Linux Netfilter discussions
* IPTables routing
@ 2003-11-28 18:32 mailinglist
  2003-11-28 18:52 ` Antony Stone
  2003-11-29  8:38 ` Ralf Spenneberg
  0 siblings, 2 replies; 3+ messages in thread
From: mailinglist @ 2003-11-28 18:32 UTC (permalink / raw)
  To: netfilter

I have a question, I would like to know the best way to do something with
IPTables.

I have a network which has a gateway with iptables on it.  I want
iptables to send all data bound for an external server (Ex. server.com or
20.20.20.20) to a third server (server_mirror.com).  So iptables needs to
rewrite the header on every packet bound for the intended server
(server.com) so that the packets get routed to the third server
(server_mirror.com).  Also, the third server and person making the request
are making a socket connection that sends data two ways.

--Can I do this with iptables? And if so, how?

--Also, will I have problems with the server responding? And if so, how do
I fix that?

Thanks a lot for any help.  It is greatly appreciated!

Chris



* Re: IPTables routing
  2003-11-28 18:32 IPTables routing mailinglist
@ 2003-11-28 18:52 ` Antony Stone
  2003-11-29  8:38 ` Ralf Spenneberg
  1 sibling, 0 replies; 3+ messages in thread
From: Antony Stone @ 2003-11-28 18:52 UTC (permalink / raw)
  To: netfilter

On Friday 28 November 2003 6:32 pm, mailinglist@plobe.com wrote:

> I have a question, I would like to know the best way to do something with
> IPTables.
>
> I have a network which has a gateway with iptables on it.  I want
> iptables to send all data bound for an external server (Ex. server.com or
> 20.20.20.20) to a third server (server_mirror.com).  So iptables needs to
> rewrite the header on every packet bound for the intended server
> (server.com) so that the packets get routed to the third server
> (server_mirror.com).  Also, the third server and person making the request
> are making a socket connection that sends data two ways.
>
> --Can I do this with iptables? And if so, how?

iptables -A PREROUTING -t nat -d 20.20.20.20 -j DNAT --to 30.30.30.30

(Plus whatever FORWARD rule/s you need to allow the right sort of packets to 
get to 30.30.30.30)

(assuming the packets were originally going to 20.20.20.20 and instead you 
want them to go to 30.30.30.30).

> --Also, will I have problems with the server responding? And if so, how do
> I fix that?

So long as client and server are on opposite sides of the netfilter machine 
(ie packets going in both directions will go through the netfilter box), then 
the reverse translation is handled automagically for you.

If the client and the server are not on opposite sides of the netfilter box 
then things get very messy.

Antony.

-- 
There are only 10 types of people in the world:
those who understand binary notation,
and those who don't.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: IPTables routing
  2003-11-28 18:32 IPTables routing mailinglist
  2003-11-28 18:52 ` Antony Stone
@ 2003-11-29  8:38 ` Ralf Spenneberg
  1 sibling, 0 replies; 3+ messages in thread
From: Ralf Spenneberg @ 2003-11-29  8:38 UTC (permalink / raw)
  To: mailinglist; +Cc: Netfilter

On Fri, 2003-11-28 at 19.32, mailinglist@plobe.com wrote:
> I have a network which has a gateway with iptables on it.  I want
> iptables to send all data bound for an external server (Ex. server.com or
> 20.20.20.20) to a third server (server_mirror.com).  So iptables needs to
> rewrite the header on every packet bound for the intended server
> (server.com) so that the packets get routed to the third server
> (server_mirror.com).
This is easy. You just do DNAT in PREROUTING.

>   Also, the third server and person making the request
> are making a socket connection that sends data two ways.
Is this an additional connection? Which end will initiate the
connection? If it is the client (person) and you know the used ports, it
is easy (see above).
If you do not know the ports and the client initiates the connection, it
is easy but somehow unsafe.
If the server initiates the connection it becomes even more unsafe.
If you do not know the server (any server on the internet) it is
completely unsafe unless you write a conntrack_helper module for
iptables (C-hacking).

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: VPN mit Linux
Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org


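The following script is an added example, not code from either reply. It puts Antony's PREROUTING DNAT rule together with the FORWARD rules he says are still needed, and adds a POSTROUTING rule for the case he calls "very messy" (client and mirror on the same side of the netfilter box). The addresses 20.20.20.20 and 30.30.30.30 are the ones from the thread; the LAN range 192.168.1.0/24, the function names, and the dry-run/apply switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): redirect traffic for ORIG_DST to
# MIRROR_DST on a Linux gateway, with the rules needed for return traffic.

ORIG_DST="${ORIG_DST:-20.20.20.20}"      # address clients think they reach
MIRROR_DST="${MIRROR_DST:-30.30.30.30}"  # address the gateway sends them to
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # client-side network (assumed value)

# Each function takes the command to run as its first argument. The default,
# "echo iptables", only prints the rules so they can be reviewed without root;
# pass "iptables" to apply them for real.

# Rules for the normal case: clients on one side, mirror on the other.
dnat_rules() {
    ipt="${1:-echo iptables}"
    # 1. Rewrite the destination before the routing decision (Antony's rule).
    $ipt -t nat -A PREROUTING -d "$ORIG_DST" -j DNAT --to-destination "$MIRROR_DST"
    # 2. Let the translated connections through FORWARD; with a default-DROP
    #    policy the DNAT alone leaves the packets stuck here.
    $ipt -A FORWARD -d "$MIRROR_DST" -m conntrack --ctstate NEW -j ACCEPT
    # 3. Replies: conntrack undoes the translation on its own, but the reply
    #    packets still have to be accepted in FORWARD.
    $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Extra rule for the "messy" case: client and mirror both on LAN_NET. The
# mirror would then answer the client directly, from 30.30.30.30, and the
# client discards a reply for a connection it opened to 20.20.20.20.
# Masquerading the source forces the reply back through the gateway, at the
# cost of the mirror no longer seeing the real client address in its logs.
hairpin_rules() {
    ipt="${1:-echo iptables}"
    $ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$MIRROR_DST" -j MASQUERADE
}

# Apply everything (run as root): enable forwarding, then load the rules.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    dnat_rules iptables
    hairpin_rules iptables
}

# "./mirror.sh" prints the rule set; "./mirror.sh apply" loads it.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    dnat_rules
    hairpin_rules
fi
```

The rules above cover Ralf's first case only: the client opens the connection and the port is either known or simply matched by destination address. If the mirror itself opens a second connection back towards the client on ports that are not known in advance, nothing here will classify those packets as RELATED; that is exactly where a protocol-specific conntrack helper (the kind Ralf says you would otherwise have to write) is needed, and without one the only alternative is to open ports far more widely than is safe.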