redirect to 127.0.0.1 [corrected]

redirect to 127.0.0.1 [corrected]

[bagwan ali]

Hi All,

I have a problem redirecting traffic from $SERVER:11000 to 127.0.0.1:10001. 
The situation is that I need more than one serverprocess listening to ONE 
specific port in this case port 11000. Ofcourse this is  not possible, but 
there is only ONE client connection at a time to ONE serverprocess. So 
instead that the process is listening on $SERVER:11000, it is listening on 
127.0.0.1:10001 and the second serverprocess is listening on 127.0.0.1:10002 
and so on. So I can depending on the source IP address redirect traffic from 
$SERVER:11000 to 127.0.0.1:$FREEPORT. Let me give an example in pseudo 
firewall rules:

$CLIENT_ONE    to $SERVER:11000 REDIRECT 127.0.0.1:10001
$CLIENT_TWO   to $SERVER:11000 REDIRECT 127.0.0.1:10002
$CLIENT_THREE to $SERVER:11000 REDIRECT 127.0.0.1:10003

I tried the following to achive this in iptables and failed:

iptables -t nat -A PREROUTING -p tcp -s $CLIENT_ONE -d $SERVER --dport 11000 
-j REDIRECT --to-ports 11001
iptables -t nat -A PREROUTING -p tcp -s $CLIENT_TWO -d $SERVER --dport 11000 
-j REDIRECT --to-ports 11002
iptables -t nat -A PREROUTING -p tcp -s $CLIENT_THREE -d $SERVER --dport 
11000 -j REDIRECT --to-ports 11003

where
$SERVER           = 192.168.2.1
$CLIENT_ONE    = 192.168.2.50
$CLIENT_TWO   = 192.168.2.51
$CLIENT_THREE = 192.168.2.52

The problem is that the client and server cannot establish a connection. Who 
can help me solve this porblem!!

Thanks in advance

-Luc

My OS is Fedora Core 3 (kernel 2.6.11) with iptables v1.2.11.
Here are my iptable rules:

iptables -L -vn && iptables -t nat -L -vn
[BEGIN RULES]
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               
destination
813K 2200M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
171K 8306K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0 
           state RELATED,ESTABLISHED
8338  400K ACCEPT     all  --  *      *       192.168.2.0/24       0.0.0.0/0
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            
0.0.0.0/0           reject-with icmp-port-unreachable
  885 47572 LOG        all  --  *      *       0.0.0.0/0            
0.0.0.0/0           LOG flags 0 level 4
  885 47572 REJECT     all  --  *      *       0.0.0.0/0            
0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               
destination

Chain OUTPUT (policy ACCEPT 276K packets, 340M bytes)
pkts bytes target     prot opt in     out     source               
destination
813K 2200M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain PREROUTING (policy ACCEPT 7873 packets, 474K bytes)
pkts bytes target     prot opt in     out     source               
destination
    0     0 REDIRECT   tcp  --  *      *       192.168.2.50         
192.168.2.1         tcp dpt:11000 redir ports 11001
    0     0 REDIRECT   tcp  --  *      *       192.168.2.51         
192.168.2.1         tcp dpt:11000 redir ports 11002
    0     0 REDIRECT   tcp  --  *      *       192.168.2.52         
192.168.2.1         tcp dpt:11000 redir ports 11003

Chain POSTROUTING (policy ACCEPT 5086 packets, 322K bytes)
pkts bytes target     prot opt in     out     source               
destination

Chain OUTPUT (policy ACCEPT 5086 packets, 322K bytes)
pkts bytes target     prot opt in     out     source               
destination
[END RUULES]

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar - get it now! 
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/

Re: redirect to 127.0.0.1 [corrected]

[Taylor, Grant]

> I have a problem redirecting traffic from $SERVER:11000 to 
> 127.0.0.1:10001. The situation is that I need more than one 
> serverprocess listening to ONE specific port in this case port 11000. 
> Ofcourse this is  not possible, but there is only ONE client connection 
> at a time to ONE serverprocess. So instead that the process is listening 
> on $SERVER:11000, it is listening on 127.0.0.1:10001 and the second 
> serverprocess is listening on 127.0.0.1:10002 and so on. So I can 
> depending on the source IP address redirect traffic from $SERVER:11000 
> to 127.0.0.1:$FREEPORT. Let me give an example in pseudo firewall rules:

This is an interesting problem and might be a bit tricky to solve.

