* How does iptables redirect a packet that is not addressed to its local machine
From: Grace Li @ 2004-04-08 1:16 UTC (permalink / raw)
To: netfilter-devel
Hi,
I am just wondering if anybody could explain what happened in the following experiments:
Client (192.168.1.134) tries to connect to port 1888 of Server
(192.168.1.115) through Gateway (192.168.1.1). On the Gateway, iptables
has been instructed to redirect traffic on port 1888 to 2000 (iptables -t
nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-port 2000).
The result of my experiments is that the application on the Gateway which listens
on port 2000 could not get anything, while the Server receives everything
expected on its port 1888. So my question is: did iptables do anything
here?
Many thanks,
Grace
* Re: How does iptables redirect a packet that is not addressed to its local machine
From: Nicholas E. Walker @ 2004-04-07 22:44 UTC (permalink / raw)
To: netfilter-devel
On Wed, Apr 07, 2004 at 06:16:07PM -0700, Grace Li wrote:
> I am just wondering if anybody could explain what happened in the following experiments:
>
> Client (192.168.1.134) tries to connect to port 1888 of Server
> (192.168.1.115) through Gateway (192.168.1.1). On the Gateway, iptables
> has been instructed to redirect traffic on port 1888 to 2000 (iptables -t
> nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-port 2000).
>
> The result of my experiments is that the application on the Gateway which listens
> on port 2000 could not get anything, while the Server receives everything
> expected on its port 1888. So my question is: did iptables do anything
> here?
If I understand what you are trying to do correctly, you need to use the
DNAT target instead of the REDIRECT target. The REDIRECT target is for
intercepting packets and redirecting them to ports on the gateway
machine.
Try:
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.1.115 --dport 1888 \
-j DNAT --to-destination 192.168.1.115:2000
I don't believe there is a target for re-mapping destination ports
without re-mapping addresses. One cannot simply change the destination
port on the packet as it passes through, because the source port on
packets coming back from the server needs to be mangled as well.
Nicholas
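As an added illustration (not code from this thread and not netfilter code), here is a small Python model of what the nat PREROUTING step does with Grace's REDIRECT rule versus Nicholas's DNAT rule, and of the reverse mapping that rewrites the server's reply back to the original destination port; the gateway address 192.168.1.1 and the 1888/2000 ports come from the thread, the tuple-keyed flow table is a constructed simplification of conntrack.

```python
"""Constructed toy model of the nat PREROUTING step for this thread's setup.
It is not netfilter code: it only shows (1) where REDIRECT and DNAT send
Grace's packet and (2) the reverse mapping Nicholas mentions for replies."""
from dataclasses import dataclass, replace

GATEWAY_IP = "192.168.1.1"   # primary address of eth0 on the gateway (from the thread)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatTable:
    """Conntrack-style NAT table: remembers the original destination per flow."""

    def __init__(self):
        # (client, client port, translated dst, translated dport) -> original (dst, dport)
        self.flows = {}

    def prerouting(self, pkt, rule):
        """Apply one PREROUTING rule matching --dport 1888.
        rule is ("REDIRECT", port) or ("DNAT", ip, port).
        Returns (possibly translated packet, chain the packet goes to next)."""
        if pkt.dport != 1888:              # rule does not match: untouched, routed normally
            return pkt, self._route(pkt)
        if rule[0] == "REDIRECT":
            # REDIRECT is a DNAT to the address of the interface the packet arrived on
            new = replace(pkt, dst=GATEWAY_IP, dport=rule[1])
        elif rule[0] == "DNAT":
            new = replace(pkt, dst=rule[1], dport=rule[2])
        else:
            raise ValueError(f"unknown target {rule[0]}")
        self.flows[(new.src, new.sport, new.dst, new.dport)] = (pkt.dst, pkt.dport)
        return new, self._route(new)

    @staticmethod
    def _route(pkt):
        # Routing decision after nat: local address -> INPUT chain, anything else -> FORWARD
        return "INPUT" if pkt.dst == GATEWAY_IP else "FORWARD"

    def untranslate_reply(self, pkt):
        """Reply from the translated destination: put the original dst/port back
        into the source fields so the client sees the server:1888 it connected to."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        orig_dst, orig_dport = self.flows[key]
        return replace(pkt, src=orig_dst, sport=orig_dport)
```

The REDIRECT case ends up in the INPUT chain of the gateway, which is why a filter rule there also has to accept port 2000; the DNAT case is forwarded to the server.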
* Re: How does iptables redirect a packet that is not addressed to its local machine
From: Nicholas E. Walker @ 2004-04-07 23:06 UTC (permalink / raw)
To: netfilter-devel
I misread. Apologies.
Nicholas
On Wed, Apr 07, 2004 at 06:44:32PM -0400, Nicholas E. Walker wrote:
> On Wed, Apr 07, 2004 at 06:16:07PM -0700, Grace Li wrote:
> > I am just wondering if anybody could explain what happened in the following experiments:
> >
> > Client (192.168.1.134) tries to connect to port 1888 of Server
> > (192.168.1.115) through Gateway (192.168.1.1). On the Gateway, iptables
> > has been instructed to redirect traffic on port 1888 to 2000 (iptables -t
> > nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-port 2000).
> >
> > The result of my experiments is that the application on the Gateway which listens
> > on port 2000 could not get anything, while the Server receives everything
> > expected on its port 1888. So my question is: did iptables do anything
> > here?
>
> If I understand what you are trying to do correctly, you need to use the
> DNAT target instead of the REDIRECT target. The REDIRECT target is for
> intercepting packets and redirecting them to ports on the gateway
> machine.
>
> Try:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.1.115 --dport 1888 \
> -j DNAT --to-destination 192.168.1.115:2000
>
> I don't believe there is a target for re-mapping destination ports
> without re-mapping addresses. One cannot simply change the destination
> port on the packet as it passes through, because the source port on
> packets coming back from the server needs to be mangled as well.
>
> Nicholas
>
* Re: How does iptables redirect a packet that is not addressed to its local machine
From: Henrik Nordstrom @ 2004-04-07 22:48 UTC (permalink / raw)
To: Grace Li; +Cc: netfilter-devel
On Wed, 7 Apr 2004, Grace Li wrote:
> Hi,
>
> I am just wondering if anybody could explain what happened in the following experiments:
>
> Client (192.168.1.134) tries to connect to port 1888 of Server
> (192.168.1.115) through Gateway (192.168.1.1). On the Gateway, iptables
> has been instructed to redirect traffic on port 1888 to 2000 (iptables -t
> nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-port 2000).
Works here...
> The result of my experiments is that the application on the Gateway which listens
> on port 2000 could not get anything, while the Server receives everything
> expected on its port 1888. So my question is: did iptables do anything
> here?
No idea. This is the kind of thing which has always worked for me, but you
are the second person in a few days reporting that this is not working.
Exactly what kernel and iptables version are you using on the gateway?
What does "iptables-save -t nat" give?
Regards
Henrik
* Re: How does iptables redirect a packet that is not addressed to its local machine
From: Phil Oester @ 2004-04-07 23:40 UTC (permalink / raw)
To: Grace Li; +Cc: netfilter-devel
Perhaps you haven't added a corresponding rule to the INPUT table
to actually allow port 2000 to the gateway?
Phil
On Wed, Apr 07, 2004 at 06:16:07PM -0700, Grace Li wrote:
> Hi,
>
> I am just wondering if anybody could explain what happened in the following experiments:
>
> Client (192.168.1.134) tries to connect to port 1888 of Server
> (192.168.1.115) through Gateway (192.168.1.1). On the Gateway, iptables
> has been instructed to redirect traffic on port 1888 to 2000 (iptables -t
> nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-port 2000).
>
> The result of my experiments is that the application on the Gateway which listens
> on port 2000 could not get anything, while the Server receives everything
> expected on its port 1888. So my question is: did iptables do anything
> here?
>
> Many thanks,
>
> Grace
>
* Re: How does iptables redirect a packet that is not addressed to its local machine
From: zhi wang @ 2004-04-08 5:44 UTC (permalink / raw)
To: Grace Li; +Cc: Netfilter Develop
> Client (192.168.1.134) tries to connect to port 1888 of Server
> (192.168.1.115) through Gateway (192.168.1.1). On the Gateway, iptables
> has been instructed to redirect traffic on port 1888 to 2000 (iptables -t
> nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-port 2000).
At the client execute:
traceroute -n 192.168.1.115
to make sure that the client DID send the packet to the gateway.
* Re: How does iptables redirect a packet that is not addressed to its local machine
From: wanghtb @ 2004-04-08 1:47 UTC (permalink / raw)
To: netfilter-devel; +Cc: zheyinli
Hi, I wonder if the Client and the Server are in the same network,
in which case the Gateway will send an ICMP Redirect message to
make the Client access the Server directly.
Please check the netmask of the machines and use tcpdump on the
Gateway to capture packets and see what happens :-)
>Hi,
>
>I am just wondering if anybody could explain what happened in the
>following experiments:
>Client (192.168.1.134) tries to connect to port 1888 of Server
>(192.168.1.115) through Gateway (192.168.1.1). On the Gateway, iptables
>has been instructed to redirect traffic on port 1888 to 2000 (iptables -t
>nat -A PREROUTING -i eth0 -p tcp --dport 1888 -j REDIRECT --to-port 2000).
>
>The result of my experiments is that the application on the Gateway which
>listens on port 2000 could not get anything, while the Server receives
>everything expected on its port 1888. So my question is: did iptables do
>anything here?
>
>Many thanks,
>
>Grace