonin @ 2004-03-30 14:15 UTC (permalink / raw)
  To: netfilter

> On Tuesday 30 March 2004 13:46, Fabiano Bonin wrote:

>> I need to access this service from other hosts through ETH0 interface
>> (ip 192.168.0.254). The other hosts are in the same network.
>> I already enabled "NF_NAT_LOCAL" kernel option (btw, all netfilter
>> options are enabled in my kernel), and the commands i'm using are
>> these:
> NF_NAT_LOCAL is for NAT'ing connections that originate on the local 
> machine (ie the netfilter machine).  I don't believe it will do what you 
> want though I may be incorrect.

>> iptables -F
>> iptables -F -t nat
>> iptables -A OUTPUT -t nat -p tcp -o lo -d 192.168.0.254 --dport 5050 -j
>> REDIRECT --to-ports 5050
>> echo "1" > /proc/sys/net/ipv4/ip_forward

> I don't think you need anything special to do this however your rule says 
> "any packets going out on loopback to 192.168.0.254".  The only machine 
> on your network that would send packets to 192.168.0.254 on loopback is 
> the machine with that IP itself.

> Can you not make that daemon listen on an interface IP as well as 
> 127.0.0.1?  This way other hosts could connect to 192.168.0.254:5050.  
> Other hosts that try to access port 5050 on your machine will simply come 
> through the INPUT chain, no NAT needed.  If you can't, or don't want to 
> for good reason, I am sure it would be possible with DNAT. 

This daemon is an SSH tunnel to a remote machine. I couldn't enable interfaces other than lo to listen on that port, even after enabling the option 'remote ports accept connections from other hosts' in the client program (PuTTY). I'm almost sure this is an SSH protocol limitation for security reasons, so probably my only choice is through iptables.

> Perhaps I misunderstand what you are trying to accomplish, apologies if 
> so.

Most probably you understood what I am trying to do, and the way I'm trying (as shown in the examples) is entirely wrong. I have used iptables a few times before and I'm not skilled with it.

Maybe you can show the command needed for my case (i.e., using DNAT as you mentioned above). Sorry if I'm asking too much...
I just need the hosts on my local network to be able to access this port through the server's eth0.

Thanks again.

> David

* Re: Redirecting ports on localhost
From: David Cannings @ 2004-03-30 19:13 UTC (permalink / raw)
  To: netfilter

On Tuesday 30 March 2004 15:15, Fabiano Bonin wrote:
>  > On Tuesday 30 March 2004 13:46, Fabiano Bonin wrote:
> >> iptables -F
> >> iptables -F -t nat
> >> iptables -A OUTPUT -t nat -p tcp -o lo -d 192.168.0.254 --dport 5050
> >> -j REDIRECT --to-ports 5050
> >> echo "1" > /proc/sys/net/ipv4/ip_forward
> > I don't think you need anything special to do this however your rule
> > says "any packets going out on loopback to 192.168.0.254".  The only
> > machine on your network that would send packets to 192.168.0.254 on
> > loopback is the machine with that IP itself.
> > Perhaps I misunderstand what you are trying to accomplish, apologies
> > if so.
>
> Most probably you understood what I am trying to do, and the way I'm
> trying (as shown in the examples) is entirely wrong. I have used iptables
> a few times before and I'm not skilled with it.
>
> Maybe you can show the command needed for my case (i.e., using DNAT as
> you mentioned above). Sorry if I'm asking too much... I just need the hosts
> on my local network to be able to access this port through the server's eth0.

http://netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.2

I've linked to the English HTML version of the HOWTO; other languages and 
formats are available at:

http://netfilter.org/documentation/index.html#documentation-howto

Have a read, see if you can make some sense of it.  If not, post back with 
what you've tried and why it doesn't work.  For the record, I've never 
tried redirecting a port to localhost although I can see no reason why it 
would not work as any other does.  I will have to give it a go myself 
when I have a few minutes spare.

Hope that helps,

David

* Re: Redirecting ports on localhost
From: Tony Earnshaw @ 2004-03-30 22:03 UTC (permalink / raw)
  To: netfilter

Tue, 30.03.2004 at 21.13, David Cannings wrote:

> I've linked to the English HTML version of the HOWTO; other languages and 
> formats are available at:
> 
> http://netfilter.org/documentation/index.html#documentation-howto
> 
> Have a read, see if you can make some sense of it.  If not, post back with 
> what you've tried and why it doesn't work.  For the record, I've never 
> tried redirecting a port to localhost although I can see no reason why it 
> would not work as any other does.  I will have to give it a go myself 
> when I have a few minutes spare.

Hi David,

Dunno if you're the one responsible for the general Netfilter HOWTO. But
if so, could you please change "iplimit" to "connlimit"? I've used vi to
great effect after txt2html for my own copy, but I frigged around with
iplimit for a while with the non-existent iplimit first. I was *not*
pleased.

B.t.w., connlimit works a treat :)

Best,

--Tonni

-- 

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl

* Re: Redirecting ports on localhost
From: David Cannings @ 2004-03-30 22:31 UTC (permalink / raw)
  To: netfilter

On Tuesday 30 March 2004 23:03, Tony Earnshaw wrote:
> Tue, 30.03.2004 at 21.13, David Cannings wrote:
> > I've linked to the English HTML version of the HOWTO; other languages
> > and formats are available at:
> >
> > http://netfilter.org/documentation/index.html#documentation-howto
> >
> > Have a read, see if you can make some sense of it.  If not, post back
> > with what you've tried and why it doesn't work.  For the record, I've
> > never tried redirecting a port to localhost although I can see no
> > reason why it would not work as any other does.  I will have to give
> > it a go myself when I have a few minutes spare.
> Hi David,
> Dunno if you're the one responsible for the general Netfilter HOWTO.
> But if so, could you please change "iplimit" to "connlimit"? I've used
> vi to great effect after txt2html for my own copy, but I frigged around
> with iplimit for a while with the non-existent iplimit first. I was
> *not* pleased.

Definitely not; the only way I contribute to netfilter is helping out on 
the users mailing list.  I am unsure whether the source to the HOWTO 
documents is available; perhaps you could submit diffs for what you 
believe needs changing.

David

* Re: Redirecting ports on localhost
From: David Cannings @ 2004-03-30 22:33 UTC (permalink / raw)
  To: netfilter

On Tuesday 30 March 2004 20:13, David Cannings wrote:
> On Tuesday 30 March 2004 15:15, Fabiano Bonin wrote:
> >  > On Tuesday 30 March 2004 13:46, Fabiano Bonin wrote:
> > Maybe you can show the command needed to my case (i.e., using DNAT as
> > you told above). Sorry if i'm asking too much... I just need the
> > hosts on my local network can access this port through server's eth0.
>
> http://netfilter.org/documentation/HOWTO//NAT-HOWTO-6.html#ss6.2
>
> I've linked to the English HTML version of the HOWTO; other languages
> and formats are available at:
>
> http://netfilter.org/documentation/index.html#documentation-howto
>
> Have a read, see if you can make some sense of it.  If not, post back
> with what you've tried and why it doesn't work.  For the record, I've
> never tried redirecting a port to localhost although I can see no
> reason why it would not work as any other does.  I will have to give it
> a go myself when I have a few minutes spare.

As a followup I have found some time to play with this now.  Spending a 
few minutes on Google turned up a wealth of information regarding this 
problem.  One of the most useful posts was this one:

http://lists.netfilter.org/pipermail/netfilter/2002-November/040104.html

In short: by the looks of it you cannot DNAT to localhost as the kernel 
thinks that it is a martian packet.  As this is a rather old message I 
decided to investigate it myself.

I added a rule to the prerouting chain to DNAT port 3001 (a number I 
picked totally randomly) to 127.0.0.1:3000, this appears to work as far 
as netfilter is concerned, proof follows.  Note the key part of the last 
sentence: "as far as netfilter is concerned".

The following method works as expected in all aspects when the --to 
argument for DNAT is a local interface.  As this is what is expected I 
will not copy and paste proof.

Method:

Machine running netfilter is a 2.4.24 kernel which normally does 
masquerading for a network.  It is 192.168.0.100.

To test, I set netcat to listen on port 3000 on all interfaces in verbose 
mode.  I then used nmap from another machine on the network to scan the 
netfilter machine on port 3001 only.  A combination of netcat running on 
all interfaces and only bound to specific IPs (127.0.0.1, local interface 
IPs, etc) was used.

david@david david $ nmap -sT 192.168.0.100 -p 3001
(.. output snipped, port shown as closed ..)

gateway:~# nc -lp 3000 -o dump -vv
listening on [any] 3000 ...
 sent 0, rcvd 0

As you can see from the output, no packets are received by netcat before I 
terminate it, after nmap has reported the port is closed.

The packet counters in iptables are incremented however:

Extract from `iptables -t nat -L -v`:

   12   720 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpt:3001 to:127.0.0.1:3000

I added two -j LOG rules into the PREROUTING table, one before the DNAT 
rule and one after.

/var/log/messages shows that the packet reaches the PREROUTING chain but 
is not present immediately after the rule above, which shows that it was 
matched and netfilter handed it off for routing to 127.0.0.1.

Extract from /var/log/messages:

Mar 30 23:13:54 gateway kernel: IN=eth0 OUT= MAC=00:10:a7:07:bf:89:00:e0:18:f1:3c:b9:08:00 SRC=192.168.0.19 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63265 DF PROTO=TCP SPT=36128 DPT=3000 WINDOW=5840 RES=0x00 SYN URGP=0

For clarification, my FORWARD chain had a default ACCEPT policy for the 
duration of the test.

My only minor confusion comes from the fact that enabling logging of martian 
packets (`echo 1 >/proc/sys/net/ipv4/conf/all/log_martians`) does not 
output any information to either syslog or messages.  If this were a 
martians problem I would have expected some form of logging output from 
enabling it.

I have not had time to inspect the kernel source file mentioned in the 
post I linked to.  It would be good to see if the match for packets to 
127/8 still counts a source of !127/8 as invalid, somebody here might be 
able to tell us.

Perhaps there is something quite fundamentally wrong with the method I 
used to test; if so, I hope somebody can point this out to me.  I also 
hope the evidence I've provided gives enough basis for me to say that 
whilst DNAT works as far as netfilter is concerned, the packets "just 
don't get there".  My assumption is that this is caused by the problem 
described in the archived message above; therefore DNAT to loopback will 
not work as expected.

Apologies for the long message, it is a consequence of my attempt at being 
thorough.

David
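The test David describes, written up as an added example that is not from the thread: a LOG rule before the DNAT rule, the DNAT to loopback, and a LOG rule where the rewritten packet would land, plus a small parser for the kernel LOG lines so the two can be compared. It assumes the thread's interface and ports (eth0, 3001 to 127.0.0.1:3000); the second log line is constructed to show the post-DNAT shape and is not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces David's test: a LOG rule
# before the DNAT rule, the DNAT to loopback, and a LOG rule placed where the
# rewritten packet would land, so that the two LOG lines can be compared.
# Assumptions: interface eth0, test ports 3001 -> 127.0.0.1:3000 (from the
# thread), kernel martian logging enabled. Needs root; not run by the tests.
install_test_rules() {
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3001 \
        -j LOG --log-prefix "pre-dnat: "
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3001 \
        -j DNAT --to-destination 127.0.0.1:3000
    # DNAT is a terminating target: a LOG rule appended after it in the same
    # chain never sees the matched packets. After DNAT the destination is
    # local, so log in filter/INPUT, where the packet arrives unless the
    # routing code has already discarded it as a martian.
    iptables -A INPUT -i eth0 -p tcp -d 127.0.0.1 --dport 3000 \
        -j LOG --log-prefix "post-dnat: "
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
}

# Log line from the thread (pre-DNAT shape: DST is the eth0 address).
THREAD_LINE='Mar 30 23:13:54 gateway kernel: IN=eth0 OUT= MAC=00:10:a7:07:bf:89:00:e0:18:f1:3c:b9:08:00 SRC=192.168.0.19 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63265 DF PROTO=TCP SPT=36128 DPT=3000 WINDOW=5840 RES=0x00 SYN URGP=0'
# Constructed line: what the post-dnat LOG rule would print if it fired.
POST_DNAT_LINE='Mar 30 23:13:54 gateway kernel: post-dnat: IN=eth0 OUT= MAC=00:10:a7:07:bf:89:00:e0:18:f1:3c:b9:08:00 SRC=192.168.0.19 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63265 DF PROTO=TCP SPT=36128 DPT=3000 WINDOW=5840 RES=0x00 SYN URGP=0'

# log_field LINE KEY: value of KEY= in a netfilter LOG line (empty if absent).
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# loopback_martian LINE: true when a packet that did NOT arrive on lo is
# addressed to 127/8, i.e. the case the kernel treats as a martian
# destination after DNAT to localhost.
loopback_martian() {
    dst=$(log_field "$1" DST)
    indev=$(log_field "$1" IN)
    case "$dst" in
        127.*) [ "$indev" != lo ] ;;
        *) return 1 ;;
    esac
}

# flow LINE: one-line summary "SRC:SPT -> DST:DPT via IN" for eyeballing.
flow() {
    printf '%s:%s -> %s:%s via %s\n' "$(log_field "$1" SRC)" "$(log_field "$1" SPT)" \
        "$(log_field "$1" DST)" "$(log_field "$1" DPT)" "$(log_field "$1" IN)"
}
```

With the rules in place, a "pre-dnat:" line without a matching "post-dnat:" line for the same SRC/SPT is the symptom the thread describes: netfilter rewrote the packet, but it never reached INPUT.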

* Re: Redirecting ports on localhost
From: Tony Earnshaw @ 2004-03-31  0:40 UTC (permalink / raw)
  To: netfilter

Wed, 31.03.2004 at 00.31, David Cannings wrote:
> > Hi David,
> > Dunno if you're the one responsible for the general Netfilter HOWTO.
> > But if so, could you please change "iplimit" to "connlimit"? I've used
> > vi to great effect after txt2html for my own copy, but I frigged around
> > with iplimit for a while with the non-existent iplimit first. I was
> > *not* pleased.
> 
> Definitely not; the only way I contribute to netfilter is helping out on 
> the users mailing list.  I am unsure whether the source to the HOWTO 
> documents is available; perhaps you could submit diffs for what you 
> believe needs changing.

:g/iplimit/s//connlimit/g

--Tonni

-- 

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl