Send local traffic to a different server.

Send local traffic to a different server.

[Brett Simpson]

I've tried a number of different PREROUTING and POSTROUTING rules and can't seem to make this work.

I have a system with a single nic (eth0). While I'm on the system via a shell I would like to connect to 127.0.0.1:6000 and get seemlessly translated to 207.156.7.15:80.

I tried the following without success:

iptables -t nat -A PREROUTING  -p tcp -d 127.0.0.1   -i lo --dport 6000 -j DNAT--to-destination 207.156.7.15:80
iptables -t nat -A POSTROUTING -p tcp -d 207.156.7.15 -o eth0 --dport 80 -j SNAT --to-source 127.0.0.1

Re: Send local traffic to a different server.

[Antony Stone]

On Wednesday 23 June 2004 3:08 pm, Brett Simpson wrote:

> I've tried a number of different PREROUTING and POSTROUTING rules and can't
> seem to make this work.
>
> I have a system with a single nic (eth0). While I'm on the system via a
> shell I would like to connect to 127.0.0.1:6000 and get seemlessly
> translated to 207.156.7.15:80.
>
> I tried the following without success:
>
> iptables -t nat -A PREROUTING  -p tcp -d 127.0.0.1   -i lo --dport 6000 -j
> DNAT--to-destination 207.156.7.15:80
>
> iptables -t nat -A POSTROUTING -p tcp -d 207.156.7.15 -o eth0 --dport 80 -j
> SNAT --to-source 127.0.0.1

Try:

iptables -A OUTPUT -t nat -p tcp --dport 6000 -d 127.0.0.1 -j DNAT --to 
207.156.7.15:80

Regards,

Antony.

-- 
The words "e pluribus unum" on the Great Seal of the United States are from a 
poem by Virgil entitled "Moretum", which is about cheese and garlic salad 
dressing.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Send local traffic to a different server.

[Brett Simpson]

On Wed, 2004-06-23 at 09:33, Antony Stone wrote:
> On Wednesday 23 June 2004 3:08 pm, Brett Simpson wrote:
> 
> > I've tried a number of different PREROUTING and POSTROUTING rules and can't
> > seem to make this work.
> >
> > I have a system with a single nic (eth0). While I'm on the system via a
> > shell I would like to connect to 127.0.0.1:6000 and get seemlessly
> > translated to 207.156.7.15:80.
> >
> > I tried the following without success:
> >
> > iptables -t nat -A PREROUTING  -p tcp -d 127.0.0.1   -i lo --dport 6000 -j
> > DNAT--to-destination 207.156.7.15:80
> >
> > iptables -t nat -A POSTROUTING -p tcp -d 207.156.7.15 -o eth0 --dport 80 -j
> > SNAT --to-source 127.0.0.1
> 
> Try:
> 
> iptables -A OUTPUT -t nat -p tcp --dport 6000 -d 127.0.0.1 -j DNAT --to 
> 207.156.7.15:80

Didn't work. Would the INPUT chain help?

iptables -t nat -A OUTPUT -p tcp --dport 6000 -d 127.0.0.1 -j DNAT --to
207.156.7.15:80    
iptables -t nat -A POSTROUTING -p tcp -d 207.156.7.15 -o eth0 --dport 80
-j SNAT --to-source 127.0.0.1

Re: Send local traffic to a different server.

[Antony Stone]

On Wednesday 23 June 2004 3:33 pm, Brett Simpson wrote:

> On Wed, 2004-06-23 at 09:33, Antony Stone wrote:
> > On Wednesday 23 June 2004 3:08 pm, Brett Simpson wrote:
> > > I've tried a number of different PREROUTING and POSTROUTING rules and
> > > can't seem to make this work.
> > >
> > > I have a system with a single nic (eth0). While I'm on the system via a
> > > shell I would like to connect to 127.0.0.1:6000 and get seemlessly
> > > translated to 207.156.7.15:80.
> > >
> > > I tried the following without success:
> > >
> > > iptables -t nat -A PREROUTING  -p tcp -d 127.0.0.1   -i lo --dport 6000
> > > -j DNAT--to-destination 207.156.7.15:80
> > >
> > > iptables -t nat -A POSTROUTING -p tcp -d 207.156.7.15 -o eth0 --dport
> > > 80 -j SNAT --to-source 127.0.0.1
> >
> > Try:
> >
> > iptables -A OUTPUT -t nat -p tcp --dport 6000 -d 127.0.0.1 -j DNAT --to
> > 207.156.7.15:80
>
> Didn't work. Would the INPUT chain help?

