nat:REDIRECT on localhost not working in Kernel 2.6

nat:REDIRECT on localhost not working in Kernel 2.6

[Stephan Uhlmann]

[-- Attachment #1: Type: text/plain, Size: 1235 bytes --]

Hello netfilter friends,

I want to redirect all connections going to port 80 of a host to port 8080 of 
the same host. Of course I do it with the REDIRECT target:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080

The redirection of externally incoming connections via PREROUTING  works 
perfectly fine.

But I have the problem that locally generated connections are not redirected 
on machines with Linux Kernel 2.6 but on machines with Linux Kernel 2.4.

I tested:
SuSE Linux 9.0 (Kernel 2.4.21, iptables v1.2.8)  - works
SuSE Linux 9.1 (Kernel 2.6.5,  iptables v1.2.9)  - does not work
SuSE Linux 9.2 (Kernel 2.6.8,  iptables v1.2.11) - does not work
Gentoo Linux   (Kernel 2.6.9,  iptables v1.2.11) - does not work

"iptables -t nat -L -v" shows that no packet at all was catched by the OUTPUT 
chain. Instead it seems to go to the POSTROUTING chain. But the REDIRECT 
target can't be used in the POSTROUTING chain.

Is this a bug? Is this a feature? Did something change between Kernel 2.4 and 
2.6 in this regard?

I looked through the ChangeLogs and other docs but didn't find any hint.


Stephan

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: nat:REDIRECT on localhost not working in Kernel 2.6

[Jason Opperisano]

On Fri, Nov 19, 2004 at 06:36:02PM +0100, Stephan Uhlmann wrote:
> Hello netfilter friends,
> 
> I want to redirect all connections going to port 80 of a host to port 8080 of 
> the same host. Of course I do it with the REDIRECT target:
> 
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
> 
> The redirection of externally incoming connections via PREROUTING  works 
> perfectly fine.
> 
> But I have the problem that locally generated connections are not redirected 
> on machines with Linux Kernel 2.6 but on machines with Linux Kernel 2.4.
> 
> I tested:
> SuSE Linux 9.0 (Kernel 2.4.21, iptables v1.2.8)  - works
> SuSE Linux 9.1 (Kernel 2.6.5,  iptables v1.2.9)  - does not work
> SuSE Linux 9.2 (Kernel 2.6.8,  iptables v1.2.11) - does not work
> Gentoo Linux   (Kernel 2.6.9,  iptables v1.2.11) - does not work
> 
> "iptables -t nat -L -v" shows that no packet at all was catched by the OUTPUT 
> chain. Instead it seems to go to the POSTROUTING chain. But the REDIRECT 
> target can't be used in the POSTROUTING chain.
> 
> Is this a bug? Is this a feature? Did something change between Kernel 2.4 and 
> 2.6 in this regard?
> 
> I looked through the ChangeLogs and other docs but didn't find any hint.

are all kernels in question compiled with:  IP_NF_NAT_LOCAL

-j

--
"Man, you go through life, you try to be nice to people, you struggle
 to resist the urge to punch 'em in the face, and for what?"
        --The Simpsons

Re: nat:REDIRECT on localhost not working in Kernel 2.6

[Jason Opperisano]

On Fri, Nov 19, 2004 at 11:55:21AM -0600, Josh Nerius wrote:
> I'll second what Jason said here.
> 
> I've had the same issue in the past and resolved it by enabling option
> Jason mentioned.
> 
> This can also be found in menuconfig here:
> 
> Device Drivers >> Networking Support >> Networking Options >> Network
> packet filtering >> IP: Netfilter Configuration >> [   ] Nat of local
> connections.

i just booted up a SuSE 9.2 machine (kernel 2.6.8-24), and it does not
have IP_NF_NAT_LOCAL set in its config.

-j

--
"When will I learn? The answer to life's problems aren't at the bottom
 of a bottle, they're on TV!"
        --The Simpsons

Re: nat:REDIRECT on localhost not working in Kernel 2.6

[Josh Nerius]

I'll second what Jason said here.

I've had the same issue in the past and resolved it by enabling option
Jason mentioned.

This can also be found in menuconfig here:

Device Drivers >> Networking Support >> Networking Options >> Network
packet filtering >> IP: Netfilter Configuration >> [   ] Nat of local
connections.

