* Passed chains from local process to local ip
From: andilist @ 2004-07-26 6:27 UTC
To: netfilter
Hello,
which chains are passed by packets generated from a local process with a
local IP as destination (not 127.0.0.1, but the IP address of a local network
interface)?
Is it OUTPUT -> POSTROUTING -> PREROUTING -> INPUT, or is it direct?
My network interface has 5 IP addresses. I have 2 daemons (say A and B)
running on 2 different local IP addresses (ip-A and IP-B) on the same port.
It's not possible to run a daemon on 2 or more addresses, so I need to
forward ip-c, ip-d and ip-e to ip-a.
ip-a -> A
ip-b -> B
ip-c -> ip->a -> A
ip-d -> ip->a -> A
ip-e -> ip->a -> A
It already works for packets from remote hosts (with DNAT and PREROUTING),
but not for local packets. To use DNAT for local packets in the OUTPUT
chain I read that I must update the kernel and install a new version of
iptables. But I am not sure if this will work, because the packets are for
a local IP address and not for a remote destination.
Thanks for your help,
Andreas
* Re: Passed chains from local process to local ip
From: Cedric Blancher @ 2004-07-26 7:03 UTC
To: andilist; +Cc: netfilter
On Mon 26/07/2004 at 08:27, andilist@gmx.de wrote:
> My network interface has 5 IP addresses. I have 2 daemons (say A and B)
> running on 2 different local IP addresses (ip-A and IP-B) on the same port.
OK.
> It's not possible to run a daemon on 2 or more addresses.
Yes, it is. Maybe you mean your particular daemon is not capable of
running on specific interfaces, but I can show you Apache servers that
run on 2 out of 4 interfaces, not counting virtual host stuff, BIND
that runs the same way, etc.
> so i need to forward ip-c, ip-d and ip-e to ip-a.
So be it.
> ip-a -> A
> ip-b -> B
> ip-c -> ip->a -> A
> ip-d -> ip->a -> A
> ip-e -> ip->a -> A
Do you mean ip-c -> ip-a -> A ?
> It already works for packets from remote hosts (with DNAT and PREROUTING),
OK.
> but not for local packets. To use DNAT for local packets in the OUTPUT
> chain I read that I must update the kernel and install a new version of
> iptables.
To use DNAT on OUTPUT, you have to build your kernel with the "NAT of local
connections" option, and no particular iptables configuration except
using a version prior to or equal to 1.2.6a, which is now quite old (out
there since 17/03/2002).
Anyway, I must admit I have some difficulty understanding your context
and the particular reason why A cannot listen on ip-a, ip-c, ip-d and
ip-e. The fact is NAT of locally generated packets works. I use it all the
time for SSH redirections, but I never tried it on locally destined
traffic. The most I can say is try and see for yourself, but I guess it
will work (don't forget local traffic is bound to the lo interface, whatever
local addresses it uses as source or destination).
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* Re: Passed chains from local process to local ip
From: Andreas Sachs @ 2004-07-26 7:54 UTC
To: Cedric Blancher; +Cc: netfilter
Hello,
Thanks for your answer.
> Anyway, I must admit I have some difficulty understanding your context
> and the particular reason why A cannot listen on ip-a, ip-c, ip-d and
> ip-e. The fact is NAT of locally generated packets works. I use it all the
> time for SSH redirections, but I never tried it on locally destined
> traffic. The most I can say is try and see for yourself, but I guess it
> will work (don't forget local traffic is bound to the lo interface, whatever
> local addresses it uses as source or destination).
>
My Context:
ip-a: mysql 3
ip-c: mysql 3
ip-d: mysql 3
ip-e: mysql 3
new ip: ip-b: mysql 4.0
I can bind mysql to one or to all IP addresses, so it's not possible to bind
mysql 3 to all IP addresses except ip-b.
My idea:
bind mysql3 to ip-a and "redirect" ip-c, -d, -e to ip-a.
Greetings
Andreas
* Re: Passed chains from local process to local ip
From: Cedric Blancher @ 2004-07-26 8:41 UTC
To: Andreas Sachs; +Cc: netfilter
On Mon 26/07/2004 at 09:54, Andreas Sachs wrote:
> I can bind mysql to one or to all IP addresses, so it's not possible to bind
> mysql 3 to all IP addresses except ip-b.
Why don't you bind MySQL to 127.0.0.1, using a dedicated port for each
MySQL version (127.0.0.1:A for MySQL 3 and 127.0.0.1:B for MySQL 4) and
then use the REDIRECT target to send packets to the proper port:
iptables -t nat -A PREROUTING -p tcp -d $IPA --dport $MYSQL \
-j REDIRECT --to-ports $PORT_A
iptables -t nat -A PREROUTING -p tcp -d $IPB --dport $MYSQL \
-j REDIRECT --to-ports $PORT_B
[etc.]
By the way, I tested it for you. I bound my sshd to 127.0.0.1 only and
then issued:
iptables -t nat -A OUTPUT -p tcp -d $EXT_IP --dport 22 \
-j REDIRECT
Then doing an ssh to my external IP from the box itself works like a charm.
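As an added example that is not code from the thread, here is the nat ruleset for the layout Andreas describes (MySQL 3 bound to ip-a, MySQL 4 bound to ip-b, ip-c/ip-d/ip-e forwarded to ip-a), with each DNAT rule present both in nat PREROUTING for other hosts and in nat OUTPUT for the box itself, which is the part Cedric's first reply says works. The addresses are placeholders from the 192.0.2.0/24 documentation range and the port is MySQL's default; both are assumptions, not the thread's values.

```shell
#!/bin/sh
# Added example (not code from the thread): nat rules for MySQL 3 on ip-a,
# MySQL 4 on ip-b, and ip-c, ip-d, ip-e rewritten to ip-a. Each DNAT rule is
# present in both nat PREROUTING (packets arriving from other hosts) and nat
# OUTPUT (packets generated on this host, which never reach PREROUTING
# before the DNAT decision is taken).
# Addresses are placeholders from 192.0.2.0/24 and the port is MySQL's
# default; both are assumptions.

IP_A=192.0.2.1     # MySQL 3 listens on ip-a:3306
IP_B=192.0.2.2     # MySQL 4 listens on ip-b:3306 (needs no NAT rule)
IP_C=192.0.2.3
IP_D=192.0.2.4
IP_E=192.0.2.5
PORT=3306

# Print (not run) the PREROUTING and OUTPUT DNAT rules for FRONT -> BACKEND.
dnat_rules() {
  front=$1; backend=$2
  for chain in PREROUTING OUTPUT; do
    printf 'iptables -t nat -A %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
      "$chain" "$front" "$PORT" "$backend" "$PORT"
  done
}

# The whole set: every extra address of MySQL 3 is rewritten to ip-a.
mysql_nat_rules() {
  for ip in $IP_C $IP_D $IP_E; do
    dnat_rules "$ip" "$IP_A"
  done
}

# Filter-side counterpart, on top of the usual ESTABLISHED,RELATED accept
# rule. INPUT sees the packet after DNAT, so the accept rules must name the
# addresses the daemons really listen on, not ip-c/ip-d/ip-e.
mysql_filter_rules() {
  for ip in $IP_A $IP_B; do
    printf 'iptables -A INPUT -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$ip" "$PORT"
  done
}

# Apply as root:
#   mysql_nat_rules | sh
#   mysql_filter_rules | sh
# Check that a connection made on the box itself was really rewritten:
# run "mysql -h 192.0.2.3" and look at the flow with "conntrack -L -p tcp";
# the original side shows dst=192.0.2.3 and the reply side src=192.0.2.1.
```

Cedric's REDIRECT variant works the same way from nat OUTPUT, where REDIRECT maps the destination to 127.0.0.1. From nat PREROUTING, however, REDIRECT rewrites the destination to the primary address of the interface the packet came in on, so a daemon bound only to 127.0.0.1 will not receive connections from other hosts that way; it has to listen on that address (or on all addresses) as well. Plain DNAT to the address the daemon actually listens on, as above, avoids that difference between the two chains.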
* Re: Passed chains from local process to local ip
From: John A. Sullivan III @ 2004-07-26 11:20 UTC
To: andilist; +Cc: netfilter
On Mon, 2004-07-26 at 02:27, andilist@gmx.de wrote:
> Hello,
> which chains are passed by packets generated from a local process with a
> local IP as destination (not 127.0.0.1, but the IP address of a local network
> interface)?
>
> Is it OUTPUT -> POSTROUTING -> PREROUTING -> INPUT, or is it direct?
>
> My network interface has 5 IP addresses. I have 2 daemons (say A and B)
> running on 2 different local IP addresses (ip-A and IP-B) on the same port.
> It's not possible to run a daemon on 2 or more addresses, so I need to
> forward ip-c, ip-d and ip-e to ip-a.
>
> ip-a -> A
> ip-b -> B
> ip-c -> ip->a -> A
> ip-d -> ip->a -> A
> ip-e -> ip->a -> A
>
> It already works for packets from remote hosts (with DNAT and PREROUTING),
> but not for local packets. To use DNAT for local packets in the OUTPUT
> chain I read that I must update the kernel and install a new version of
> iptables. But I am not sure if this will work, because the packets are for
> a local IP address and not for a remote destination.
>
> Thanks for your help,
> Andreas
I am not absolutely certain, but one could find out by adding log rules
at the entrance to each chain and seeing which are traversed by your
packets. - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
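Here is John's suggestion carried out, as an added example that is not from the thread: a LOG rule at the head of every built-in chain of every table, with a prefix naming the table and chain, plus a small parser that turns the resulting kernel log lines back into the traversal order. The table and chain names are those of current IPv4 iptables (the raw table did not exist on 2004 kernels), the address and port are placeholders, and the sample log at the end is constructed for the parser, not captured.

```shell
#!/bin/sh
# Added example (not code from the thread): find out which netfilter chains
# a packet passes by putting a LOG rule at the head of every built-in chain
# of every table, then reading the order of the log prefixes back out of
# the kernel log. Installing the rules needs root; the parsing does not.
# Assumptions: IPv4 iptables with the raw/mangle/nat/filter tables of a
# current kernel, kernel messages readable via dmesg or a syslog file, and
# placeholder address/port (192.0.2.10, 3306).

# Every built-in chain of every table, as table:chain pairs.
TRACE_CHAINS="raw:PREROUTING raw:OUTPUT
mangle:PREROUTING mangle:INPUT mangle:FORWARD mangle:OUTPUT mangle:POSTROUTING
nat:PREROUTING nat:INPUT nat:OUTPUT nat:POSTROUTING
filter:INPUT filter:FORWARD filter:OUTPUT"

# Print (not run) one iptables command per chain that inserts (-I ... 1) or
# deletes (-D) a LOG rule for TCP traffic to DST:PORT with the prefix
# "TRACE:table:chain: " (stays under the 29-character prefix limit).
# Usage: trace_rule_cmds DST PORT [I|D]
trace_rule_cmds() {
  dst=$1; port=$2; action=${3:-I}
  for tc in $TRACE_CHAINS; do
    table=${tc%%:*}; chain=${tc#*:}
    if [ "$action" = I ]; then pos=" 1"; else pos=""; fi
    printf 'iptables -t %s -%s %s%s -p tcp -d %s --dport %s -j LOG --log-level debug --log-prefix "TRACE:%s:%s: "\n' \
      "$table" "$action" "$chain" "$pos" "$dst" "$port" "$table" "$chain"
  done
}

install_trace_rules() { trace_rule_cmds "$1" "$2" I | sh; }   # root
remove_trace_rules()  { trace_rule_cmds "$1" "$2" D | sh; }   # root

# Turn kernel log lines produced by those rules (on stdin) into the list of
# table:chain entries in the order they were logged, one per line.
chain_order_from_log() {
  sed -n 's/.*TRACE:\([a-z]*:[A-Z]*\): .*/\1/p'
}

# Number of distinct chains seen in a log on stdin (quick sanity figure).
chains_seen() { chain_order_from_log | sort -u | wc -l | tr -d ' '; }

# Typical run as root, for a connection from this host to one of its own
# addresses:
#   install_trace_rules 192.0.2.10 3306
#   nc -z 192.0.2.10 3306            # or: mysql -h 192.0.2.10
#   dmesg | chain_order_from_log     # or: chain_order_from_log < /var/log/kern.log
#   remove_trace_rules 192.0.2.10 3306

# Constructed sample (not a real capture) of the lines the first SYN of such
# a connection produces on a current kernel, so the parser can be tried
# offline. The packet leaves through OUTPUT/POSTROUTING, re-enters on lo,
# and the nat PREROUTING and nat INPUT chains do not appear.
SAMPLE_LOG='kernel: TRACE:raw:OUTPUT: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3306 SYN
kernel: TRACE:mangle:OUTPUT: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3306 SYN
kernel: TRACE:nat:OUTPUT: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3306 SYN
kernel: TRACE:filter:OUTPUT: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3306 SYN
kernel: TRACE:mangle:POSTROUTING: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3306 SYN
kernel: TRACE:nat:POSTROUTING: IN= OUT=lo SRC=192.0.2.10 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3306 SYN
kernel: TRACE:raw:PREROUTING: IN=lo OUT= SRC=192.0.2.10 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3306 SYN
kernel: TRACE:mangle:PREROUTING: IN=lo OUT= SRC=192.0.2.10 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3306 SYN
kernel: TRACE:mangle:INPUT: IN=lo OUT= SRC=192.0.2.10 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3306 SYN
kernel: TRACE:filter:INPUT: IN=lo OUT= SRC=192.0.2.10 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3306 SYN'
```

What such a trace shows for a locally generated connection to one of the host's own addresses is the OUTPUT and POSTROUTING chains, then the PREROUTING and INPUT chains of the raw, mangle and filter tables as the packet comes back in on lo, but not nat PREROUTING or nat INPUT: the nat table is consulted only for the first packet of a connection in each direction, and for this packet the DNAT decision was already taken in nat OUTPUT and the SNAT decision in nat POSTROUTING. That is the answer to the original question: a DNAT rule in PREROUTING never sees traffic the host generates itself, and the same rule has to be placed in nat OUTPUT as well. On any kernel in use today the nat OUTPUT hook is built in unconditionally; the "NAT of local connections" build option Cedric mentions belonged to the 2.4 series. Note also that the interface for this traffic is lo in both directions, so rules matching on -i eth0 or -o eth0 will not apply to it.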