No, I don't think so.   INPUT is only for the reply packets.   I'm assuming 
you're allowing those back in to your machine (!?), so the problem is getting 
the outbound packets to the right destination with the right return address.

> iptables -t nat -A OUTPUT -p tcp --dport 6000 -d 127.0.0.1 -j DNAT --to
> 207.156.7.15:80
> iptables -t nat -A POSTROUTING -p tcp -d 207.156.7.15 -o eth0 --dport 80
> -j SNAT --to-source 127.0.0.1

Duh :)   I forgot about the reply address :)

My rule will send packets to 207.156.7.15 with a source address of 127.0.0.1

Not surprisingly, you don't get anything back...

Try:

iptables -A OUTPUT -t nat -p tcp --dport 6000 -d 127.0.0.1 -j DNAT --to 
207.156.7.15:80
iptables -A POSTROUTING -t nat -p tcp --dport 80 -d 207.156.7.15 -s 127.0.0.1 
-j SNAT --to a.b.c.d

Where a.b.c.d is the routable address of your machine, to which reply packets 
can successfully return.

Regards,

Antony.

-- 
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)

Re: Send local traffic to a different server.

[Brett Simpson]

On Wed, 2004-06-23 at 10:00, Antony Stone wrote:
> On Wednesday 23 June 2004 3:33 pm, Brett Simpson wrote:
> 
> > On Wed, 2004-06-23 at 09:33, Antony Stone wrote:
> > > On Wednesday 23 June 2004 3:08 pm, Brett Simpson wrote:
> > > > I've tried a number of different PREROUTING and POSTROUTING rules and
> > > > can't seem to make this work.
> > > >
> > > > I have a system with a single nic (eth0). While I'm on the system via a
> > > > shell I would like to connect to 127.0.0.1:6000 and get seemlessly
> > > > translated to 207.156.7.15:80.
> > > >
> My rule will send packets to 207.156.7.15 with a source address of 127.0.0.1
> 
> Not surprisingly, you don't get anything back...
> 
> Try:
> 
> iptables -A OUTPUT -t nat -p tcp --dport 6000 -d 127.0.0.1 -j DNAT --to 
> 207.156.7.15:80
> iptables -A POSTROUTING -t nat -p tcp --dport 80 -d 207.156.7.15 -s 127.0.0.1 
> -j SNAT --to a.b.c.d
> 
> Where a.b.c.d is the routable address of your machine, to which reply packets 
> can successfully return.

Still no go. My machine is 172.27.228.145. I'm using lynx for the
browser on my machine.

iptables -A OUTPUT -t nat -p tcp --dport 6000 -d 127.0.0.1 -j DNAT --to
207.156.7.15:80
iptables -A POSTROUTING -t nat -p tcp --dport 80 -d 207.156.7.15 -s
127.0.0.1 -j SNAT --to 172.27.228.145

Thanks,
Brett

Re: Send local traffic to a different server.

[Antony Stone]

On Wednesday 23 June 2004 4:12 pm, Brett Simpson wrote:

> On Wed, 2004-06-23 at 10:00, Antony Stone wrote:
> > On Wednesday 23 June 2004 3:33 pm, Brett Simpson wrote:
> > > On Wed, 2004-06-23 at 09:33, Antony Stone wrote:
> > > > On Wednesday 23 June 2004 3:08 pm, Brett Simpson wrote:
> > > > > I've tried a number of different PREROUTING and POSTROUTING rules
> > > > > and can't seem to make this work.
> > > > >
> > > > > I have a system with a single nic (eth0). While I'm on the system
> > > > > via a shell I would like to connect to 127.0.0.1:6000 and get
> > > > > seemlessly translated to 207.156.7.15:80.
> >
> > My rule will send packets to 207.156.7.15 with a source address of
> > 127.0.0.1
> >
> > Not surprisingly, you don't get anything back...
> >
> > Try:
> >
> > iptables -A OUTPUT -t nat -p tcp --dport 6000 -d 127.0.0.1 -j DNAT --to
> > 207.156.7.15:80
> > iptables -A POSTROUTING -t nat -p tcp --dport 80 -d 207.156.7.15 -s
> > 127.0.0.1 -j SNAT --to a.b.c.d
> >
> > Where a.b.c.d is the routable address of your machine, to which reply
> > packets can successfully return.
>
> Still no go. My machine is 172.27.228.145. I'm using lynx for the
> browser on my machine.

That's not a routable address.

How are packets from the machine we are talking about routed to and from the 
Internet?   Where is NAT taking place?

Antony.