Josh Nerius


On Fri, 19 Nov 2004 12:41:00 -0500, Jason Opperisano <opie@817west.com> wrote:
> On Fri, Nov 19, 2004 at 06:36:02PM +0100, Stephan Uhlmann wrote:
> 
> 
> > Hello netfilter friends,
> >
> > I want to redirect all connections going to port 80 of a host to port 8080 of
> > the same host. Of course I do it with the REDIRECT target:
> >
> > iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
> > iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
> >
> > The redirection of externally incoming connections via PREROUTING  works
> > perfectly fine.
> >
> > But I have the problem that locally generated connections are not redirected
> > on machines with Linux Kernel 2.6 but on machines with Linux Kernel 2.4.
> >
> > I tested:
> > SuSE Linux 9.0 (Kernel 2.4.21, iptables v1.2.8)  - works
> > SuSE Linux 9.1 (Kernel 2.6.5,  iptables v1.2.9)  - does not work
> > SuSE Linux 9.2 (Kernel 2.6.8,  iptables v1.2.11) - does not work
> > Gentoo Linux   (Kernel 2.6.9,  iptables v1.2.11) - does not work
> >
> > "iptables -t nat -L -v" shows that no packet at all was catched by the OUTPUT
> > chain. Instead it seems to go to the POSTROUTING chain. But the REDIRECT
> > target can't be used in the POSTROUTING chain.
> >
> > Is this a bug? Is this a feature? Did something change between Kernel 2.4 and
> > 2.6 in this regard?
> >
> > I looked through the ChangeLogs and other docs but didn't find any hint.
> 
> are all kernels in question compiled with:  IP_NF_NAT_LOCAL
> 
> -j
> 
> --
> "Man, you go through life, you try to be nice to people, you struggle
>  to resist the urge to punch 'em in the face, and for what?"
>         --The Simpsons
> 
> 


-- 
Math problems? Call 1-800-[(10x)(13i)^2]-[sin(xy)/2.362x]

Re: nat:REDIRECT on localhost not working in Kernel 2.6

[Stephan Uhlmann]

[-- Attachment #1: Type: text/plain, Size: 510 bytes --]

On Friday 19 November 2004 18:41, Jason Opperisano wrote:
> are all kernels in question compiled with:  IP_NF_NAT_LOCAL

No, all kernels I tested have that option not set. They are default kernels 
from the distributions and that option seems not to be enabled by default.

Strangely the option is also not set on the kernel 2.4 machine where the 
redirect worked.

Anyway I guess the problem will go away if I set this option. Thank you for 
the hint and your quick response!


Cheers,
Stephan

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: nat:REDIRECT on localhost not working in Kernel 2.6

[Askar]

I have the same issue, even though I confirmed that "Device Drivers >>
Networking Support >> Networking Options >> Network
packet filtering >> IP: Netfilter Configuration >> [   ] Nat of local"
has been statically compiled into the kernel (kernel v. 2.6.9 distro
slackware 10, iptables v1.2.11)

I'm running squid on the same box with iptables/gatway and sometime
use this box even for browsing that why I want to redirect the
localhsot traffic to squid.

I tried with setting OUPUT policy to default ACCEPT with no luck.





On Fri, 19 Nov 2004 19:03:41 +0100, Stephan Uhlmann <su@su2.info> wrote:
> On Friday 19 November 2004 18:41, Jason Opperisano wrote:
> > are all kernels in question compiled with:  IP_NF_NAT_LOCAL
> 
> No, all kernels I tested have that option not set. They are default kernels
> from the distributions and that option seems not to be enabled by default.
> 
> Strangely the option is also not set on the kernel 2.4 machine where the
> redirect worked.
> 
> Anyway I guess the problem will go away if I set this option. Thank you for
> the hint and your quick response!
> 
> Cheers,
> Stephan
> 
> 
> 


-- 
(after bouncing head on desk for days trying to get mine working, I'll make
your life a little easier)

Re: nat:REDIRECT on localhost not working in Kernel 2.6

[Stephan Uhlmann]

[-- Attachment #1: Type: text/plain, Size: 178 bytes --]


Just for the archive and to confirm: I tested it now with self-compiled kernel 
2.6.9 (on SuSE 9.2, default iptables 1.2.11) and it worked.

Thanks everybody!


Stephan

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]