Temporary redirection with DNAT and SNAT

Linux Netfilter discussions
 help / color / mirror / Atom feed

* Temporary redirection with DNAT and SNAT
@ 2005-04-26 17:13 Kirk
  2005-04-27  2:36 ` Temporary redirection with DNAT and SNAT (nfcan: addressed to exclusive sender for this address) Jim Laurino
  2005-04-27  5:00 ` Temporary redirection with DNAT and SNAT Taylor, Grant
  0 siblings, 2 replies; 3+ messages in thread
From: Kirk @ 2005-04-26 17:13 UTC (permalink / raw)
  To: netfilter

Hello,

I have to shutdown a proxy server for a few days and I need to
redirect its traffic to a server behind an iptables firewall. Here's
what I want to do:


Original request to $PUBLIC_IP:80 is redirected  to $PRIVATE_IP:2050
(machine behind firewall)

Packets from $PRIVATE_IP:2050 come out of the firewall as coming from
$PUBLIC_IP:80


I binded the proxy's public IP to the firewall's  external interface
(eth0) and added the following rules:

I think I got the first part right.
#test for ezproxy
-A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.3 --dport 2050 -j ACCEPT

But I'm having problems with the second part. The SNAT rule:
-I POSTROUTING -s 192.168.0.3 --sport 2050  -o eth0 -j SNAT --to 130.17.174.108

#This one seems OK too.
-A PREROUTING -i eth0 -p tcp -d $PUBLIC_IP --dport  80 -j DNAT --to
$PRIVATE_IP:2050


The SNAT rule generates the error:
Applying iptables firewall rules: iptables-restore v1.2.11: Unknown
arg `--sport'

One of the restrictions I have is that *only* the packets from
$PRIVATE_IP:2050 can go out as coming from $PUBLIC_IP:80.

Could someone provide help to solve this problem?

Thanks.
-K


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Temporary redirection with DNAT and SNAT (nfcan: addressed to exclusive sender for this address)
  2005-04-26 17:13 Temporary redirection with DNAT and SNAT Kirk
@ 2005-04-27  2:36 ` Jim Laurino
  2005-04-27  5:00 ` Temporary redirection with DNAT and SNAT Taylor, Grant
  1 sibling, 0 replies; 3+ messages in thread
From: Jim Laurino @ 2005-04-27  2:36 UTC (permalink / raw)
  To: netfilter

On 2005.04.26 13:13, Kirk - whereisgui@gmail.com wrote:
> Hello,
> 
> I have to shutdown a proxy server for a few days and I need to
> redirect its traffic to a server behind an iptables firewall. Here's
> what I want to do:
>
snip
> 
> But I'm having problems with the second part. The SNAT rule:
> -I POSTROUTING -s 192.168.0.3 --sport 2050  -o eth0 -j SNAT --to
> 130.17.174.108
> 
> #This one seems OK too.
> -A PREROUTING -i eth0 -p tcp -d $PUBLIC_IP --dport  80 -j DNAT --to
> $PRIVATE_IP:2050
> 
> 
> The SNAT rule generates the error:
> Applying iptables firewall rules: iptables-restore v1.2.11: Unknown
> arg `--sport'

I think the difference is that the SNAT rule does not
specify the protocol the way the DNAT rule does ( -p tcp ).
You can only specify a source port for a
protocol that uses the concept of a "port".

> 
> Could someone provide help to solve this problem?
>

HTH

-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Temporary redirection with DNAT and SNAT
  2005-04-26 17:13 Temporary redirection with DNAT and SNAT Kirk
  2005-04-27  2:36 ` Temporary redirection with DNAT and SNAT (nfcan: addressed to exclusive sender for this address) Jim Laurino
@ 2005-04-27  5:00 ` Taylor, Grant
  1 sibling, 0 replies; 3+ messages in thread
From: Taylor, Grant @ 2005-04-27  5:00 UTC (permalink / raw)
  To: Kirk; +Cc: netfilter

Kirk wrote:
> Hello,
> 
> I have to shutdown a proxy server for a few days and I need to
> redirect its traffic to a server behind an iptables firewall. Here's
> what I want to do:
> 
> Original request to $PUBLIC_IP:80 is redirected  to $PRIVATE_IP:2050
> (machine behind firewall)
> 
> Packets from $PRIVATE_IP:2050 come out of the firewall as coming from
> $PUBLIC_IP:80
> 
> I binded the proxy's public IP to the firewall's  external interface
> (eth0) and added the following rules:
> 
> I think I got the first part right.
> #test for ezproxy
> -A FORWARD -i eth0 -o eth1 -p tcp --syn -d 192.168.0.3 --dport 2050 -j ACCEPT

Do you have any other rules in your FORWARD chain that will allow the rest of the traffic flow through to the Proxy, i.e. --state ESTABLISHED?  Correspondingly do you have any rules that will prevent the traffic that is flowing from the proxy in eth1 and back out eth0?  This could get you down the road.

> But I'm having problems with the second part. The SNAT rule:
> -I POSTROUTING -s 192.168.0.3 --sport 2050  -o eth0 -j SNAT --to 130.17.174.108

You will have to specify a protocol "-p tcp" to use any port definitions.

> #This one seems OK too.
> -A PREROUTING -i eth0 -p tcp -d $PUBLIC_IP --dport  80 -j DNAT --to
> $PRIVATE_IP:2050
> 
> The SNAT rule generates the error:
> Applying iptables firewall rules: iptables-restore v1.2.11: Unknown
> arg `--sport'

*nod* see above.

> One of the restrictions I have is that *only* the packets from
> $PRIVATE_IP:2050 can go out as coming from $PUBLIC_IP:80.

If you are really paranoid that this will happen you could write a rule that would drop any traffic that was not from the internal proxy.

-A FORWARD -s ! 192.168.0.3 -p tcp --sport 80 -j DROP



Grant. . . .


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2005-04-27  5:00 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-04-26 17:13 Temporary redirection with DNAT and SNAT Kirk
2005-04-27  2:36 ` Temporary redirection with DNAT and SNAT (nfcan: addressed to exclusive sender for this address) Jim Laurino
2005-04-27  5:00 ` Temporary redirection with DNAT and SNAT Taylor, Grant

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox