* Temporary redirection with DNAT and SNAT
@ 2005-04-26 17:13 Kirk
  2005-04-27  5:00 ` Taylor, Grant
  0 siblings, 1 reply; 4+ messages in thread
From: Kirk @ 2005-04-26 17:13 UTC (permalink / raw)
  To: netfilter

Hello,

I have to shut down a proxy server for a few days and I need to
redirect its traffic to a server behind an iptables firewall. Here's
what I want to do:


Original request to $PUBLIC_IP:80 is redirected to $PRIVATE_IP:2050
(machine behind firewall)

Packets from $PRIVATE_IP:2050 come out of the firewall as coming from
$PUBLIC_IP:80


I bound the proxy's public IP to the firewall's external interface
(eth0) and added the following rules:

I think I got the first part right.
#test for ezproxy
-A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.3 --dport 2050 -j ACCEPT

But I'm having problems with the second part. The SNAT rule:
-I POSTROUTING -s 192.168.0.3 --sport 2050  -o eth0 -j SNAT --to 130.17.174.108

#This one seems OK too.
-A PREROUTING -i eth0 -p tcp -d $PUBLIC_IP --dport 80 -j DNAT --to $PRIVATE_IP:2050


The SNAT rule generates the error:
Applying iptables firewall rules: iptables-restore v1.2.11: Unknown
arg `--sport'

One of the restrictions I have is that *only* the packets from
$PRIVATE_IP:2050 can go out as coming from $PUBLIC_IP:80.

Could someone provide help to solve this problem?

Thanks.
-K



* Re: Temporary redirection with DNAT and SNAT
  2005-04-26 17:13 Kirk
@ 2005-04-27  5:00 ` Taylor, Grant
  0 siblings, 0 replies; 4+ messages in thread
From: Taylor, Grant @ 2005-04-27  5:00 UTC (permalink / raw)
  To: Kirk; +Cc: netfilter

Kirk wrote:
> Hello,
> 
> I have to shut down a proxy server for a few days and I need to
> redirect its traffic to a server behind an iptables firewall. Here's
> what I want to do:
> 
> Original request to $PUBLIC_IP:80 is redirected to $PRIVATE_IP:2050
> (machine behind firewall)
> 
> Packets from $PRIVATE_IP:2050 come out of the firewall as coming from
> $PUBLIC_IP:80
> 
> I bound the proxy's public IP to the firewall's external interface
> (eth0) and added the following rules:
> 
> I think I got the first part right.
> #test for ezproxy
> -A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.3 --dport 2050 -j ACCEPT

Do you have any other rules in your FORWARD chain that will allow the rest of the traffic flow through to the Proxy, i.e. --state ESTABLISHED?  Correspondingly do you have any rules that will prevent the traffic that is flowing from the proxy in eth1 and back out eth0?  This could get you down the road.

> But I'm having problems with the second part. The SNAT rule:
> -I POSTROUTING -s 192.168.0.3 --sport 2050  -o eth0 -j SNAT --to 130.17.174.108

You will have to specify a protocol "-p tcp" to use any port definitions.

> #This one seems OK too.
> -A PREROUTING -i eth0 -p tcp -d $PUBLIC_IP --dport 80 -j DNAT --to $PRIVATE_IP:2050
> 
> The SNAT rule generates the error:
> Applying iptables firewall rules: iptables-restore v1.2.11: Unknown
> arg `--sport'

*nod* see above.

> One of the restrictions I have is that *only* the packets from
> $PRIVATE_IP:2050 can go out as coming from $PUBLIC_IP:80.

If you are really paranoid that this will happen, you could write a rule that would drop any traffic that was not from the internal proxy.

-A FORWARD -s ! 192.168.0.3 -p tcp --sport 80 -j DROP



Grant. . . .



* Re: Temporary redirection with DNAT and SNAT
@ 2005-04-28 23:25 Kirk
  2005-04-29  0:23 ` Taylor, Grant
  0 siblings, 1 reply; 4+ messages in thread
From: Kirk @ 2005-04-28 23:25 UTC (permalink / raw)
  To: netfilter

Thanks for your help. I solved the problem.
First, I'll answer your questions then I'll explain the fix.

Grant,
> Do you have any other rules in your FORWARD chain that will allow the
> rest of the traffic flow through to the Proxy, i.e. --state
> ESTABLISHED?  Correspondingly do you have any rules that will prevent
> the traffic that is flowing from the proxy in eth1 and back out eth0?
> This could get you down the road.

Yes, I have FORWARD rules and I allow ESTABLISHED connections.  The
other 5 servers behind the firewall work fine. I did check for typos
but I did not find any.

> You will have to specify a protocol "-p tcp" to use any port definitions.
No typos, but... right, I was missing the protocol. I added the protocol
to the rules and I was able to start the connection to the server but
the server had problems replying to the client so the connection was
dropped.

To Jim,

> I think the difference is that the SNAT rule does not
> specify the protocol the way the DNAT rule does ( -p tcp ).
> You can only specify a source port for a
> protocol that uses the concept of a "port".
You might be right. I fixed the syntax of my rules and I still did not
get the setup to work.


If you are interested, here's what I did. 

1. Added the proxy's public IP to the firewall's external interface.
ip addr add $PROXY_IP/23 dev eth0

2. Added a second private IP to the server that will be handling the
requests for the offline server (eth0:0).

Now I have an "extra" machine that will be replacing the offline proxy.

3. Configured proxy to listen on eth0:0 192.168.0.9:80
4. Iptables rules

-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.9 --dport 80 -j ACCEPT

-I POSTROUTING -s 192.168.0.9 -o eth0 -j SNAT --to $PROXY_IP
-A PREROUTING -i eth0 -p tcp -d $PROXY_IP --dport 80 -j DNAT --to 192.168.0.9:80

My setup seems to be working fine.
Thanks again for your help.
-K

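As an added example (not Kirk's or Grant's own rules), the following POSIX shell script writes the final setup from step 4 above as a complete iptables-restore file, together with the `--state ESTABLISHED` rule Grant asked about in his first reply, and includes a small lint that catches the mistake behind the "Unknown arg `--sport'" error: a port match without `-p tcp` (or `-p udp`). It assumes the addresses from the thread as constructed defaults, uses the `! -s`, `--to-destination` and `--to-source` spellings accepted by current iptables, and narrows Grant's drop rule with `-o eth0` so that it only affects traffic leaving the external interface (my reading of his intent, not his wording).

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the DNAT/SNAT
# ruleset described in the thread as an iptables-restore file and lints
# rules for port matches that lack a protocol.

# lint_rule RULE
# Returns 0 if RULE is acceptable, 1 if it uses --sport/--dport without
# "-p tcp" or "-p udp" (the cause of iptables' "Unknown arg `--sport'").
# Deliberately simple: it does not understand "-m tcp" or "-m multiport".
lint_rule() {
    rule=$1
    case $rule in
        *--sport*|*--dport*)
            case $rule in
                *"-p tcp"*|*"-p udp"*) return 0 ;;
                *) return 1 ;;
            esac ;;
    esac
    return 0
}

# lint_ruleset < FILE
# Reads an iptables-restore file on stdin, reports offending rule lines
# on stderr and returns 1 if any were found, 0 otherwise.
lint_ruleset() {
    bad=0
    while IFS= read -r line; do
        case $line in
            -A*|-I*)
                lint_rule "$line" || {
                    echo "port match without -p tcp/udp: $line" >&2
                    bad=1
                } ;;
        esac
    done
    return $bad
}

# build_ruleset PUBLIC_IP PRIVATE_IP PORT [WAN_IF] [LAN_IF]
# Prints the iptables-restore file on stdout. Defaults are the thread's
# constructed values: eth0 faces the Internet, eth1 the private LAN.
build_ruleset() {
    pub=$1; priv=$2; port=$3; wan=${4:-eth0}; lan=${5:-eth1}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# inbound: requests for $pub:$port go to the replacement proxy
-A PREROUTING -i $wan -p tcp -d $pub --dport $port -j DNAT --to-destination $priv:$port
# outbound: only the replacement proxy leaves the firewall as $pub
-A POSTROUTING -s $priv -o $wan -j SNAT --to-source $pub
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies for already-accepted flows in both directions
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# the redirected client connections themselves
-A FORWARD -i $wan -o $lan -p tcp -d $priv --dport $port -j ACCEPT
# nothing but the proxy may send traffic out of $wan from port $port
-A FORWARD -o $wan ! -s $priv -p tcp --sport $port -j DROP
COMMIT
EOF
}

# Usage (needs root, so left commented out):
#   ip addr add 130.17.174.108/23 dev eth0
#   build_ruleset 130.17.174.108 192.168.0.9 80 | lint_ruleset && \
#   build_ruleset 130.17.174.108 192.168.0.9 80 | iptables-restore
```

Piping the generated file through `lint_ruleset` before `iptables-restore` turns the cryptic parser error into a message naming the offending rule; the check would have flagged the original `-I POSTROUTING -s 192.168.0.3 --sport 2050 ...` line immediately.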


* Re: Temporary redirection with DNAT and SNAT
  2005-04-28 23:25 Temporary redirection with DNAT and SNAT Kirk
@ 2005-04-29  0:23 ` Taylor, Grant
  0 siblings, 0 replies; 4+ messages in thread
From: Taylor, Grant @ 2005-04-29  0:23 UTC (permalink / raw)
  To: Kirk; +Cc: netfilter

> My setup seems to be working fine.
> Thanks again for your help.

I'm glad that everything worked out in the end.  :)



Grant. . . .


