From: "Grace Li"
Subject: How does iptables redirect a packet that is not addressed to its local machine
Date: Wed, 7 Apr 2004 18:16:07 -0700
Sender: netfilter-devel-admin@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Hi,

I am just wondering if anybody could explain what happened in the following experiments:

Client (192.168.1.134) tries to connect to port 1888 of Server (192.168.1.115) through Gateway (192.168.1.1). In the Gateway, iptables has been instructed to redirect traffic on port 1888 to 2000 (iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-ports 2000).

The result of my experiments is that the application on Gateway which listens on port 2000 could not get anything, while Server receives everything expected on its port 1888. So my question is: did iptables do anything here?

Many thanks,

Grace

From: "Nicholas E. Walker"
Subject: Re: How does iptables redirect a packet that is not addressed to its local machine
Date: Wed, 7 Apr 2004 18:44:32 -0400
Message-ID: <20040407224432.GE15963@vernix.org>
To: netfilter-devel@lists.netfilter.org

On Wed, Apr 07, 2004 at 06:16:07PM -0700, Grace Li wrote:
> I am just wondering if anybody could explain what happened in the following experiments:
>
> Client (192.168.1.134) tries to connect to port 1888 of Server
> (192.168.1.115) through Gateway (192.168.1.1). In the Gateway, the iptables
> has been instructed to redirect traffic on port 1888 to 2000 (iptables -t
> nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-ports 2000 ).
>
> The results of my experiments is that the application on Gateway who listens
> to port 2000 could not get anything, while Server receives everything
> expected on its port 1888. So my question is that did iptables do anything
> here?

If I understand what you are trying to do correctly, you need to use the
DNAT target instead of the REDIRECT target. The REDIRECT target is for
intercepting packets and redirecting them to ports on the gateway
machine.

Try:

    iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.1.115 --dport 1888 \
        -j DNAT --to-destination 192.168.1.115:2000

I don't believe there is a target for re-mapping destination ports
without re-mapping addresses. One cannot simply change the destination
port on the packet as it passes through, because the source port on
packets coming back from the server needs to be mangled as well.
Nicholas

From: Henrik Nordstrom
Subject: Re: How does iptables redirect a packet that is not addressed to its local machine
Date: Thu, 8 Apr 2004 00:48:33 +0200 (CEST)
To: Grace Li
Cc: netfilter-devel@lists.netfilter.org

On Wed, 7 Apr 2004, Grace Li wrote:

> Hi,
>
> I am just wondering if anybody could explain what happened in the following experiments:
>
> Client (192.168.1.134) tries to connect to port 1888 of Server
> (192.168.1.115) through Gateway (192.168.1.1). In the Gateway, the iptables
> has been instructed to redirect traffic on port 1888 to 2000 (iptables -t
> nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-ports 2000 ).

Works here...

> The results of my experiments is that the application on Gateway who listens
> to port 2000 could not get anything, while Server receives everything
> expected on its port 1888. So my question is that did iptables do anything
> here?

No idea. This is a kind of thing which has always worked for me, but you are
the second person in a few days reporting this is not working..

Exactly what kernel and iptables version are you using on the gateway? What
does "iptables-save -t nat" give?

Regards
Henrik

From: "Nicholas E. Walker"
Subject: Re: How does iptables redirect a packet that is not addressed to its local machine
Date: Wed, 7 Apr 2004 19:06:25 -0400
Message-ID: <20040407230625.GF15963@vernix.org>
In-Reply-To: <20040407224432.GE15963@vernix.org>
To: netfilter-devel@lists.netfilter.org

I misread. Apologies.

Nicholas

On Wed, Apr 07, 2004 at 06:44:32PM -0400, Nicholas E. Walker wrote:
> On Wed, Apr 07, 2004 at 06:16:07PM -0700, Grace Li wrote:
> > I am just wondering if anybody could explain what happened in the following experiments:
> >
> > Client (192.168.1.134) tries to connect to port 1888 of Server
> > (192.168.1.115) through Gateway (192.168.1.1). In the Gateway, the iptables
> > has been instructed to redirect traffic on port 1888 to 2000 (iptables -t
> > nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-ports 2000 ).
> >
> > The results of my experiments is that the application on Gateway who listens
> > to port 2000 could not get anything, while Server receives everything
> > expected on its port 1888. So my question is that did iptables do anything
> > here?
>
> If I understand what you are trying to do correctly, you need to use the
> DNAT target instead of the REDIRECT target. The REDIRECT target is for
> intercepting packets and redirecting them to ports on the gateway
> machine.
>
> Try:
>
>     iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.1.115 --dport 1888 \
>         -j DNAT --to-destination 192.168.1.115:2000
>
> I don't believe there is a target for re-mapping destination ports
> without re-mapping addresses. One cannot simply change the destination
> port on the packet as it passes through, because the source port on
> packets coming back from the server needs to be mangled as well.
>
> Nicholas
>

From: Phil Oester
Subject: Re: How does iptables redirect a packet that is not addressed to its local machine
Date: Wed, 7 Apr 2004 16:40:58 -0700
Message-ID: <20040407234058.GA13050@linuxace.com>
To: Grace Li
Cc: netfilter-devel@lists.netfilter.org

Perhaps you haven't added a corresponding rule to the INPUT table to
actually allow port 2000 to the gateway?

Phil

On Wed, Apr 07, 2004 at 06:16:07PM -0700, Grace Li wrote:
> Hi,
>
> I am just wondering if anybody could explain what happened in the following experiments:
>
> Client (192.168.1.134) tries to connect to port 1888 of Server
> (192.168.1.115) through Gateway (192.168.1.1). In the Gateway, the iptables
> has been instructed to redirect traffic on port 1888 to 2000 (iptables -t
> nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-ports 2000 ).
>
> The results of my experiments is that the application on Gateway who listens
> to port 2000 could not get anything, while Server receives everything
> expected on its port 1888. So my question is that did iptables do anything
> here?
>
> Many thanks,
>
> Grace
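The two rulesets the thread has been circling, written out as an added example (this is not code from Grace, Nicholas or Phil) in iptables-restore format. The REDIRECT variant is what Grace describes wanting: REDIRECT is a DNAT to the primary address of the interface the packet arrived on, so a SYN for 192.168.1.115:1888 entering eth0 becomes a SYN for 192.168.1.1:2000, is delivered locally and has to pass the filter INPUT chain, which is Phil's point; it never touches FORWARD. The DNAT variant is Nicholas's first reading, for a listener on the server: the packet stays on the forwarding path, passes filter FORWARD with the post-NAT port, and needs ip_forward on the gateway. The hosts and ports are Grace's; the interface name eth0, the 192.168.1.0/24 scoping and the `-d 192.168.1.115` match are assumptions added so the rules do not grab every port-1888 flow that enters the box. Note the option is spelled `--to-ports`.

```shell
#!/bin/sh
# Added example, not code from the thread: the two PREROUTING variants
# discussed above, each with the filter rule it needs, in iptables-restore
# format. Hosts and ports are Grace's; GW_IF and CLIENT_NET are assumptions.
#
# REDIRECT is a DNAT to the primary address of the interface the packet
# arrived on: a SYN for 192.168.1.115:1888 entering eth0 becomes a SYN for
# 192.168.1.1:2000, is delivered locally and passes filter INPUT, never
# FORWARD. DNAT --to-destination keeps the packet on the forwarding path,
# so it passes filter FORWARD and needs ip_forward on the gateway.

GW_IF=eth0                 # interface facing the client (assumed)
CLIENT_NET=192.168.1.0/24  # assumed; scopes the rules to the LAN
SERVER=192.168.1.115
ORIG_PORT=1888
NEW_PORT=2000

# Variant 1: intercept on the gateway itself (Grace's goal). The option is
# --to-ports; -d scopes the rule so it does not catch every port-1888 flow.
redirect_ruleset() {
    cat <<EOF
*nat
-A PREROUTING -i $GW_IF -p tcp -s $CLIENT_NET -d $SERVER --dport $ORIG_PORT -j REDIRECT --to-ports $NEW_PORT
COMMIT
*filter
# after REDIRECT the packet is addressed to the gateway: accept it in INPUT
-A INPUT -i $GW_IF -p tcp -s $CLIENT_NET --dport $NEW_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Variant 2: send the flow to port 2000 on the server (Nicholas's first
# reading). filter FORWARD sees the post-NAT destination port; conntrack
# reverses the mapping on the replies, so a generic ESTABLISHED rule covers
# the return direction.
dnat_ruleset() {
    cat <<EOF
*nat
-A PREROUTING -i $GW_IF -p tcp -s $CLIENT_NET -d $SERVER --dport $ORIG_PORT -j DNAT --to-destination $SERVER:$NEW_PORT
COMMIT
*filter
-A FORWARD -i $GW_IF -p tcp -s $CLIENT_NET -d $SERVER --dport $NEW_PORT -m state --state NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load one variant into the running kernel. Root on the gateway; not run
# here. --noflush keeps whatever other rules are already loaded.
apply_ruleset() {
    case "$1" in
        redirect) redirect_ruleset | iptables-restore --noflush ;;
        dnat)     echo 1 > /proc/sys/net/ipv4/ip_forward
                  dnat_ruleset | iptables-restore --noflush ;;
        *)        echo "usage: apply_ruleset redirect|dnat" >&2; return 2 ;;
    esac
}

# Print the chosen variant when run directly, e.g. `sh nat-variants.sh dnat`;
# with no argument the script only defines the functions.
case "${1:-}" in
    redirect|dnat) "${1}_ruleset" ;;
esac
```

Review the output of `redirect_ruleset` or `dnat_ruleset` first, then load it with `apply_ruleset redirect` (or `dnat`) as root on the gateway. Keep in mind that the nat table is consulted only for the first packet of each connection, so an existing conntrack entry from an earlier attempt is not rewritten by a rule added afterwards; start a fresh connection after loading.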
From: wanghtb@legend.com.cn
Subject: Re: How does iptables redirect a packet that is not addressed to its local machine
Date: Thu, 8 Apr 2004 09:47:15 +0800
To: netfilter-devel@lists.netfilter.org
Cc: zheyinli@hotmail.com

Hi,

I wonder if the Client and the Server are in the same network, in which case the Gateway will send an ICMP Redirect message to make the Client access the Server directly. Please check the netmask of the machines and use tcpdump on the Gateway to see what happens :-)

>Hi,
>
>I am just wondering if anybody could explain what happened in the
>following experiments:
>Client (192.168.1.134) tries to connect to port 1888 of Server
>(192.168.1.115) through Gateway (192.168.1.1). In the Gateway, the
>iptables
>has been instructed to redirect traffic on port 1888 to 2000 (iptables
>-t
>nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-ports 2000
>).
>
>The results of my experiments is that the application on Gateway who
>listens
>to port 2000 could not get anything, while Server receives everything
>expected on its port 1888. So my question is that did iptables do
>anything
>here?
>
>Many thanks,
>
>Grace
From: zhi wang
Subject: Re: How does iptables redirect a packet that is not addressed to its local machine
Date: Wed, 7 Apr 2004 22:44:18 -0700 (PDT)
Message-ID: <20040408054418.1592.qmail@web41701.mail.yahoo.com>
To: Grace Li
Cc: Netfilter Develop

> Client (192.168.1.134) tries to connect to port 1888 of Server
> (192.168.1.115) through Gateway (192.168.1.1). In the Gateway, the iptables
> has been instructed to redirect traffic on port 1888 to 2000 (iptables -t
> nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-ports 2000 ).

At the client execute:

    traceroute -n 192.168.1.115

to make sure that the client DID send the packet to the gateway
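The three follow-up questions in the thread (Henrik: which nat rules are actually loaded and on what kernel; wanghtb: do client and server share a subnet; zhi wang: does the SYN reach the gateway at all) come down to one thing: a PREROUTING rule can only rewrite packets that enter the gateway. If the client's netmask puts 192.168.1.115 on its own link, the client resolves the server with ARP and sends straight to it, the gateway never sees the SYN, and the result is exactly Grace's symptom: the port-2000 listener stays silent and the server receives everything on 1888. The following is an added example, not code from any poster: `same_subnet` does that netmask check in plain shell arithmetic, and the `gateway_*` functions wrap the checks Henrik and wanghtb asked for, to be run as root on the gateway. The addresses are Grace's; the /24 and the interface name eth0 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: checks for the follow-up
# questions above (Henrik: which rules are loaded; wanghtb: are client and
# server on one subnet; zhi wang: does the SYN reach the gateway at all).
# same_subnet is pure shell arithmetic and runs anywhere; the gateway_*
# functions run iptables/tcpdump and are for use as root on the gateway.
# Addresses are Grace's; prefix lengths and the interface name are assumed.

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as an integer (24 -> 0xffffff00).
prefix2mask() {
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# "yes" when client and server are on one link according to the client's
# netmask. Then the client ARPs for the server and sends to it directly;
# the gateway never sees the SYN and no PREROUTING rule can fire, which
# matches Grace's symptom (listener silent, server gets everything).
same_subnet() {   # same_subnet CLIENT_IP SERVER_IP PREFIXLEN
    mask=$(prefix2mask "$3")
    if [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]; then
        echo yes
    else
        echo no
    fi
}

# Henrik's question: the nat table as the kernel holds it, plus versions.
gateway_show_nat() {
    echo "kernel: $(uname -r)"
    iptables --version
    iptables-save -t nat
}

# Did the rule match at all? The nat table is consulted for the first
# packet of a connection only, so the PREROUTING counter grows by one per
# new flow. Zero the counters, make one connection attempt, read them back.
gateway_nat_counters() {
    iptables -t nat -Z PREROUTING
    echo "now connect from the client, then press Enter"; read -r _
    iptables -t nat -L PREROUTING -v -n -x
}

# Watch SYNs on the client-facing interface. No SYN for 1888 here means
# the packet never took the gateway path: check the client's routing table
# and netmask (zhi wang's traceroute -n 192.168.1.115 on the client).
gateway_watch_syns() {
    tcpdump -ni "${1:-eth0}" 'tcp[tcpflags] & tcp-syn != 0 and (port 1888 or port 2000)'
}

# Offline check with Grace's addresses, assuming the usual /24 (assumption).
if [ "$(same_subnet 192.168.1.134 192.168.1.115 24)" = yes ]; then
    echo "on a /24 the client reaches 192.168.1.115 directly; the gateway is not on the path"
fi
```

Run `gateway_nat_counters` while connecting from the client: a counter that stays at zero with the rule loaded means the SYN never entered eth0, and `gateway_watch_syns` will confirm it; a counter that increments while the listener still sees nothing points at the filter INPUT chain on the gateway instead.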