* ip6tables REDIRECT support
@ 2012-09-27 12:17 Joao Pereira
  2012-09-27 17:21 ` Steve (Telsat Broadband)
  0 siblings, 1 reply; 6+ messages in thread
From: Joao Pereira @ 2012-09-27 12:17 UTC (permalink / raw)
  To: netfilter

Hello,
I found a thread from last year with an announcement of the creation of
a patch to implement NAT on IPv6. I know that with IPv6 we are not
supposed to have NAT anymore, but I have a problem that I need to solve,
and the REDIRECT of iptables was the solution for it in IPv4.

The scenario is the following:
I have one application running on machine A, and a server also on
machine A. I am sending one request from the application to the
server.
I need to make this request pass through another machine first and
only then land on the server.
I could do this by adding a redirect rule to redirect the traffic
using the port.

I found the patch on http://lwn.net/Articles/468671/
Was the patch applied in any version of iptables?

BR
-- 
-------

João Pereira


* RE: ip6tables REDIRECT support
  2012-09-27 12:17 ip6tables REDIRECT support Joao Pereira
@ 2012-09-27 17:21 ` Steve (Telsat Broadband)
  2012-09-27 18:25   ` Jan Engelhardt
  2012-09-28 18:17   ` Eliezer Croitoru
  0 siblings, 2 replies; 6+ messages in thread
From: Steve (Telsat Broadband) @ 2012-09-27 17:21 UTC (permalink / raw)
  To: 'Joao Pereira', netfilter

Hi João,

I too was requiring this for a server of ours, but not for the exact same
reason: ours was to implement a captive portal.

I did try to compile the patch you mentioned into ip6tables 1.4.10, but part
of the patch that I had a copy of was incomplete; further, due to my limited
knowledge of the code netfilter is built on, I couldn't make a workaround.

I posted to this list some time back asking if only the REDIRECT component
of NAT would be implemented, perhaps not in a NAT table, but rather as a -j
target of the mangle table (just a suggestion), but I can't recall getting
any definitive responses.

The majority of the responses I did get suggested to use TPROXY instead of
redirect, but in my particular case, that didn't work properly and seemed to
have much more overhead than the redirect target.

Hopefully someone out there in the dev team will understand our plight and
perhaps incorporate this important target.

Cheers.
Steve. 


Steve Noorderbroek
C.T.O.
Telsat Broadband Limited
www.telsatbb.vu



* RE: ip6tables REDIRECT support
  2012-09-27 17:21 ` Steve (Telsat Broadband)
@ 2012-09-27 18:25   ` Jan Engelhardt
  2012-09-28 18:17   ` Eliezer Croitoru
  1 sibling, 0 replies; 6+ messages in thread
From: Jan Engelhardt @ 2012-09-27 18:25 UTC (permalink / raw)
  To: Steve (Telsat Broadband); +Cc: 'Joao Pereira', netfilter


On Thursday 2012-09-27 19:21, Steve (Telsat Broadband) wrote:
>
>The majority of the responses I did get suggested to use TPROXY instead of
>redirect, but in my particular case, that didn't work properly and seemed to
>have much more overhead than the redirect target.
>
>Hopefully someone out there in the dev team will understand our plight and
>perhaps incorporate this important target.

But you're writing to the non-developer list currently.. :)


* Re: ip6tables REDIRECT support
  2012-09-27 17:21 ` Steve (Telsat Broadband)
  2012-09-27 18:25   ` Jan Engelhardt
@ 2012-09-28 18:17   ` Eliezer Croitoru
  2012-09-28 20:22     ` Steve (Telsat Broadband)
  1 sibling, 1 reply; 6+ messages in thread
From: Eliezer Croitoru @ 2012-09-28 18:17 UTC (permalink / raw)
  To: Steve (Telsat Broadband); +Cc: 'Joao Pereira', netfilter

On 9/27/2012 7:21 PM, Steve (Telsat Broadband) wrote:
> The majority of the responses I did get suggested to use TPROXY instead of
> redirect, but in my particular case, that didn't work properly and seemed to
> have much more overhead than the redirect target.
>
What didn't work?
If you need a captive portal there is a very simple way to do it.
What exactly do you use now?

Eliezer
> Hopefully someone out there in the dev team will understand our plight and
> perhaps incorporate this important target.
>
> Cheers.
> Steve.


-- 
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il


* RE: ip6tables REDIRECT support
  2012-09-28 18:17   ` Eliezer Croitoru
@ 2012-09-28 20:22     ` Steve (Telsat Broadband)
  2012-09-29  2:31       ` Eliezer Croitoru
  0 siblings, 1 reply; 6+ messages in thread
From: Steve (Telsat Broadband) @ 2012-09-28 20:22 UTC (permalink / raw)
  To: 'Eliezer Croitoru'; +Cc: 'Joao Pereira', netfilter

Hi Eliezer,

We use our own custom server.  The server listens for connections on all
ports for both TCP & UDP and forwards any unauthenticated connections to two
separate services running on the same machine.  The problem with TPROXY was
that despite it being configured exactly as we've configured it in the past
when we used a squid proxy, the data packets never hit the services on the
server which were supposed to handle them.

The redirect target worked perfectly for this situation, simply capturing
any packets on dport 1-65535 and redirecting them to port xxx on the same
machine. Simply shifting port X to port Y without any other modifications.

Cheers.
Steve.


Steve Noorderbroek
C.T.O.
Telsat Broadband Limited
www.telsatbb.vu
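
João's question (does the REDIRECT target exist for ip6tables?) and Steve's
setup above (every TCP and UDP port on the client-facing interface sent to one
local port) come down to the same rule on the IPv6 nat table. That table, with
REDIRECT, DNAT, SNAT and MASQUERADE, reached mainline in Linux 3.7, with the
matching userspace in iptables 1.4.17; ip6tables 1.4.10 predates it. The script
below is an added example, not configuration posted by anyone in the thread. It
puts the REDIRECT variant next to the TPROXY variant the other replies
recommend, so the extra pieces TPROXY needs (the fwmark, the policy-routing rule
and the local route) are visible. The interface name, the portal port, the mark
value and the routing table number are assumptions; with DRY_RUN=1 the commands
are printed instead of executed, so the rule set can be inspected without root.

```shell
#!/bin/sh
# IPv6 captive-portal interception, two ways: REDIRECT (nat table) and
# TPROXY (mangle table).  Added example; not the thread's own configuration.
# Assumed values:
#   WAN_IF       client-facing interface
#   PORTAL_PORT  local port the portal/server listens on
#   DRY_RUN=1    print the commands instead of running them (no root needed)
set -eu
: "${WAN_IF:=eth0}"
: "${PORTAL_PORT:=3128}"
: "${DRY_RUN:=0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Variant 1: REDIRECT.  Needs the IPv6 nat table (Linux >= 3.7, iptables >= 1.4.17).
# The destination address and port are rewritten to the local port, so a server
# that wants the address the client really dialled has to ask conntrack for it
# (IP6T_SO_ORIGINAL_DST); nothing else is required of the listening socket.
redirect_rules() {
    for proto in tcp udp; do
        run ip6tables -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport 1:65535 \
            -j REDIRECT --to-ports "$PORTAL_PORT"
    done
}

# Variant 2: TPROXY.  Nothing is rewritten; the packet is handed to a local socket
# bound to PORTAL_PORT that has IPV6_TRANSPARENT set.  The fwmark plus the
# policy-routing rule and the "local" route are what make the kernel deliver a
# packet whose destination is not one of its own addresses.  Without the routing
# half, or without the socket option on the listener, the service never sees
# the packets, which matches the symptom Steve describes.
tproxy_rules() {
    for proto in tcp udp; do
        run ip6tables -t mangle -A PREROUTING -i "$WAN_IF" -p "$proto" \
            -j TPROXY --on-port "$PORTAL_PORT" --tproxy-mark 0x1/0x1
    done
    run ip -6 rule add fwmark 0x1 lookup 100
    run ip -6 route add local ::/0 dev lo table 100
}

case "${1:-}" in
    redirect) redirect_rules ;;
    tproxy)   tproxy_rules ;;
esac
```

Invoke it as root with `redirect` or `tproxy` as the argument, or with DRY_RUN=1
to only print the rules. Both variants live in PREROUTING because they act on
forwarded client traffic; for locally generated traffic (João's application and
server on the same host) the REDIRECT target goes in the OUTPUT chain of the nat
table instead, while TPROXY is restricted to mangle PREROUTING.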



* Re: ip6tables REDIRECT support
  2012-09-28 20:22     ` Steve (Telsat Broadband)
@ 2012-09-29  2:31       ` Eliezer Croitoru
  0 siblings, 0 replies; 6+ messages in thread
From: Eliezer Croitoru @ 2012-09-29  2:31 UTC (permalink / raw)
  To: Steve (Telsat Broadband); +Cc: 'Joao Pereira', netfilter

On 9/28/2012 10:22 PM, Steve (Telsat Broadband) wrote:
> Hi Eliezer,
>
> We use our own custom server.  The server listens for connections on all
> ports for both TCP & UDP and forwards any unauthenticated connections to two
> separate services running on the same machine.  The problem with TPROXY was
> that despite it being configured exactly as we've configured it in the past
> when we used a squid proxy, the data packets never hit the services on the
> server which were supposed to handle them.
>
So I ask: why, if it worked with squid, is it not working with your server?
The only answer I can think of is that you didn't use the right
configuration on the server to work with tproxy.
It requires special socket options that are not similar to any regular ones.

Works for me with tproxy and does what I need.

Eliezer
> The redirect target worked perfectly for this situation, simply capturing
> any packets on dport 1-65535 and redirecting it to port xxx on the same
> machine.  Simply shifting port X to port Y without any other modifications.
>
> Cheers.
> Steve.
>
>
> Steve Noorderbroek
> C.T.O.
> Telsat Broadband Limited
> www.telsatbb.vu
<SNIP>
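
Eliezer's point is that a TPROXY'd service has to open its socket differently
from one sitting behind REDIRECT, and the two also learn the client's real
destination differently. The following is an added example (not code from the
thread or from any of its participants) that shows both sides for IPv4 and
IPv6: the listener with IP_TRANSPARENT / IPV6_TRANSPARENT set, and the recovery
of the original destination with getsockname() under TPROXY versus the
SO_ORIGINAL_DST / IP6T_SO_ORIGINAL_DST socket options under REDIRECT. The option
numbers are the values from the Linux uapi headers named in the comments; the
default host and port, the struct packing helpers and the sample sockaddr buffer
are constructed for illustration, and the portal logic itself is not shown.

```python
import socket
import struct

# Linux socket-option numbers; Python's socket module exports only some of them.
# Values are taken from the kernel uapi headers named in the comments.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)   # <linux/in.h>
IPV6_TRANSPARENT = 75                                    # <linux/in6.h>
SO_ORIGINAL_DST = 80                                     # <linux/netfilter_ipv4.h>
IP6T_SO_ORIGINAL_DST = 80                                # <linux/netfilter_ipv6/ip6_tables.h>

# Kernel sockaddr layouts returned by the *_ORIGINAL_DST getsockopt calls.
# '=' gives native byte order for sa_family with no padding; the port is
# stored big-endian regardless of host order, so it is read as two raw bytes.
SOCKADDR_IN_FMT = "=H2s4s8x"     # sa_family, sin_port, sin_addr, 8 bytes zero padding
SOCKADDR_IN6_FMT = "=H2sI16sI"   # sa_family, sin6_port, flowinfo, sin6_addr, scope_id


def parse_sockaddr_in(buf):
    """(address, port) from a 16-byte struct sockaddr_in."""
    family, port, addr = struct.unpack(SOCKADDR_IN_FMT, buf[:16])
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr: family=%d" % family)
    return socket.inet_ntop(socket.AF_INET, addr), int.from_bytes(port, "big")


def parse_sockaddr_in6(buf):
    """(address, port) from a 28-byte struct sockaddr_in6."""
    family, port, _flow, addr, _scope = struct.unpack(SOCKADDR_IN6_FMT, buf[:28])
    if family != socket.AF_INET6:
        raise ValueError("not an AF_INET6 sockaddr: family=%d" % family)
    return socket.inet_ntop(socket.AF_INET6, addr), int.from_bytes(port, "big")


def pack_sockaddr_in(addr, port):
    """Inverse of parse_sockaddr_in; used here only to build constructed input."""
    return struct.pack(SOCKADDR_IN_FMT, socket.AF_INET, port.to_bytes(2, "big"),
                       socket.inet_pton(socket.AF_INET, addr))


def pack_sockaddr_in6(addr, port):
    """Inverse of parse_sockaddr_in6; used here only to build constructed input."""
    return struct.pack(SOCKADDR_IN6_FMT, socket.AF_INET6, port.to_bytes(2, "big"),
                       0, socket.inet_pton(socket.AF_INET6, addr), 0)


def original_destination(conn, interception):
    """Address and port the client really dialled, for an accepted connection.

    "tproxy":   nothing was rewritten, so the accepted socket's local address
                *is* the original destination: getsockname() is enough.
    "redirect": REDIRECT rewrote the destination to the local port, so
                getsockname() only shows that port; the pre-NAT tuple has to be
                fetched from conntrack with SO_ORIGINAL_DST (IPv4) or
                IP6T_SO_ORIGINAL_DST (IPv6).
    """
    if interception == "tproxy":
        return conn.getsockname()[:2]
    if interception == "redirect":
        if conn.family == socket.AF_INET6:
            raw = conn.getsockopt(socket.IPPROTO_IPV6, IP6T_SO_ORIGINAL_DST, 28)
            return parse_sockaddr_in6(raw)
        raw = conn.getsockopt(socket.IPPROTO_IP, SO_ORIGINAL_DST, 16)
        return parse_sockaddr_in(raw)
    raise ValueError("unknown interception mode %r" % interception)


def tproxy_listener(host="::", port=3128, family=socket.AF_INET6,
                    proto=socket.SOCK_STREAM):
    """Listening socket for the TPROXY case (host and port are assumed defaults).

    IP_TRANSPARENT / IPV6_TRANSPARENT is the "special socket option": it lets the
    socket accept traffic for addresses that are not local.  The TPROXY target
    only hands packets to sockets that have it set, so a plain listener on the
    --on-port never receives them.  Setting it requires CAP_NET_ADMIN.
    """
    s = socket.socket(family, proto)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if family == socket.AF_INET6:
        s.setsockopt(socket.IPPROTO_IPV6, IPV6_TRANSPARENT, 1)
    else:
        s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
    s.bind((host, port))
    if proto == socket.SOCK_STREAM:
        s.listen(128)
    return s


# Constructed sample: what IP6T_SO_ORIGINAL_DST returns on a little-endian Linux
# host for a client that dialled [2001:db8::1]:443 before REDIRECT rewrote it.
SAMPLE_ORIGINAL_DST_V6 = bytes.fromhex(
    "0a00" "01bb" "00000000" "20010db8000000000000000000000001" "00000000")


if __name__ == "__main__":
    print(parse_sockaddr_in6(SAMPLE_ORIGINAL_DST_V6))   # ('2001:db8::1', 443)
```

The same pair of calls applies to UDP sockets, with recvmsg in place of accept;
what does not change is that under REDIRECT the service works without any
special socket setup but must ask conntrack for the original tuple, while under
TPROXY the listener is unusable until the transparent option is set.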

