Redirect ports on localhost

Redirect ports on localhost

[Ben Yerushalmi]

Hi,

I'm trying to redirect traffic on my DNS server. I have bind listening 
on port 5300 (UDP) instead of 53. I've got it working from the internal 
network but seem to have problem on redirecting localhost traffic. I've 
tried changing both PREROUTING and OUTPUT chains in the nat table but it 
doesn't seem to help.

iptables -A PREROUTING -t nat -p udp -i lo --dport domain -j REDIRECT 
--to-ports 5300

and

iptables -A OUTPUT -t nat -p udp -d localhost  --dport domain -j 
REDIRECT --to-ports 5300


Anyone have luck doing this? What am I missing?

Thanks,
Ben

Re: Redirect ports on localhost

[forum]

> I'm trying to redirect traffic on my DNS server. I have bind listening
> on port 5300 (UDP) instead of 53. I've got it working from the internal
> network but seem to have problem on redirecting localhost traffic. I've
> tried changing both PREROUTING and OUTPUT chains in the nat table but it
> doesn't seem to help.
> 
> iptables -A PREROUTING -t nat -p udp -i lo --dport domain -j REDIRECT
> --to-ports 5300

Absolutely incredible, within the past 15 minutes I have been trying to do 
the exact same thing with you -- also, with no luck. Using tcpdump I know 
that the port 53 packets are there, but from the DNS server logs I know 
that the packets never arrive at port 5300. I tried (unsuccessfuly) to add 
essentially the same PREROUTING rule.

Since this worked on my external interfaces but not lo, I'm thinking that 
maybe PREROUTING doesn't apply to lo? I don't know. The caveat I had 
encountered when doing this for another interface was making sure that the 
packet is accepted on that port in the INPUT chain, but that's not the case 
here for me.

-- 
forum@users.pc9.org

RE: Redirect ports on localhost

[Mark E. Donaldson]

I remember struggling with this a while.  Beat my head against the wall for
a month.  I finally discovered (after enabling bind debugging mode) the
problem was in my named.conf file:

##########################
# PORTS
##########################
# The listen-on record contains a list of local network interfaces to listen
on. Optionally the port can be
# specified. Default is to listen on all interfaces found on your system.
The default port is 53.
	listen-on port 53 { 192.168.1.1; };
	query-source address * port 53;

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of
forum@users.pc9.org
Sent: Tuesday, March 23, 2004 6:01 PM
To: netfilter@lists.netfilter.org
Subject: Re: Redirect ports on localhost

> I'm trying to redirect traffic on my DNS server. I have bind listening 
> on port 5300 (UDP) instead of 53. I've got it working from the 
> internal network but seem to have problem on redirecting localhost 
> traffic. I've tried changing both PREROUTING and OUTPUT chains in the 
> nat table but it doesn't seem to help.
> 
> iptables -A PREROUTING -t nat -p udp -i lo --dport domain -j REDIRECT 
> --to-ports 5300

Absolutely incredible, within the past 15 minutes I have been trying to do
the exact same thing with you -- also, with no luck. Using tcpdump I know
that the port 53 packets are there, but from the DNS server logs I know that
the packets never arrive at port 5300. I tried (unsuccessfuly) to add
essentially the same PREROUTING rule.

Since this worked on my external interfaces but not lo, I'm thinking that
maybe PREROUTING doesn't apply to lo? I don't know. The caveat I had
encountered when doing this for another interface was making sure that the
packet is accepted on that port in the INPUT chain, but that's not the case
here for me.

-- 
forum@users.pc9.org

RE: Redirect ports on localhost

[forum]

> I remember struggling with this a while.  Beat my head against the wall
> for a month.  I finally discovered (after enabling bind debugging mode)
> the problem was in my named.conf file:
> 
> ##########################
> # PORTS
> ##########################
> # The listen-on record contains a list of local network interfaces to
> listen on. Optionally the port can be
> # specified. Default is to listen on all interfaces found on your
> system. The default port is 53.
>     listen-on port 53 { 192.168.1.1; };
>     query-source address * port 53;

This isn't the case for me, though -- in fact, I'm not using BIND but 
rather rbldnsd and specifying that I wish to listen on all interfaces. And 
I know it does respond, because if I run 'nslookup' and then 'set port=
5300' and make my query, there is a response.

But if the port is on the default 53, the PREROUTING doesn't appear to 
rewrite the destination port.

-- 
forum@users.pc9.org

Re: Redirect ports on localhost

[Alexander Samad]

[-- Attachment #1: Type: text/plain, Size: 802 bytes --]

On Tue, Mar 23, 2004 at 01:10:21PM -0700, Ben Yerushalmi wrote:
> Hi,
> 
> I'm trying to redirect traffic on my DNS server. I have bind listening 
> on port 5300 (UDP) instead of 53. I've got it working from the internal 
> network but seem to have problem on redirecting localhost traffic. I've 
> tried changing both PREROUTING and OUTPUT chains in the nat table but it 
> doesn't seem to help.
> 
> iptables -A PREROUTING -t nat -p udp -i lo --dport domain -j REDIRECT 
> --to-ports 5300
> 
> and
> 
> iptables -A OUTPUT -t nat -p udp -d localhost  --dport domain -j 
> REDIRECT --to-ports 5300
might be of target but will the destination be localhost or the real ip
address ?

A

> 
> 
> Anyone have luck doing this? What am I missing?
> 
> Thanks,
> Ben
> 
> 
> 
> 

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Redirect ports on localhost

[Ben Yerushalmi]

I have bind listening on port 5300 so named.conf isn't the problem.

