* Forwarding packets over the same LAN
@ 2009-07-13 14:00 Simion Onea
From: Simion Onea @ 2009-07-13 14:00 UTC (permalink / raw)
To: netfilter
Hi!
I'm trying to forward connections from one host to another over the same
LAN using "iptables".
Here's a description of my configuration:
The first host has the IP address 172.20.1.245
The second has the IP address 172.20.1.254 and has a mail server
listening on port 25/tcp.
I would like to write a set of "iptables" rules for the first host so
that any other host connecting to port 10025 on 172.20.1.245 would be
redirected to port 25 on 172.20.1.254.
For example:
- host 172.20.1.10 connects to 172.20.1.245:10025
- 172.20.1.245 transparently forwards the connection to 172.20.1.254
- 172.20.1.10 then actually "talks" to 172.20.1.254:25 without even
knowing it.
Regards,
Simion.
* Re: Forwarding packets over the same LAN
From: Thomas Jacob @ 2009-07-13 14:14 UTC (permalink / raw)
To: Simion Onea; +Cc: netfilter
On Mon, 2009-07-13 at 17:00 +0300, Simion Onea wrote:
> Hi!
>
> I'm trying to forward connections from one host to another over the same
> LAN using "iptables".
>
> Here's a description of my configuration:
> The first host has the IP address 172.20.1.245
> The second has the IP address 172.20.1.254 and has a mail server
> listening on port 25/tcp.
>
> I would like to write a set of "iptables" rules for the first host so
> that any other host connecting to port 10025 on 172.20.1.245 would be
> redirected to port 25 on 172.20.1.254.
>
> For example:
> - host 172.20.1.10 connects to 172.20.1.245:10025
> - 172.20.1.245 transparently forwards the connection to 172.20.1.254
> - 172.20.1.10 then actually "talks" to 172.20.1.254:25 without even
> knowing it.
You need DNAT+SNAT for this:
# Redirect to IP:Port
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 \
-j DNAT --to-destination 172.20.1.254:25
# Ensure that the replies come back to us
iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 \
-d 172.20.1.254 -j SNAT --to-source 172.20.1.245
Possibly you want to limit this even further by adding
"-s <Network-From-Which-To-Allow-Access>" to both rules.
* Re: Forwarding packets over the same LAN
From: Simion Onea @ 2009-07-14 7:58 UTC (permalink / raw)
To: Thomas Jacob; +Cc: netfilter
On Mon, 2009-07-13 at 16:14 +0200, Thomas Jacob wrote:
> You need DNAT+SNAT for this:
>
> # Redirect to IP:Port
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 \
> -j DNAT --to-destination 172.20.1.254:25
>
> # Ensure that the replies come back to us
> iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 \
> -d 172.20.1.254 -j SNAT --to-source 172.20.1.245
Hi Thomas!
I tried these rules but it seems that packets do not pass the first
rule. To test this I put two LOG targets before and after the PREROUTING
rule like this:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j LOG \
--log-tcp-options --log-prefix PREROUTING_before:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j DNAT \
--to-destination 172.20.1.254:25
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j LOG \
--log-tcp-options --log-prefix PREROUTING_after:
iptables -t nat -A POSTROUTING -o eth0 -p tcp -d 172.20.1.254 --dport 25 \
-j SNAT --to-source 172.20.1.245
As a result I received in the log three messages with
"PREROUTING_before" -- these were SYN packets. And no message with
"PREROUTING_after" :-(
What could be wrong ?
Regards,
Simion.
* Re: Forwarding packets over the same LAN
From: Mart Frauenlob @ 2009-07-14 9:25 UTC (permalink / raw)
To: netfilter; +Cc: simionea
Simion Onea wrote:
> On Mon, 2009-07-13 at 16:14 +0200, Thomas Jacob wrote:
>
>> You need DNAT+SNAT for this:
>>
>> # Redirect to IP:Port
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 \
>> -j DNAT --to-destination 172.20.1.254:25
>>
>> # Ensure that the replies come back to us
>> iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 \
>> -d 172.20.1.254 -j SNAT --to-source 172.20.1.245
>>
>
> Hi Thomas!
>
> I tried these rules but it seems that packets do not pass the first
> rule. To test this I put two LOG targets before and after the PREROUTING
> rule like this:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j LOG
> --log-tcp-options --log-prefix PREROUTING_before:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j DNAT
> --to-destination 172.20.1.254:25
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j LOG
> --log-tcp-options --log-prefix PREROUTING_after:
> iptables -t nat -A POSTROUTING -o eth0 -p tcp -d 172.20.1.254 --dport 25
> -j SNAT --to-source 172.20.1.245
>
> As a result I received in the log three messages with
> "PREROUTING_before" -- these were SYN packets. And no message with
> "PREROUTING_after" :-(
>
> What could be wrong ?
>
> Regards,
> Simion.
>
Remember for the POSTROUTING rule, the previously redirected packets
come from the host:port, NOT go to the host again.
You need `-s xxx.xxx.xxx.xxx --sport xx' -j SNAT ....
Greets
Mart
* Re: Forwarding packets over the same LAN
From: Simion Onea @ 2009-07-14 12:20 UTC (permalink / raw)
To: netfilter
On Tue, 2009-07-14 at 11:25 +0200, Mart Frauenlob wrote:
> Remember for the POSTROUTING rule, the previously redirected packets
> come from the host:port, NOT go to the host again.
> You need `-s xxx.xxx.xxx.xxx --sport xx' -j SNAT ....
Hi Mart!
But this rule is for the packets leaving host 172.20.1.245, not for the
packets coming back from 172.20.1.254.
The first rule changes the packets' destination address and port (DNAT) so
that they go to the other host. And the second rule changes the packets'
source address (SNAT) so that the other host returns the packets back to
this host (172.20.1.245), not to the originating host from the LAN
(172.20.1.xxx).
When the packets return from 172.20.1.254 to 172.20.1.245, the
kernel is supposed to recognize that these packets were previously
DNAT-ed and SNAT-ed, to reverse their source and destination
addresses, and to send them back to the originating host from the LAN
(172.20.1.xxx).
This is the way I understand the process.
Regards,
Simion.
* Re: Forwarding packets over the same LAN
From: Thomas Jacob @ 2009-07-14 12:27 UTC (permalink / raw)
To: Simion Onea; +Cc: netfilter
On Tue, 2009-07-14 at 10:58 +0300, Simion Onea wrote:
> On Mon, 2009-07-13 at 16:14 +0200, Thomas Jacob wrote:
> > You need DNAT+SNAT for this:
> >
> > # Redirect to IP:Port
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 \
> > -j DNAT --to-destination 172.20.1.254:25
> >
> > # Ensure that the replies come back to us
> > iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 \
> > -d 172.20.1.254 -j SNAT --to-source 172.20.1.245
>
> Hi Thomas!
>
> I tried these rules but it seems that packets do not pass the first
> rule. To test this I put two LOG targets before and after the PREROUTING
> rule like this:
Is eth0 your actual interface then? This was just an example to give you
the general idea, of course you need to adjust that to your case.
Maybe you could post the LOG output from the rules below here, so we can
see what's wrong.
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j LOG
> --log-tcp-options --log-prefix PREROUTING_before:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j DNAT
> --to-destination 172.20.1.254:25
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j LOG
> --log-tcp-options --log-prefix PREROUTING_after:
> iptables -t nat -A POSTROUTING -o eth0 -p tcp -d 172.20.1.254 --dport 25
> -j SNAT --to-source 172.20.1.245
>
> As a result I received in the log three messages with
> "PREROUTING_before" -- these were SYN packets. And no message with
> "PREROUTING_after" :-(
>
> What could be wrong ?
>
> Regards,
> Simion.
>
>
* Re: Forwarding packets over the same LAN
From: Thomas Jacob @ 2009-07-14 12:30 UTC (permalink / raw)
To: netfilter
On Tue, 2009-07-14 at 11:25 +0200, Mart Frauenlob wrote:
> >
> Remember for the POSTROUTING rule, the previously redirected packets
> come from the host:port, NOT go to the host again.
> You need `-s xxx.xxx.xxx.xxx --sport xx' -j SNAT ....
DNAT rewrites the destination IP and Port, so in the POSTROUTING
table the TCP SYN packets should look like:
<Orig-Src-IP, Orig-Src-Port, DNAT-Dst-IP, DNAT-Dst-Port>
right?
* Re: Forwarding packets over the same LAN
From: Mart Frauenlob @ 2009-07-14 12:40 UTC (permalink / raw)
To: netfilter
Simion Onea wrote:
> On Tue, 2009-07-14 at 11:25 +0200, Mart Frauenlob wrote:
>
>> Remember for the POSTROUTING rule, the previously redirected packets
>> come from the host:port, NOT go to the host again.
>> You need `-s xxx.xxx.xxx.xxx --sport xx' -j SNAT ....
>>
>
> Hi Mart!
>
> But this rule is for the packets leaving host 172.20.1.245 not for the
> packets coming back from 172.20.1.254.
> The first rule changes packets' destination address and port (DNAT) so
> that they go to the other host. And the second rule changes packets'
> source address (SNAT) so that the other host returns the packets back to
> this host (172.20.1.245) not to the originating host from the LAN
> (172.20.1.xxx).
> When the packets return from 172.20.1.254 to 172.20.1.245, the
> kernel is supposed to recognize that these packets were previously
> DNAT-ed and SNAT-ed and to reverse back their source and destination
> addresses and send them back to the originating host from the LAN
> (172.20.1.xxx).
> This is the way I understand the process.
>
> Regards,
> Simion.
>
oops, sorry my bad :/
* Re: Forwarding packets over the same LAN
From: Simion Onea @ 2009-07-14 13:06 UTC (permalink / raw)
To: Thomas Jacob; +Cc: netfilter
On Tue, 2009-07-14 at 14:27 +0200, Thomas Jacob wrote:
> Is eth0 your actual interface then? This was just an example to give you
> the general idea, of course you need to adjust that to your case.
Yes, certainly. The interface is eth0.
> Maybe you could post the LOG output from the rules below here, so we can
> see what's wrong
I tried to connect from a host with the address 172.20.2.40.
Here are the log lines of 172.20.1.245:
Jul 14 10:48:46 pro kernel: PREROUTING_before:IN=eth0 OUT= MAC=00:13:72:fc:1d:e5:00:13:21:e7:e8:00:08:00 SRC=172.20.2.40 DST=172.20.1.245 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4621 DF PROTO=TCP SPT=1749 DPT=10025 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 14 10:48:49 pro kernel: PREROUTING_before:IN=eth0 OUT= MAC=00:13:72:fc:1d:e5:00:13:21:e7:e8:00:08:00 SRC=172.20.2.40 DST=172.20.1.245 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4624 DF PROTO=TCP SPT=1749 DPT=10025 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 14 10:48:55 pro kernel: PREROUTING_before:IN=eth0 OUT= MAC=00:13:72:fc:1d:e5:00:13:21:e7:e8:00:08:00 SRC=172.20.2.40 DST=172.20.1.245 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4691 DF PROTO=TCP SPT=1749 DPT=10025 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Regards,
Simion.
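An added example (not code from the thread) that turns kernel LOG lines like the ones above into structured records and reports, per client source port, how many bare SYNs hit the "before" rule, their IP IDs and spacing, and whether anything ever reached the "after" rule. The sample is the three lines above re-joined one per line; the report is keyed on SRC/SPT because DNAT rewrites only the destination side, so that key survives from the "before" LOG to an "after" LOG.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three wrapped lines Simion posted, re-joined one per line.
SAMPLE_LOG = """\
Jul 14 10:48:46 pro kernel: PREROUTING_before:IN=eth0 OUT= MAC=00:13:72:fc:1d:e5:00:13:21:e7:e8:00:08:00 SRC=172.20.2.40 DST=172.20.1.245 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4621 DF PROTO=TCP SPT=1749 DPT=10025 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 14 10:48:49 pro kernel: PREROUTING_before:IN=eth0 OUT= MAC=00:13:72:fc:1d:e5:00:13:21:e7:e8:00:08:00 SRC=172.20.2.40 DST=172.20.1.245 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4624 DF PROTO=TCP SPT=1749 DPT=10025 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 14 10:48:55 pro kernel: PREROUTING_before:IN=eth0 OUT= MAC=00:13:72:fc:1d:e5:00:13:21:e7:e8:00:08:00 SRC=172.20.2.40 DST=172.20.1.245 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4691 DF PROTO=TCP SPT=1749 DPT=10025 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
"""

# syslog stamp, host, "kernel:", then the --log-prefix glued straight onto IN=
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
                     r"(?P<prefix>[A-Za-z0-9_]+:)(?P<rest>.*)$")
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}

def parse_log_line(line):
    """One kernel LOG line -> {'ts', 'prefix', 'fields', 'flags'}, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m["rest"].split():
        if "=" in tok:                 # KEY=VALUE; OUT= is legitimately empty in PREROUTING
            k, v = tok.split("=", 1)
            fields[k] = int(v) if k in INT_FIELDS and v else v
        elif tok.startswith("("):      # hex TCP options that follow the bare word OPT
            fields["OPT"] = tok.strip("()")
        elif tok != "OPT":             # remaining bare words are flags: DF, SYN, ACK, ...
            flags.add(tok)
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "prefix": m["prefix"], "fields": fields, "flags": flags}

def syn_report(lines, before="PREROUTING_before:", after="PREROUTING_after:"):
    """Per client (SRC, SPT): bare SYNs that hit the 'before' LOG, their IP IDs, the
    seconds between them (retransmits show as growing gaps) and how many lines hit the
    'after' LOG. Keyed on the source side only, because DNAT rewrites the destination."""
    flows = defaultdict(lambda: {"syns": [], "after_seen": 0})
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["fields"].get("PROTO") != "TCP":
            continue
        f = rec["fields"]
        key = (f["SRC"], f["SPT"])
        if rec["prefix"] == after:
            flows[key]["after_seen"] += 1
        elif rec["prefix"] == before and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            flows[key]["syns"].append(rec)
    report = []
    for (src, spt), data in flows.items():
        syns = data["syns"]
        if not syns:
            continue
        stamps = [s["ts"] for s in syns]
        report.append({
            "flow": (src, spt, syns[0]["fields"]["DST"], syns[0]["fields"]["DPT"]),
            "syn_count": len(syns),
            "ids": [s["fields"]["ID"] for s in syns],
            "gaps": [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])],
            "after_seen": data["after_seen"],
        })
    return report

if __name__ == "__main__":
    for row in syn_report(SAMPLE_LOG.splitlines()):
        print(row)
```

On the sample this yields one flow with three SYNs at 3 s and 6 s intervals and nothing at the "after" rule, which is exactly the symptom the rest of the thread explains.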
* Re: Forwarding packets over the same LAN
From: Pascal Hambourg @ 2009-07-14 15:33 UTC (permalink / raw)
To: netfilter
Hello,
Simion Onea wrote:
>
> I tried these rules but it seems that packets do not pass the first
> rule. To test this I put two LOG targets before and after the PREROUTING
> rule like this:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j LOG
> --log-tcp-options --log-prefix PREROUTING_before:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j DNAT
> --to-destination 172.20.1.254:25
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j LOG
> --log-tcp-options --log-prefix PREROUTING_after:
> iptables -t nat -A POSTROUTING -o eth0 -p tcp -d 172.20.1.254 --dport 25
> -j SNAT --to-source 172.20.1.245
>
> As a result I received in the log three messages with
> "PREROUTING_before" -- these were SYN packets. And no message with
> "PREROUTING_after" :-(
>
> What could be wrong ?
man iptables
DNAT is a terminal target, so after a match the next rules in the chain
are not examined.
* Re: Forwarding packets over the same LAN
From: Thomas Jacob @ 2009-07-14 15:34 UTC (permalink / raw)
To: Simion Onea; +Cc: netfilter
On Tue, 2009-07-14 at 10:58 +0300, Simion Onea wrote:
> On Mon, 2009-07-13 at 16:14 +0200, Thomas Jacob wrote:
> > You need DNAT+SNAT for this:
> >
> > # Redirect to IP:Port
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 \
> > -j DNAT --to-destination 172.20.1.254:25
> >
> > # Ensure that the replies come back to us
> > iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 \
> > -d 172.20.1.254 -j SNAT --to-source 172.20.1.245
>
> Hi Thomas!
>
> I tried these rules but it seems that packets do not pass the first
> rule. To test this I put two LOG targets before and after the PREROUTING
> rule like this:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j LOG
> --log-tcp-options --log-prefix PREROUTING_before:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 -j DNAT
> --to-destination 172.20.1.254:25
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j LOG
> --log-tcp-options --log-prefix PREROUTING_after:
> iptables -t nat -A POSTROUTING -o eth0 -p tcp -d 172.20.1.254 --dport 25
> -j SNAT --to-source 172.20.1.245
>
> As a result I received in the log three messages with
> "PREROUTING_before" -- these were SYN packets. And no message with
> "PREROUTING_after" :-(
Reading it again, of course you don't get that second message. That's
what happens when the rule matches: the DNAT entry stops processing of the
packet in the PREROUTING chain. Your log also appears to contain the
right packets.
You need to switch on forwarding though; I guess that is what is
missing. Otherwise your system will just drop the packet after
the PREROUTING changes, i.e.:
echo 1 > /proc/sys/net/ipv4/ip_forward
I've just tried these rules for myself again, and they work nicely.
* Re: Forwarding packets over the same LAN
From: Simion Onea @ 2009-07-14 18:50 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
2009/7/14 Pascal Hambourg <pascal.mail@plouf.fr.eu.org>:
> man iptables
> DNAT is a terminal target, so after a match the next rules in the chain are
> not examined.
Thanks for pointing that out. I didn't know about this.
* Re: Forwarding packets over the same LAN
From: Simion Onea @ 2009-07-14 19:01 UTC (permalink / raw)
To: Thomas Jacob; +Cc: netfilter
2009/7/14 Thomas Jacob <jacob@internet24.de>:
> You need to switch on forwarding though, I guess that is what is
> missing. Otherwise your system will just drop the packet after
> the Prerouting changes.
>
> i.e : echo 1 > /proc/sys/net/ipv4/ip_forward
>
> I've just tried these rules for myself again, and they work nicely.
(sigh) Forwarding is always on. It is enabled at boot time in /etc/sysctl.conf.
Maybe I should examine more carefully the INPUT and FORWARD chains of
the filter table. They are configured to allow inbound traffic to port
10025 and to allow forwarding to port 25. Are there any other
requirements?
Is there any means to "debug" or to "see" how a packet traverses the
chains and tables?
Thanks!
* Re: Forwarding packets over the same LAN
From: Vincent Bernat @ 2009-07-14 20:36 UTC (permalink / raw)
To: Simion Onea; +Cc: Thomas Jacob, netfilter
OoO Early in the evening of Tuesday 14 July 2009, around 21:01, Simion
Onea <simionea@gmail.com> said:
> Maybe I should examine more carefully the INPUT and FORWARD chains of
> the filter table. They are configured to allow inbound traffic to port
> 10025 and to allow forwarding to port 25. Are there any other
> requirements?
> Is there any means to "debug" or to "see" how a packet traverses the
> chains and tables?
With a recent enough kernel, you can use the TRACE target in the raw table.
--
I WILL NEVER WIN AN EMMY
I WILL NEVER WIN AN EMMY
I WILL NEVER WIN AN EMMY
-+- Bart Simpson on chalkboard in episode 9F21
* Re: Forwarding packets over the same LAN
From: Pascal Hambourg @ 2009-07-15 7:32 UTC (permalink / raw)
To: netfilter
Simion Onea wrote:
>
> Maybe I should examine more carefully the INPUT and FORWARD chains of
> the filter table. They are configured to allow inbound traffic to port
> 10025 and to allow forwarding to port 25. Are there any other
> requirements?
The INPUT chain is only for local delivery, forwarded traffic does not
go through it. So you do not need to accept inbound traffic to port
10025 in the INPUT chain. You need to accept the return traffic in the
FORWARD chain.
> Is there any means to "debug" or to "see" how a packet traverses the
> chains and tables?
If the TRACE target is not available, you can insert rules with the LOG
target at the beginning of each table/chain. You can also use a packet
sniffer such as tcpdump or wireshark to watch the traffic at each interface.
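To make the path the thread argues about concrete, here is an added Python model (not code from the thread or from netfilter) of the hops a hairpin-forwarded connection takes on 172.20.1.245: Thomas's DNAT+SNAT pair in nat/PREROUTING and nat/POSTROUTING, the terminal behaviour of DNAT that Pascal pointed out (the PREROUTING_after LOG is never reached), the routing decision that sends forwarded traffic through FORWARD and never INPUT, and conntrack undoing both translations on the server's reply, as Simion described. The filter/FORWARD rule sets, the omission of the -i eth0 match, and a one-packet-per-direction handshake are assumptions of the model.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    state: str = "NEW"  # conntrack state as the filter table sees it

def run_chain(rules, policy, pkt, log):
    """rules are (predicate, target, argument) triples. LOG is non-terminal; any
    other target ends the chain, so a LOG after a matching DNAT is never reached."""
    for match, target, arg in rules:
        if not match(pkt):
            continue
        if target == "LOG":
            log.append(f"{arg}SRC={pkt.src} DST={pkt.dst} SPT={pkt.sport} DPT={pkt.dport}")
            continue
        if target == "DNAT":
            pkt = replace(pkt, dst=arg[0], dport=arg[1])
        elif target == "SNAT":
            pkt = replace(pkt, src=arg)
        return target, pkt
    return policy, pkt

class Host:
    """One box: nat/PREROUTING -> routing decision -> filter/INPUT or filter/FORWARD
    -> nat/POSTROUTING, plus the conntrack table that maps replies back."""
    def __init__(self, ip, prerouting, forward, inp, postrouting):
        self.ip, self.prerouting, self.forward = ip, prerouting, forward
        self.input, self.postrouting = inp, postrouting
        self.conntrack = {}  # expected reply tuple -> packet as it first arrived
        self.log = []
    def receive(self, pkt):
        """Returns (filter chain used, packet as it leaves or None if dropped)."""
        orig = self.conntrack.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is not None:
            # Reply of a NATed flow: conntrack reverses DNAT and SNAT here, no nat rule is consulted
            pkt = Pkt(orig.dst, orig.dport, orig.src, orig.sport, "ESTABLISHED")
        else:
            orig = pkt
            _, pkt = run_chain(self.prerouting, "ACCEPT", pkt, self.log)
        if pkt.dst == self.ip:  # routing decision: local delivery never sees FORWARD
            chain, rules = "INPUT", self.input
        else:
            chain, rules = "FORWARD", self.forward
        verdict, pkt = run_chain(rules, "DROP", pkt, self.log)
        if verdict == "DROP":
            return chain, None
        if chain == "FORWARD" and pkt.state == "NEW":  # nat rules see only the first packet
            _, pkt = run_chain(self.postrouting, "ACCEPT", pkt, self.log)
            self.conntrack[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = orig
        return chain, pkt

SERVER, ME, CLIENT = "172.20.1.254", "172.20.1.245", "172.20.2.40"
PREROUTING = [  # Simion's three nat/PREROUTING rules, the -i eth0 match omitted
    (lambda p: p.dport == 10025, "LOG", "PREROUTING_before:"),
    (lambda p: p.dport == 10025, "DNAT", (SERVER, 25)),
    (lambda p: p.dport == 25, "LOG", "PREROUTING_after:"),  # unreachable after the DNAT
]
POSTROUTING = [(lambda p: p.dst == SERVER and p.dport == 25, "SNAT", ME)]
FORWARD_OK = [  # assumed filter/FORWARD: new mail connections plus their return traffic
    (lambda p: p.state == "ESTABLISHED", "ACCEPT", None),
    (lambda p: p.dst == SERVER and p.dport == 25, "ACCEPT", None),
]
FORWARD_NO_RETURN = FORWARD_OK[1:]  # forgets the reply direction Pascal warned about

def demo(forward_rules):
    """Client SYN in, server SYN/ACK back: (log, chain, out, reply_chain, back)."""
    box = Host(ME, PREROUTING, forward_rules, [], POSTROUTING)
    chain, out = box.receive(Pkt(CLIENT, 1749, ME, 10025))
    rchain, back = box.receive(Pkt(SERVER, 25, out.src, out.sport)) if out else (None, None)
    return box.log, chain, out, rchain, back
```

With FORWARD_OK the SYN leaves as 172.20.1.245:1749 -> 172.20.1.254:25 and the server's reply comes back to the client as 172.20.1.245:10025 -> 172.20.2.40:1749; with FORWARD_NO_RETURN the reply is un-NATed correctly but dropped in FORWARD, which is why only the filter table, not the nat rules, needs the extra rule.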
* Re: Forwarding packets over the same LAN
From: Simion Onea @ 2009-07-15 7:38 UTC (permalink / raw)
To: Thomas Jacob; +Cc: netfilter
On Tue, 2009-07-14 at 14:27 +0200, Thomas Jacob wrote:
> > > You need DNAT+SNAT for this:
> > >
> > > # Redirect to IP:Port
> > > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 \
> > > -j DNAT --to-destination 172.20.1.254:25
> > >
> > > # Ensure that the replies come back to us
> > > iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 \
> > > -d 172.20.1.254 -j SNAT --to-source 172.20.1.245
Finally I managed to set it up correctly!
The problem was with another rule blocking forwarded traffic to port 25.
After I corrected the rules everything worked fine.
Thank you for your time and expertise!
Best regards,
Simion.
* Re: Forwarding packets over the same LAN
From: Simion Onea @ 2009-07-15 7:40 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
On Wed, 2009-07-15 at 09:32 +0200, Pascal Hambourg wrote:
> The INPUT chain is only for local delivery, forwarded traffic does not
> go through it. So you do not need to accept inbound traffic to port
> 10025 in the INPUT chain. You need to accept the return traffic in the
> FORWARD chain.
>
> If the TRACE target is not available, you can insert rules with the LOG
> target at the beginning of each table/chain. You can also use a packet
> sniffer such as tcpdump or wireshark to watch the traffic at each interface.
Hi Pascal!
I finally managed to set it up correctly. The problem was with another
rule blocking traffic to port 25.
Thank you!
Regards,
Simion.
* Re: Forwarding packets over the same LAN
From: Mike Williams @ 2009-07-15 20:12 UTC (permalink / raw)
To: netfilter
On Wed, Jul 15, 2009 at 3:40 AM, Simion Onea<simionea@gmail.com> wrote:
> I finally managed to set it up correctly. The problem was with another
> rule blocking traffic to port 25.
>
Simion,
Hi there. Would you mind posting the output of iptables-save? After
reading about your battle with this it would be nice to see the
complete set of working rules. Also, having the final solution in the
archives may help someone else.
Thanks,
Mike
* Re: Forwarding packets over the same LAN
From: Simion Onea @ 2009-07-16 5:59 UTC (permalink / raw)
To: Mike Williams; +Cc: netfilter
On Wed, 2009-07-15 at 16:12 -0400, Mike Williams wrote:
> Simion,
>
> Hi there. Would you mind posting the output of iptables-save? After
> reading about your battle with this it would be nice to see the
> complete set of working rules. Also, having the final solution in the
> archives may help someone else.
>
> Thanks,
>
> Mike
Hi Mike!
Well, our set of iptables rules is rather large. It performs several
tasks like blocking access to some ports on the server, blocking access
to some hosts, performing NAT for other hosts, etc.
To be useful for the community, this set of rules would require a
detailed explanation which I am not prepared to give because our
company's policies do not allow me to do so.
But the solution to my problem was the couple of rules proposed by
Thomas Jacob:
> On Mon, 2009-07-13 at 16:14 +0200, Thomas Jacob wrote:
> > You need DNAT+SNAT for this:
> >
> > # Redirect to IP:Port
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 10025 \
> > -j DNAT --to-destination 172.20.1.254:25
> >
> > # Ensure that the replies come back to us
> > iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 25 \
> > -d 172.20.1.254 -j SNAT --to-source 172.20.1.245
These rules did the job, but there was another one that I didn't notice
at first. This rule was blocking traffic to port 25:
# iptables -A FORWARD -p tcp -s 172.20.1.245 -d 0/0 --dport 25 -j DROP
As soon as I removed this rule everything went fine.
Regards,
Simion.