> I tried the following to achive this in iptables and failed:
> 
> iptables -t nat -A PREROUTING -p tcp -s $CLIENT_ONE -d $SERVER --dport 
> 11000 -j REDIRECT --to-ports 11001
> iptables -t nat -A PREROUTING -p tcp -s $CLIENT_TWO -d $SERVER --dport 
> 11000 -j REDIRECT --to-ports 11002
> iptables -t nat -A PREROUTING -p tcp -s $CLIENT_THREE -d $SERVER --dport 
> 11000 -j REDIRECT --to-ports 11003

...

> The problem is that the client and server cannot establish a connection. 
> Who can help me solve this porblem!!

Hmm, according to your earlier paragraph your processes were listening on port 10001, 10002, and 10003, not 11001 - 11003.  This could explain the failure that you had.

> Thanks in advance

No problem.

If you are interested in trying what I'm going to mention below you will need to patch your kernel and IPTables via the netfilter patch-o-matic and recompile both of them.

You are presently using a static one to one mapping of client IP to listening server process.  If you are wanting to pseudo round - robin redirect incoming connections to a listening process you could try something like the following:

iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state --state NEW -m nth --every 4 --packet 0 -j REDIRECT --to-ports 10001
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state --state NEW -m nth --every 4 --packet 1 -j REDIRECT --to-ports 10002
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state --state NEW -m nth --every 4 --packet 2 -j REDIRECT --to-ports 10003
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state --state NEW -m nth --every 4 --packet 3 -j REDIRECT --to-ports 10004

I would be tempted to clean things up a bit and have my different listening processes listening on 127.0.0.1:11000, :11001, :11002, :11003 so that your rules would look something like this:

iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state --state NEW -m nth --every 4 --packet 0 -j REDIRECT --to-ports 11000
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state --state NEW -m nth --every 4 --packet 1 -j REDIRECT --to-ports 11001
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state --state NEW -m nth --every 4 --packet 2 -j REDIRECT --to-ports 11002
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state --state NEW -m nth --every 4 --packet 3 -j REDIRECT --to-ports 11003

Seeing as how I don't have any way to test the functionality of this all I can do to test it is to see if I can create such a table / chain structure on my firewall at the house.  I was able to successfully do this so I think you might be able to get it to work.  The idea behind this is to round robin redirect each NEW connection to a listening process (presuming that the process that it gets redirected to is not busy).  I can not test this but I think that the NAT code will only need to be processed on NEW connections.  (Does any one have any comments on this?)

This would allow the last digit of the listening port to be the same as the packet number in the nth match extension that would be matched.  IMHO this makes things a bit easier to read and less confusing down the road in such that there will be less ambiguity if you ever need to work on things.

I personally only wrote out the rules for 4 listening processes.  If you would like to have more than 4 listening processes all you would need to do is change the "--every 4" entry to read the number of listening processes that you do have and update the "--packet" entries accordingly for the new listening ports.

I know that I took your question and ran with it.  I originally read that this is the type of solution that you were wanting and only later after thinking about and rereading your question noticed the this was not the case but rather how to make the static one to one mapping work and subsequently saw the port mismatch.

> My OS is Fedora Core 3 (kernel 2.6.11) with iptables v1.2.11.
> Here are my iptable rules:

You will probably need to download recent kernel, iptables, and patch-o-matic sources and compile them to take advantage of the nth match to try what I have suggested as I'm doubting that FC3 has nth support in the kernel.



Grant. . . .

Re: redirect to 127.0.0.1 [corrected]

[Taylor, Grant]

In light of Jason's response about dealing with the kernel's martian code I think a rule like this needs to be added to the solution:

iptables -t mangle -A PREROUTING -d $SERVER -p tcp --dport 11000 -j ROUTE --iif lo --continue
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state --state NEW -m nth --every 4 --packet 0 -j DNAT --to-destination 127.0.0.1:11000
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state --state NEW -m nth --every 4 --packet 1 -j DNAT --to-destination 127.0.0.1:11001
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state --state NEW -m nth --every 4 --packet 2 -j DNAT --to-destination 127.0.0.1:11002
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state --state NEW -m nth --every 4 --packet 3 -j DNAT --to-destination 127.0.0.1:11003



Grant. . . .

