* Re: simple netfilter machine redirection
2008-03-16 23:23 simple netfilter machine redirection Marty Leisner
@ 2008-03-16 22:28 ` Justin Piszcz
2008-03-16 22:36 ` mouss
2008-03-16 22:45 ` bossk
1 sibling, 1 reply; 9+ messages in thread
From: Justin Piszcz @ 2008-03-16 22:28 UTC (permalink / raw)
To: Marty Leisner; +Cc: netfilter
On Sun, 16 Mar 2008, Marty Leisner wrote:
> I want to accomplish something simple with iptables..
> (I've used IPtables successfully without really understanding how to do
> something from scratch -- I just followed "recipes")
>
> I want machine A to redirect port 80 to machine B.
>
> What's a way to do it? (seems simple enough).
>
> I've tried a number of ways, and nothing seems to work...
>
> (the machine isn't a firewall)
>
> marty
152] How do I forward a port from the internet to the LAN?
iptables -A PREROUTING -i eth0 -t nat -p tcp --dport 22 -j DNAT --to 192.168.0.5:22
Forward port 22 -> internally to host 192.168.0.5:22 for instance.
.. and yes I did test this just now, it still works :)
Justin.
* Re: simple netfilter machine redirection
From: mouss @ 2008-03-16 22:36 UTC (permalink / raw)
Cc: netfilter
Justin Piszcz wrote:
>
>
> On Sun, 16 Mar 2008, Marty Leisner wrote:
>
>> I want to accomplish something simple with iptables..
>> (I've used IPtables successfully without really understanding how to do
>> something from scratch -- I just followed "recipes")
>>
>> I want machine A to redirect port 80 to machine B.
>>
>> What's a way to do it? (seems simple enough).
>>
>> I've tried a number of ways, and nothing seems to work...
>>
>> (the machine isn't a firewall)
>>
>> marty
>
> 152] How do I forward a port from the internet to the LAN? iptables -A
> PREROUTING -i eth0 -t nat -p tcp --dport 22 -j DNAT --to 192.168.0.5:22
>
> Forward port 22 -> internally to host 192.168.0.5:22 for instance.
>
> .. and yes I did test this just now, it still works :)
OP did not give enough details. The above works if the machine is a
"gateway" (if A is between the client and B).
If the client and B are on the same side of the gateway, B will respond
directly to the client, and since there is no TCP triplet, this won't
work (This is the "reflection" problem). If this is the case, OP must
also NAT the client (source) IP address to force responses to get back
via machine A.
* Re: simple netfilter machine redirection
From: bossk @ 2008-03-16 22:45 UTC (permalink / raw)
To: Marty Leisner; +Cc: netfilter
On Monday 17 March 2008 00:23:33 Marty Leisner wrote:
> I want to accomplish something simple with iptables..
> (I've used IPtables successfully without really understanding how to do
> something from scratch -- I just followed "recipes")
>
> I want machine A to redirect port 80 to machine B.
>
> What's a way to do it? (seems simple enough).
>
> I've tried a number of ways, and nothing seems to work...
>
> (the machine isn't a firewall)
iptables -t nat -A PREROUTING -p TCP --dport 80 -j DNAT --to <IP of machine B>:<Port of machine B>
HTH,
bossk
* Re: simple netfilter machine redirection
From: Jan Engelhardt @ 2008-03-16 23:11 UTC (permalink / raw)
To: Marty Leisner; +Cc: mouss, netfilter
On Mar 16 2008 19:10, Marty Leisner wrote:
>
>Right, I don't want any NAT -- I just want it to act as a tcp port relayer
>(connection A-B is reflected on connection B-C)
Then set up routes.
* simple netfilter machine redirection
From: Marty Leisner @ 2008-03-16 23:23 UTC (permalink / raw)
To: netfilter
I want to accomplish something simple with iptables..
(I've used IPtables successfully without really understanding how to do
something from scratch -- I just followed "recipes")
I want machine A to redirect port 80 to machine B.
What's a way to do it? (seems simple enough).
I've tried a number of ways, and nothing seems to work...
(the machine isn't a firewall)
marty
* Re: simple netfilter machine redirection
From: Marty Leisner @ 2008-03-17 0:10 UTC (permalink / raw)
To: mouss; +Cc: netfilter, leisner
mouss <mouss@netoyen.net> writes on Sun, 16 Mar 2008 23:36:50 +0100
> Justin Piszcz wrote:
> >
> >
> > On Sun, 16 Mar 2008, Marty Leisner wrote:
> >
> >> I want to accomplish something simple with iptables..
> >> (I've used IPtables successfully without really understanding how to do
> >> something from scratch -- I just followed "recipes")
> >>
> >> I want machine A to redirect port 80 to machine B.
> >>
> >> What's a way to do it? (seems simple enough).
> >>
> >> I've tried a number of ways, and nothing seems to work...
> >>
> >> (the machine isn't a firewall)
> >>
> >> marty
> >
> > 152] How do I forward a port from the internet to the LAN? iptables -A
> > PREROUTING -i eth0 -t nat -p tcp --dport 22 -j DNAT --to 192.168.0.5:22
> >
> > Forward port 22 -> internally to host 192.168.0.5:22 for instance.
> >
> > .. and yes I did test this just now, it still works :)
>
> OP did not give enough details. The above works if the machine is a
> "gateway" (if A is between the client and B).
>
> If the client and B are on the same side of the gateway, B will respond
> directly to the client, and since there is no TCP triplet, this won't
> work (This is the "reflection" problem). If this is the case, OP must
> also NAT the client (source) IP address to force responses to get back
> via machine A.
Right, I don't want any NAT -- I just want it to act as a tcp port relayer
(connection A-B is reflected on connection B-C)
where
A is the source
B is the relay machine
C is the destination
and all machines are on the same lan.
marty
* Re: simple netfilter machine redirection
From: mouss @ 2008-03-17 9:31 UTC (permalink / raw)
To: Marty Leisner; +Cc: netfilter
Marty Leisner wrote:
> [snip]
>
> Right, I don't want any NAT -- I just want it to act as a tcp port relayer
> (connection A-B is reflected on connection B-C)
>
> where
>
> A is the source
> B is the relay machine
> C is the destination
>
> and all machines are on the same lan.
>
>
As I said, you need to do both redirection (destination NAT) and source
NAT. In this case, C will only see the IP of B (instead of A), so your
logs (on C) will be somewhat incomplete/inaccurate. This is similar to
running a proxy on B.
But as you see, this is convoluted and should be avoided if possible.
If you are trying to do this because the hostname of the C webserver
points to A (happens when C is a webserver reachable from outside), then
consider setting up an internal DNS (or at least an internal DNS view)
so that A goes to C directly.
An alternative is to use routing (on A and C) as Jan said. The problem
is that in this case all flow between A and C will go through B. Also,
consider disabling ICMP redirects (which B would send to both A and C
telling them they can reach each other directly) as appropriate.
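The DNAT plus SNAT pair mouss describes for the same-LAN case, as an added example that is not code from the thread: it generates the rules rather than applying them, and the addresses, interface name and the `relay_rules` helper are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: generate the netfilter rules for the
# same-LAN relay (A = client, B = relay, C = destination).
# DNAT alone fails here because C would answer A directly and A, which never
# opened a connection to C, would reset it (the "reflection" problem); the
# SNAT makes C reply to B so conntrack on B can un-NAT the reply toward A.
# Side effect, as noted in the thread: C only ever sees B's address.
# The 192.168.1.x addresses and eth0 used below are constructed placeholders.

relay_rules() {
    b_ip="$1"   # address of B that A connects to
    c_ip="$2"   # real destination
    port="$3"   # TCP port being relayed
    iface="$4"  # B's LAN interface (A and C are both reachable through it)

    # B must forward packets; it is not a router by default.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'

    # 1. Destination NAT: A -> B:port becomes A -> C:port.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$iface" "$b_ip" "$port" "$c_ip" "$port"

    # 2. Source NAT, restricted to flows the rule above rewrote (ctstate DNAT),
    #    so only the relayed connections are rewritten, not all LAN traffic.
    printf 'iptables -t nat -A POSTROUTING -o %s -p tcp -d %s --dport %s -m conntrack --ctstate DNAT -j SNAT --to-source %s\n' \
        "$iface" "$c_ip" "$port" "$b_ip"

    # 3. Permit the forwarded flow and its replies if the FORWARD policy is DROP.
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$iface" "$iface" "$c_ip" "$port"
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# Dry run by default: print the rules. Add a 5th argument "apply" to run them as root.
#   ./relay.sh 192.168.1.10 192.168.1.20 80 eth0
if [ "$#" -ge 4 ]; then
    if [ "$5" = "apply" ]; then
        relay_rules "$1" "$2" "$3" "$4" | sh
    else
        relay_rules "$1" "$2" "$3" "$4"
    fi
fi
```

Review the printed rules before applying them; the SNAT means C's logs will record B's address for every relayed connection.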
* Re: simple netfilter machine redirection
From: Pascal Hambourg @ 2008-03-17 10:29 UTC (permalink / raw)
To: Marty Leisner; +Cc: netfilter
Hello,
Marty Leisner wrote:
>
> Right, I don't want any NAT -- I just want it to act as a tcp port relayer
> (connection A-B is reflected on connection B-C)
Then you don't want to use iptables but a TCP relay such as socat or
6tunnel. However this can be done with iptables's NAT, as Mouss wrote.
* Re: simple netfilter machine redirection
From: Grant Taylor @ 2008-03-17 14:25 UTC (permalink / raw)
To: Mail List - Netfilter
On 03/16/08 19:10, Marty Leisner wrote:
> Right, I don't want any NAT -- I just want it to act as a tcp port
> relayer (connection A-B is reflected on connection B-C)
>
> where
>
> A is the source
> B is the relay machine
> C is the destination
>
> and all machines are on the same lan.
First this is an idea, I have not tried this in practice yet.
This is also extremely nasty and crosses a lot of layers against (best)
practices.
You could (in theory) alter the destination MAC address of packets that
are coming in to machine B destined to machine B's IP on TCP port 80
over to machine C's MAC address and put them back on the wire.
Presuming that Machine C knows what to do with machine B's IP
address, it can respond with its MAC address back to machine A without
breaking things.
Now considering how you are in a LAN environment (single broadcast
domain) you will have to make sure that machine C will not respond to
ARPs for machine B's IP address and thus ensuring that machine B does
the responding.
In effect what you get is a traffic flow somewhat like this:
Machine A sends packet (from machine A MAC) to MAC-B:IP-B:TCP:port 80
Machine B receives packet and alters it.
Machine B sends packet (from machine A MAC) to MAC-C:IP-B:TCP:port 80
Machine C receives packet and processes it.
Machine C sends packet (from machine C MAC) to MAC-A:IP-B:TCP:<bla>
Machine A receives packet and processes it.
The problem that I see with this is that a switch in the middle is going
to get confused (be continually learning) where the Machine A's MAC is.
First it will see it coming in from where Machine A is connected and
then it will see it coming in from where Machine B is connected.
However it is entirely possible that you could have Machine B completely
re-construct a new layer 2 packet and send to Machine C's MAC with its
own MAC as the source. But again you are really messing with the layer
2 network here.
You may also want to look at how Linux Virtual Server does some of what
it does. You may be able to use some of what it does to accomplish what
you are wanting.
Without completely breaking and re-writing the 802.2 rule set and all
of its support you really should be looking at NAT and / or some sort of
proxy / gateway program.
Grant. . . .