* Yet another local nat/port redirecting question
From: Henrik Martin @ 2007-04-25 0:01 UTC
To: netfilter
Hi everyone. I've been trying to get the nat/redirect feature to work
on my Linux box for a while, and I just can't seem to get it to
function properly. What I'm trying to do is a simple port redirect
from port 80 to port 8080 on my box. Here's how it's set up:
SuSE Linux 10.2 (32 bit). Kernel version is 2.6.18.2-34. One ethernet
interface with a 192.168.X.X address (I'm forced to by my ISP). My ISP
lets through ports 80 and 443 plus SSH to my machine.
Iptables version is 1.3.6.
All I want to do is run my web server as an ordinary user and have
it bind to port 8080 and then have my firewall redirect traffic from
port 80 to 8080. I have a firewall running on the local machine and I
only let through ports 80, 443, and SSH. I'm using the SuSEFirewall
utilities to create this. At first, I tried setting the REDIRECT
variable in SuSE's own firewall to do the port forwarding, but
couldn't get it to work. So I've basically pared it down to where I've
disabled the SuSE firewall, and I'm just doing the following on the
command line:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
From reading other posts on this list, it *should* work. Here's a
recap of what's happening:
# iptables --list -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables --list -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
# iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
# iptables --list -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
If I log into an external machine and try to telnet to my web server's
port, I can see the PREROUTING chain's packet counter increase, but
not the OUTPUT. I'm not able to connect.
# iptables --list -n -t nat -v
Chain PREROUTING (policy ACCEPT 140K packets, 42M bytes)
pkts bytes target prot opt in out source destination
3 180 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
Chain POSTROUTING (policy ACCEPT 140K packets, 42M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 763 packets, 56801 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
What am I doing wrong? Is this a bug, or is it the way I'm configuring
the firewall? I've tried everything, including specifying that the
redirect should go to localhost port 8080 over the lo interface, but
nothing seems to make a difference.
As a workaround, I've configured xinetd to redirect traffic on port 80
to 8080, but the downside of this is that the web server log files
will only show traffic from localhost, so I can't do any useful
traffic analysis. I'd highly appreciate an example of how to set this
up properly using netfilter/iptables if someone has a solution to
this. Thanks much,
/Henrik
* Re: Yet another local nat/port redirecting question
From: Martijn Lievaart @ 2007-04-25 5:50 UTC
To: Henrik Martin; +Cc: netfilter
Henrik Martin wrote:
> All I want to do is run my web server as an ordinary user and have
> it bind to port 8080 and then have my firewall redirect traffic from
> port 80 to 8080. I have a firewall running on the local machine and I
> only let through ports 80, 443, and SSH. I'm using the SuSEFirewall
> utilities to create this. At first, I tried setting the REDIRECT
> variable in SuSE's own firewall to do the port forwarding, but
> couldn't get it to work. So I've basically pared it down to where I've
> disabled the SuSE firewall, and I'm just doing the following on the
> command line:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
>
The OUTPUT rule will never be hit; the packet is already redirected by
the PREROUTING rule. You don't need that second rule.
> If I log into an external machine and try to telnet to my web server's
> port, I can see the PREROUTING chain's packet counter increase, but
> not the OUTPUT. I'm not able to connect.
>
So this is expected.
> # iptables --list -n -t nat -v
> Chain PREROUTING (policy ACCEPT 140K packets, 42M bytes)
> pkts bytes target prot opt in out source destination
> 3 180 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
>
> Chain POSTROUTING (policy ACCEPT 140K packets, 42M bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 763 packets, 56801 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
>
>
> What am I doing wrong? Is this a bug, or is it the way I'm configuring
> the firewall?
>
This should work. It works for me, I use redirects quite frequently. The
only thing I can think of is that the webserver listens on a specific IP
and you try to connect to another.
HTH,
M4
* Re: Yet another local nat/port redirecting question
From: Henrik Martin @ 2007-04-25 7:07 UTC
To: Martijn Lievaart; +Cc: netfilter
On Tuesday 24 April 2007 22:50, Martijn Lievaart wrote:
> The OUTPUT rule will never be hit; the packet is already redirected by
> the PREROUTING rule. You don't need that second rule.
OK, I figured that was the case, but I had seen it in another example,
so I thought I'd try it.
> This should work. It works for me, I use redirects quite frequently. The
> only thing I can think of is that the webserver listens on a specific IP
> and you try to connect to another.
>
> HTH,
> M4
What OS do you run? I'm running OpenSuSE 10.2. I've read a few
postings on the list that claim that some SuSE kernels have problems
with local port forwarding. BTW, I even tried to have it forward to
another host, but it didn't make a difference. I've also tried to
set /proc/sys/net/ipv4/ip_forward to 1, but it has no effect. I've
tried redirecting to ports that are bound via 0.0.0.0, 127.0.0.1, etc,
and it doesn't matter. I simply cannot get it to work and it really
frustrates me. Rgds,
/Henrik
* Re: Yet another local nat/port redirecting question
From: Gáspár Lajos @ 2007-04-26 10:10 UTC
To: Henrik Martin; +Cc: netfilter
As Martijn wrote: the problem could be that you run the web server
bound to a specific IP.
What is the output of this?:
netstat -a -n | grep 8080
Swifty
* Re: Yet another local nat/port redirecting question
From: Henrik Martin @ 2007-04-26 18:49 UTC
To: netfilter
On Thursday 26 April 2007 03:10, Gáspár Lajos wrote:
> As Martijn wrote: the problem could be that you run the web server
> bound to a specific IP.
>
> What is the output of this?:
>
> netstat -a -n | grep 8080
>
>
> Swifty
As I mentioned in the follow-up posting, I've tried forwarding to
ports that are bound to 0.0.0.0, 127.0.0.1, the 192.168.x.x address,
etc. There's absolutely no difference in behavior; it all fails with
the same symptoms. Here's netstat's output:
cobra:/home/basil # netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 127.0.0.1:24451 ESTABLISHED
tcp 0 0 :::225 :::* LISTEN
tcp 0 0 127.0.0.1:8005 :::* LISTEN
tcp 0 0 :::8009 :::* LISTEN
tcp 0 0 :::8080 :::* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
tcp 0 0 ::1:6010 :::* LISTEN
tcp 0 0 :::8443 :::* LISTEN
I've tried forwarding port 80 to basically every one of these ports
and then attempted a telnet connection to that port. If I do it from
the "outside", the connection just hangs like the port is being
filtered. If I do a "telnet localhost 8080" I get:
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
Trying ::1...
telnet: connect to address ::1: Connection refused
According to the iptables man page, locally generated packets are
mapped to the 127.0.0.1 address, so this should work I'd think.
There's got to be other people running OpenSuSE 10.X out there that
are trying to do the same thing. Does anyone have a success story for
port forwarding on that platform? I've scoured the SuSE blogs and
support sites, but haven't really found anything. And Novell makes you
go through hoops just to sign up so you can post things to their
forums :-(
Thanks,
/Henrik
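The two checks the replies ask for, Martijn's "is the listener bound to a specific IP?" and Gáspár's netstat grep, plus a reading of the per-chain REDIRECT counters Henrik posted, as a small diagnostic helper. This is an added example, not code from the thread; the sample netstat and iptables listings are constructed from the output quoted above, and the helper assumes net.ipv6.bindv6only=0 (the Linux default) so that a ':::' listener also accepts IPv4.

```python
import re

# Constructed sample: a subset of the LISTEN lines from Henrik's netstat -ant.
NETSTAT = """\
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 :::8080 :::* LISTEN
tcp 0 0 :::8443 :::* LISTEN
"""

# Constructed sample: the verbose nat listing Henrik posted after a test connect.
NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 140K packets, 42M bytes)
pkts bytes target prot opt in out source destination
3 180 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
Chain POSTROUTING (policy ACCEPT 140K packets, 42M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 763 packets, 56801 bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
"""

def listeners(netstat_text, port):
    """Local addresses bound on `port` in LISTEN state (what the grep shows)."""
    addrs = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, p = f[3].rpartition(":")   # ':::8080' -> ('::', '8080')
            if int(p) == port:
                addrs.append(addr)
    return addrs

def accepts(bound, dst_ip):
    """Would a socket bound to `bound` accept a packet whose destination,
    after REDIRECT, is `dst_ip`?  REDIRECT rewrites the destination to the
    primary address of the incoming interface (127.0.0.1 for local packets),
    so a listener bound to one specific IP only matches that address.
    '::' is the IPv6 wildcard; with bindv6only=0 (assumed) it takes IPv4 too."""
    if bound in ("0.0.0.0", "::"):
        return True
    return bound == dst_ip

def redirect_hits(listing):
    """Map chain name -> packet count on that chain's REDIRECT rule, so one
    can see that external connects hit PREROUTING and never OUTPUT."""
    hits, chain = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
        elif "REDIRECT" in line:
            hits[chain] = int(line.split()[0])
    return hits
```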