I've been using tcpdump to try and troubleshoot the packets. Both the 
source and destination of the packet are localhost. I noticed that by 
changing the OUTPUT (and enabling "NAT_LOCAL" in my linux 2.4.25 
kernel), tcpdump is fooled into thinking the packet is headed to port 
5300 but I think by that point the packet has passed the application 
layer and bind doesn't see the packet.

Also, I have the filter table accepting EVERYTHING.

# iptables -L -vn
Chain INPUT (policy ACCEPT 18907 packets, 1521K bytes)
  pkts bytes target     prot opt in     out     source               
destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               
destination

Chain OUTPUT (policy ACCEPT 18208 packets, 2540K bytes)
  pkts bytes target     prot opt in     out     source               
destination

#

On Mar 23, 2004, at 1:10 PM, Ben Yerushalmi wrote:

> Hi,
>
> I'm trying to redirect traffic on my DNS server. I have bind listening 
> on port 5300 (UDP) instead of 53. I've got it working from the 
> internal network but seem to have problem on redirecting localhost 
> traffic. I've tried changing both PREROUTING and OUTPUT chains in the 
> nat table but it doesn't seem to help.
>
> iptables -A PREROUTING -t nat -p udp -i lo --dport domain -j REDIRECT 
> --to-ports 5300
>
> and
>
> iptables -A OUTPUT -t nat -p udp -d localhost  --dport domain -j 
> REDIRECT --to-ports 5300
>
>
> Anyone have luck doing this? What am I missing?
>
> Thanks,
> Ben
>
>

Re: Redirect ports on localhost

[al clethero]

Recently I was trying to redirect traffic on the  localhost though for
different reasons. I finally came to the conclusion that localhost
packets aren't prerouted. Can anyone confirm this?

al

On Wed, 2004-03-24 at 15:14, Alexander Samad wrote:
> On Tue, Mar 23, 2004 at 01:10:21PM -0700, Ben Yerushalmi wrote:
> > Hi,
> > 
> > I'm trying to redirect traffic on my DNS server. I have bind listening 
> > on port 5300 (UDP) instead of 53. I've got it working from the internal 
> > network but seem to have problem on redirecting localhost traffic. I've 
> > tried changing both PREROUTING and OUTPUT chains in the nat table but it 
> > doesn't seem to help.
> > 
> > iptables -A PREROUTING -t nat -p udp -i lo --dport domain -j REDIRECT 
> > --to-ports 5300
> > 
> > and
> > 
> > iptables -A OUTPUT -t nat -p udp -d localhost  --dport domain -j 
> > REDIRECT --to-ports 5300
> might be of target but will the destination be localhost or the real ip
> address ?
> 
> A
> 
> > 
> > 
> > Anyone have luck doing this? What am I missing?
> > 
> > Thanks,
> > Ben
> > 
> > 
> > 
> > 

Re: Redirect ports on localhost

[Ben Yerushalmi]

Looks like changing the OUTPUT chain did actually work in redirecting 
localhost traffic. On the Linux 2.4 kernel you will need to enable the 
"NF_NAT_LOCAL" kernel option.

Thanks everyone for their help.

Ben

Re: Redirect ports on localhost

[Fabiano Bonin]

>
>
>Date: Thu, 25 Mar 2004 00:34:11 -0700
>From: Ben Yerushalmi <beny@pd.verio.net>
>Subject: Re: Redirect ports on localhost
>To: netfilter@lists.netfilter.org
>
>Looks like changing the OUTPUT chain did actually work in redirecting 
>localhost traffic. On the Linux 2.4 kernel you will need to enable the 
>"NF_NAT_LOCAL" kernel option.
>
>Thanks everyone for their help.
>
>Ben
>  
>
Could you provide a complete example of how to do all this?
I think it will solve some of my problems.

Thanks

Re: Redirect ports on localhost

[David Cannings]

On Thursday 25 March 2004 19:47, Fabiano Bonin wrote:
> >From: Ben Yerushalmi <beny@pd.verio.net>
> >Looks like changing the OUTPUT chain did actually work in redirecting
> >localhost traffic. On the Linux 2.4 kernel you will need to enable the
> >"NF_NAT_LOCAL" kernel option.
> Could you provide a complete example of how to do all this?
> I think it will solve some of my problems.

You'll need to enable the option CONFIG_IP_NF_NAT_LOCAL.  Using `make 
menuconfig`, the relevant options are found:

In 2.4:

Under "Networking options -> IP: Netfilter Configuration -> NAT of local 
connections"

In 2.6:

Under "Device Drivers  -> Networking Support -> Networking Options -> 
Network packet filtering (replaces ipchains) -> IP Netfilter 
Configuration"

In both you will also have to enable "Full NAT" and "iptables support".  
This will let you use NAT with connections that originate locally, ie 
from processes on your iptables machine.  The help for the option says 
there should be more on the netfilter site, http://www.netfilter.org.

David

Re: Redirect ports on localhost

[Ben Yerushalmi]

Here's what I did:

iptables -A OUTPUT -t nat -p udp -o lo -d localhost --dport 53 -j 
REDIRECT --to-ports 5300

Should work for you.
Ben

Re: Redirect ports on localhost

[forum]

> Here's what I did:
> 
> iptables -A OUTPUT -t nat -p udp -o lo -d localhost --dport 53 -j
> REDIRECT --to-ports 5300
> 
> Should work for you.

Thanks, works for me too!

-- 
forum@users.pc9.org