* Obtain original address from redirected connection
From: Pedro Werneck @ 2006-05-02  5:54 UTC
  To: netfilter

Hi

I have a daemon, a sort of proxy, written in Python, which receives
redirected connections with a rule like this:

iptables -t nat -A PREROUTING -j DNAT -p TCP -s source --to-destination host:port

The problem is that I need access to the original destination address,
but I could not find a way to do that when I wrote the daemon. Someone
suggested using ULOG and parsing the address from the ulogd logfile, and
this worked for some time, but now I have several simultaneous
connections to the daemon and things get out of sync very easily when
reading the file.

Someone suggested using SO_ORIGINAL_DST. The constant is not available
in the Python socket module, so I used the value 80, from the iptables_ipv4.h
headers. The problem now is that the getsockopt() call doesn't work with
any value for the 'level' parameter. First I tried 0 and 6, but they give
the errors 'Invalid Argument' and 'Protocol not available' respectively.
Just for testing I tried all other values from /etc/protocols and they
give 'Operation Not Supported'.


Is it possible to do this with SO_ORIGINAL_DST, or is there any other
approach for obtaining the original address?


Thanks for any help

-- 
Pedro Werneck


* Re: Obtain original address from redirected connection
From: Petr Pisar @ 2006-05-02  6:36 UTC
  To: netfilter

Pedro Werneck wrote:
> I have a daemon, a sort of proxy, written in Python, who receives
> redirected connections with a rule like this:
> 
> iptables -t nat -A PREROUTING -j DNAT -p TCP -s source --to-destination host:port
> 
> The problem is that I need access to the original destination address,
> but I could not find a way to do that when I wrote the daemon.
[...]
> Is it possible to do this with SO_ORIGINAL_DST, or is there any other
> approach for obtaining the original address ?
> 

SO_ORIGINAL_DST works only on local REDIRECT. If you do NAT and run the
proxy on the same machine, use REDIRECT instead. Otherwise you need a
silly side channel for delivering the original address. (Maybe create an IP
tunnel between the NATing machine and the proxy machine and then REDIRECT this
traffic on the proxy machine.)

-- Petr
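
For the local REDIRECT case Petr describes (proxy running on the box that does the NAT), the following is an added example and not code from this thread: it asks for SO_ORIGINAL_DST (value 80, the constant quoted in the question) at level SOL_IP using the three-argument form of getsockopt(), which is what makes Python hand the kernel a 16-byte buffer (the two-argument form only allows an int-sized one, and the kernel rejects a buffer shorter than struct sockaddr_in with EINVAL), and then decodes the returned struct sockaddr_in. The listener port 8080, the iptables rule in the docstring, and the pack_sockaddr_in() helper (used only to build a sample buffer for offline checking) are assumptions chosen for illustration.

```python
import socket
import struct

# SO_ORIGINAL_DST = 80 is the value quoted in the thread (from the netfilter
# IPv4 headers); the Python socket module does not define it. Level is SOL_IP.
SO_ORIGINAL_DST = 80
SOCKADDR_IN_LEN = 16  # sizeof(struct sockaddr_in) on Linux


def parse_sockaddr_in(buf):
    """Decode a struct sockaddr_in as returned by getsockopt().

    Layout: sin_family (u16, host byte order), sin_port (u16, network byte
    order), sin_addr (4 bytes), sin_zero (8 bytes of padding).
    Returns (dotted_ip, port).
    """
    if len(buf) < 8:
        raise ValueError("buffer too short for sockaddr_in: %d bytes" % len(buf))
    (family,) = struct.unpack("=H", buf[:2])
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    (port,) = struct.unpack("!H", buf[2:4])
    return socket.inet_ntoa(buf[4:8]), port


def pack_sockaddr_in(ip, port):
    """Build a sockaddr_in buffer (hypothetical helper, only for sample data)."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + bytes(8))


def original_dst(sock):
    """Return the (ip, port) the peer actually dialed, before REDIRECT.

    The three-argument form is required: it passes buflen=16 to the kernel.
    Raises OSError (ENOENT from the kernel's getorigdst) when conntrack has
    no entry for this socket, i.e. the connection was never NATed here.
    """
    buf = sock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, SOCKADDR_IN_LEN)
    return parse_sockaddr_in(buf)


def serve(listen_port=8080):
    """Accept redirected connections and report their original destination.

    Assumes a rule on the same host such as (hypothetical, chosen to match
    this listener):
      iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", listen_port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        try:
            ip, port = original_dst(conn)
        except OSError as e:
            # A direct, non-redirected connection has no conntrack NAT entry.
            print("no original destination for %s:%d (%s)" % (peer[0], peer[1], e))
        else:
            print("%s:%d -> %s:%d (arrived on :%d)"
                  % (peer[0], peer[1], ip, port, listen_port))
        conn.close()


if __name__ == "__main__":
    serve()
```

Run it as root next to a REDIRECT rule; each accepted connection prints the peer and the pre-NAT destination. The level must be SOL_IP (0): SOL_TCP (6) yields ENOPROTOOPT because the option is handled by the IP layer, not by TCP.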

* Re: Obtain original address from redirected connection
From: Pascal Hambourg @ 2006-05-04 18:51 UTC
  To: netfilter

[Sorry for the late answer, I just subscribed to the list]

Hello,

Pedro Werneck wrote:
> 
> I have a daemon, a sort of proxy, written in Python, who receives
> redirected connections with a rule like this:
> 
> iptables -t nat -A PREROUTING -j DNAT -p TCP -s source --to-destination host:port
> 
> The problem is that I need access to the original destination address,

You can parse /proc/net/ip_conntrack on the NAT box, which contains the
list of the connections currently handled by conntrack/NAT. This is
how Squid retrieves the original destination address when running in
transparent mode.
Note: on "recent" kernels you need root privileges to read this file.
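
Parsing that table, as an added example that is neither Squid's code nor anything posted in the thread: each line carries the protocol, its number, a timeout, an optional TCP state, then two src/dst/sport/dport tuples, the original direction as it entered the box (before DNAT) and the reply direction (after DNAT), with [UNREPLIED] or [ASSURED] flags interleaved. That layout is the 2.6-era /proc/net/ip_conntrack format as assumed here; the sample table is constructed with documentation addresses. The proxy matches the connection it accepted (client ip:port as peer, its own listening ip:port as local address) against the reply tuple and reads the pre-NAT destination from the original tuple. As Pascal says, this has to run on the NAT box, and as root on recent kernels.

```python
import re

# Constructed sample in the assumed 2.6-era /proc/net/ip_conntrack layout.
# Line 1: client 192.0.2.10 dialed 198.51.100.7:80, DNATed to proxy 192.0.2.1:8080.
# Line 2: masqueraded outbound HTTPS that has not been replied to yet.
# Line 3: a DNS exchange, not NATed at all.
SAMPLE_IP_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=40001 dport=80 src=192.0.2.1 dst=192.0.2.10 sport=8080 dport=40001 [ASSURED] use=1
tcp      6 117 SYN_SENT src=192.0.2.11 dst=203.0.113.5 sport=40002 dport=443 [UNREPLIED] src=203.0.113.5 dst=192.0.2.1 sport=443 dport=40002 use=1
udp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=51000 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=51000 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_ip_conntrack(text):
    """Yield one dict per entry: proto, original tuple, reply tuple.

    Tuples are (src, sport, dst, dport) with ports as ints. Lines that do not
    carry exactly two tuples (e.g. ICMP, truncated reads) are skipped.
    """
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue
        orig, reply = tuples
        yield {
            "proto": fields[0],
            "orig": (orig[0], int(orig[2]), orig[1], int(orig[3])),
            "reply": (reply[0], int(reply[2]), reply[1], int(reply[3])),
        }


def find_original_dst(text, proto, client_ip, client_port, proxy_ip, proxy_port):
    """Map an accepted connection back to the address the client dialed.

    The proxy knows its peer (client_ip:client_port) and the local address it
    accepted on (proxy_ip:proxy_port). The matching entry has the client as
    source of the original tuple and the proxy socket as source of the reply
    tuple; the original tuple's dst/dport is the pre-NAT destination.
    Returns (ip, port) or None when no such connection is tracked.
    """
    for e in parse_ip_conntrack(text):
        if e["proto"] != proto:
            continue
        o_src, o_sport, o_dst, o_dport = e["orig"]
        r_src, r_sport, r_dst, r_dport = e["reply"]
        if (o_src, o_sport) != (client_ip, client_port):
            continue
        # Insist on the full reply tuple so a stale entry with a reused client
        # port but a different proxy socket cannot be matched by accident.
        if (r_src, r_sport, r_dst, r_dport) != (proxy_ip, proxy_port, client_ip, client_port):
            continue
        return o_dst, o_dport
    return None


def original_dst_from_proc(proto, client_ip, client_port, proxy_ip, proxy_port,
                           path="/proc/net/ip_conntrack"):
    """Same lookup against the live table on the NAT box (root on recent kernels)."""
    with open(path) as f:
        return find_original_dst(f.read(), proto, client_ip, client_port, proxy_ip, proxy_port)


if __name__ == "__main__":
    print(find_original_dst(SAMPLE_IP_CONNTRACK, "tcp", "192.0.2.10", 40001, "192.0.2.1", 8080))
```

Read the file once per accepted connection rather than caching it: entries expire with their timeout and client ports get reused, so a cached table can hand back the destination of an earlier, unrelated connection.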