-- 
The first fifty percent of an engineering project takes ninety percent of the 
time, and the remaining fifty percent takes another ninety percent of the 
time.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Send local traffic to a different server.

[Brett Simpson]

On Wed, 2004-06-23 at 10:24, Antony Stone wrote:
> > Still no go. My machine is 172.27.228.145. I'm using lynx for the
> > browser on my machine.
> 
> That's not a routable address.
> 
> How are packets from the machine we are talking about routed to and from the 
> Internet?   Where is NAT taking place?

Oops. I meant to use 207.156.7.115 instead of 207.156.7.15. Typo. :-)

The machine has a default gateway set to a cisco router (172.27.228.1).
It routes to firewall and out to the internet. Other than that I have no
other routes in place but I can access port 80 on 207.156.7.115.

[root@simpsonb proxy-2.2.4]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use
Iface
172.16.225.0    0.0.0.0         255.255.255.0   U     0      0        0
vmnet8
172.16.76.0     0.0.0.0         255.255.255.0   U     0      0        0
vmnet1
172.27.228.0    0.0.0.0         255.255.255.0   U     0      0        0
eth0
172.27.0.0      0.0.0.0         255.255.0.0     U     0      0        0
eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0
eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0
lo
0.0.0.0         172.27.228.1    0.0.0.0         UG    0      0        0
eth0
[root@simpsonb proxy-2.2.4]#


Browser
172.27.228.145
	|
	|
Default GW
172.27.228.1 Router A
	|
	|
172.16.3.119 Router B
	|
	|
172.16.21.102
Firewall
207.156.7.1
	|
	|
207.156.7.115
Web server

Re: Send local traffic to a different server.

[Brett Simpson]

On Wed, 2004-06-23 at 10:24, Antony Stone wrote:

> How are packets from the machine we are talking about routed to and from the 
> Internet?   Where is NAT taking place?

I got it working! Actually I was testing on Redhat Enterprise Linux ES 3
(RHEL) with no success so I went to Gentoo and was able to get it to
work with the following...

iptables -t nat -A OUTPUT -p tcp --dport 6000 -d 127.0.0.1 -j DNAT --to
207.156.7.115:80
iptables -t nat -A POSTROUTING -p tcp -d 207.156.7.115 -o eth0 --dport
80 -j SNAT --to-source 172.27.228.220

I suspect that RHEL doesn't have 'NAT of local connections' compiled
into the kernel.

Thanks for everyone help, 
Brett

Re: Send local traffic to a different server.

[John A. Sullivan III]

On Wed, 2004-06-23 at 10:08, Brett Simpson wrote:
> I've tried a number of different PREROUTING and POSTROUTING rules and can't seem to make this work.
> 
> I have a system with a single nic (eth0). While I'm on the system via a shell I would like to connect to 127.0.0.1:6000 and get seemlessly translated to 207.156.7.15:80.
> 
> I tried the following without success:
> 
> iptables -t nat -A PREROUTING  -p tcp -d 127.0.0.1   -i lo --dport 6000 -j DNAT--to-destination 207.156.7.15:80
> iptables -t nat -A POSTROUTING -p tcp -d 207.156.7.15 -o eth0 --dport 80 -j SNAT --to-source 127.0.0.1
Hmmm .  . . not sure, never tried it.  What happens if you move your
first rule to -t nat OUTPUT instead of -t nat PREROUTING?
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

Re: Send local traffic to a different server.

[Antony Stone]

On Wednesday 23 June 2004 3:08 pm, Brett Simpson wrote:

> I've tried a number of different PREROUTING and POSTROUTING rules and can't
> seem to make this work.
>
> I have a system with a single nic (eth0). While I'm on the system via a
> shell I would like to connect to 127.0.0.1:6000 and get seemlessly
> translated to 207.156.7.15:80.

I might as well just check something rather obvious:

Can you access 207.156.7.15:80 from the machine we are talking about?

ie: assuming we get the NAT to work the way you want, do the packets get to 
the remote server and the replies back again okay?

Antony.

-- 
If you can't find an Open Source solution for it, then it isn't a real 
problem.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Send local traffic to a different server.

[Brett Simpson]

On Wed, 2004-06-23 at 10:58, Antony Stone wrote:
> On Wednesday 23 June 2004 3:08 pm, Brett Simpson wrote:
> 
> > I've tried a number of different PREROUTING and POSTROUTING rules and can't
> > seem to make this work.
> >
> > I have a system with a single nic (eth0). While I'm on the system via a
> > shell I would like to connect to 127.0.0.1:6000 and get seemlessly
> > translated to 207.156.7.15:80.
> 
> I might as well just check something rather obvious:
> 
> Can you access 207.156.7.15:80 from the machine we are talking about?