Re: redirect to 127.0.0.1 [corrected]

[Jason Opperisano]

On Tue, May 17, 2005 at 03:06:46PM -0500, Taylor, Grant wrote:
> In light of Jason's response about dealing with the kernel's martian code I 
> think a rule like this needs to be added to the solution:
> 
> iptables -t mangle -A PREROUTING -d $SERVER -p tcp --dport 11000 -j ROUTE 
> --iif lo --continue
> iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state 
> --state NEW -m nth --every 4 --packet 0 -j DNAT --to-destination 
> 127.0.0.1:11000
> iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state 
> --state NEW -m nth --every 4 --packet 1 -j DNAT --to-destination 
> 127.0.0.1:11001
> iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state 
> --state NEW -m nth --every 4 --packet 2 -j DNAT --to-destination 
> 127.0.0.1:11002
> iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m state 
> --state NEW -m nth --every 4 --packet 3 -j DNAT --to-destination 
> 127.0.0.1:11003

just 'cause i'm feelin' picky today...  "--state NEW" in -t nat is
redundant, as only "--state NEW" packets ever traverse -t nat.

-j

--
"Stewie: Ha ha. Oh, this is so good it just HAS to be fattening."
        --Family Guy

Re: redirect to 127.0.0.1 [corrected]

[Taylor, Grant]

> just 'cause i'm feelin' picky today...  "--state NEW" in -t nat is
> redundant, as only "--state NEW" packets ever traverse -t nat.

Well pick away.  ;)  (Friendly) Banter back and forth like this is how I have learned a LOT of things over the years.  :)



Grant. . . .

Re: redirect to 127.0.0.1 [corrected]

[Taylor, Grant]

> just 'cause i'm feelin' picky today...  "--state NEW" in -t nat is
> redundant, as only "--state NEW" packets ever traverse -t nat.

Ok, let's try for version 0.3.  :P~

iptables -t mangle -A PREROUTING -d $SERVER -p tcp --dport 11000 -j ROUTE --iif lo --continue
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m nth --every 4 --packet 0 -j DNAT --to-destination 127.0.0.1:11000
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m nth --every 4 --packet 1 -j DNAT --to-destination 127.0.0.1:11001
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m nth --every 4 --packet 2 -j DNAT --to-destination 127.0.0.1:11002
iptables -t nat -A PREROUTING -d $SERVER -p tcp --dport 11000 -m nth --every 4 --packet 3 -j DNAT --to-destination 127.0.0.1:11003



Grant. . . .

Re: redirect to 127.0.0.1 [corrected]

[Jason Opperisano]

On Tue, May 17, 2005 at 05:04:30PM +0000, bagwan ali wrote:
> Hi All,
> 
> I have a problem redirecting traffic from $SERVER:11000 to 127.0.0.1:10001. 
> The situation is that I need more than one serverprocess listening to ONE 
> specific port in this case port 11000. Ofcourse this is  not possible, but 
> there is only ONE client connection at a time to ONE serverprocess. So 
> instead that the process is listening on $SERVER:11000, it is listening on 
> 127.0.0.1:10001 and the second serverprocess is listening on 
> 127.0.0.1:10002 and so on. So I can depending on the source IP address 
> redirect traffic from $SERVER:11000 to 127.0.0.1:$FREEPORT. Let me give an 
> example in pseudo firewall rules:

is it a new quarter already?

1) REDIRECT does not rewrite the dst IP to be 127.0.0.1, it rewrites the 
   dst IP to be IP of the inbound interface.  this is *not*
   configurable.
   
2) DNAT allows you to configure the IP address that the dst IP will be 
   re-written to; however, a DNAT --to 127.0.0.1 will *not* work, as the 
   packet will be dropped by the linux kernel's martian routing code 
   (packets destined for 127/8 must not be received "on the wire.")
   
3) since it's been a quarter or so since someone's asked this, i just 
   had an idea--this comes with no guarantee or warranty express nor
   implied:

   # change the input interface on packets to be DNAT-ed to 127.0.0.1
   # to be the loopback interface
   iptables -t mangle -A PREROUTING -p tcp -s $CLIENT_ONE \ 
     -d $SERVER --dport 11000 -j ROUTE --iif lo --continue
     
   # DNAT packets to 127.0.0.1
   iptables -t nat -A PREROUTING -p tcp -s $CLIENT_ONE \ 
     -d $SERVER --dport 11000 -j DNAT --to 127.0.0.1:11001

i don't even know if the above rules will apply, much less work.

-j

--
"Lois: Peter, you're drunk again.
 Peter: No, I'm just exhausted because I've been up all night drinking."
        --Family Guy