Yes.

> ie: assuming we get the NAT to work the way you want, do the packets get to 
> the remote server and the replies back again okay?

Re: Send local traffic to a different server.

[B. McAninch]

Check that you have Netfilter kernel support for 'NAT of local
connections' (this may or may not help).


On Wed, 2004-06-23 at 09:08, Brett Simpson wrote:
> I've tried a number of different PREROUTING and POSTROUTING rules and can't seem to make this work.
> 
> I have a system with a single nic (eth0). While I'm on the system via a shell I would like to connect to 127.0.0.1:6000 and get seemlessly translated to 207.156.7.15:80.
> 
> I tried the following without success:
> 
> iptables -t nat -A PREROUTING  -p tcp -d 127.0.0.1   -i lo --dport 6000 -j DNAT--to-destination 207.156.7.15:80
> iptables -t nat -A POSTROUTING -p tcp -d 207.156.7.15 -o eth0 --dport 80 -j SNAT --to-source 127.0.0.1

-- 
Bryan McAninch

Network Security Engineer

Penson Financial Services, Inc.

214.765.1366

Re: Send local traffic to a different server.

[Brett Simpson]

On Wed, 2004-06-23 at 11:39, B. McAninch wrote:
> Check that you have Netfilter kernel support for 'NAT of local
> connections' (this may or may not help).

The source shows it's enabled. But since the binary Redhat kernel RPM
doesn't always match what's in /usr/src/linux-2.4 do you know of another
way I can check if it's enabled?

[*]     NAT of local connections (READ HELP)  

Thanks,
Brett

RE: Send local traffic to a different server.

[Aldo Lagana]

am i wrong or can you not send traffic to another server simply with netfilter/iptables rules?  Does not that require iproute2?  In other words don't all of the rules assume that the NAT addresses are bound to local interfaces? 

aldo

-----Original Message-----
From: Brett Simpson [mailto:simpsonb@hillsboroughcounty.org]
Sent: Wednesday, June 23, 2004 11:12 AM
To: netfilter@lists.netfilter.org
Subject: Re: Send local traffic to a different server.


On Wed, 2004-06-23 at 10:00, Antony Stone wrote:
> On Wednesday 23 June 2004 3:33 pm, Brett Simpson wrote:
> 
> > On Wed, 2004-06-23 at 09:33, Antony Stone wrote:
> > > On Wednesday 23 June 2004 3:08 pm, Brett Simpson wrote:
> > > > I've tried a number of different PREROUTING and POSTROUTING rules and
> > > > can't seem to make this work.
> > > >
> > > > I have a system with a single nic (eth0). While I'm on the system via a
> > > > shell I would like to connect to 127.0.0.1:6000 and get seemlessly
> > > > translated to 207.156.7.15:80.
> > > >
> My rule will send packets to 207.156.7.15 with a source address of 127.0.0.1
> 
> Not surprisingly, you don't get anything back...
> 
> Try:
> 
> iptables -A OUTPUT -t nat -p tcp --dport 6000 -d 127.0.0.1 -j DNAT --to 
> 207.156.7.15:80
> iptables -A POSTROUTING -t nat -p tcp --dport 80 -d 207.156.7.15 -s 127.0.0.1 
> -j SNAT --to a.b.c.d
> 
> Where a.b.c.d is the routable address of your machine, to which reply packets 
> can successfully return.

Still no go. My machine is 172.27.228.145. I'm using lynx for the
browser on my machine.

iptables -A OUTPUT -t nat -p tcp --dport 6000 -d 127.0.0.1 -j DNAT --to
207.156.7.15:80
iptables -A POSTROUTING -t nat -p tcp --dport 80 -d 207.156.7.15 -s
127.0.0.1 -j SNAT --to 172.27.228.145

Thanks,
Brett

Re: Send local traffic to a different server.

[Antony Stone]

On Wednesday 23 June 2004 4:26 pm, Aldo Lagana wrote:

> am i wrong or can you not send traffic to another server simply with
> netfilter/iptables rules?  Does not that require iproute2?  In other words
> don't all of the rules assume that the NAT addresses are bound to local
> interfaces?

No, you can use any address you like in nat rules (both SNAT and DNAT).

Whether or not it makes sense is another matter (eg: do the packets get routed 
back through the machine and get reverse-natted?), however netfilter will 
allow you to specify whatever you like.

Regards,

Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

                                                     Please reply to the list;
                                                           please don't CC me.