Linux Netfilter discussions
* simple port translation on the localhost / local loopback
@ 2008-03-27 21:16 Noino
From: Noino @ 2008-03-27 21:16 UTC (permalink / raw)
  To: netfilter

Hi, List ! 

I wish to submit to you experts an apparently simple problem involving port 
address translation on the localhost/local loopback, which I've tried and 
tried and read and couldn't find an authoritative answer for. 

Setup: Linux SUSE w/ kernel 2.6.5. Iptables v. 1.2.9.
Have a relay DNS listener on UDP port 10053.
Most DNS clients only know to contact a DNS server on port 53 though. 

Problem: using netfilter/ip divert packets from local clients to hit port 
10053 instead of 53, and of course responses should come back to requesters 
appearing as though coming from port 53. This is very elementary PAT, but 
... whatever I've tried using iptables, either one of two equally incorrect 
things happen : 

 - (DNAT) requests hit the server, but the port number in replies is 
untouched hence replies are ignored, or
 - (SNAT) replies disappear in the ether & requester times out... 

Searching found that, maybe, a kernel option : CONFIG_IP_NF_NAT_LOCAL should 
be necessary for PAT to work on the local host; can you confirm that it 
would indeed work if I were to recompile my kernel with that option set ?  
Further search seems to imply that this option was removed from later 
kernels altogether, which gets even more confusing... 

Can you help me set up the very basic port translation I need, using my 
existing software if at all possible ? 

What alternative options exist ? I've read about a thing called "Fast-NAT", 
which unfortunately also seems to have been broken even before the 2.6 
kernels. Is linux following the lead of the "other" OS in carelessly 
breaking things along the road? \\\\\\\\\rub-out last question. 

Regards, 

-- 
Noino 




* RE: simple port translation on the localhost / local loopback
From: Ryan Kruse @ 2008-03-27 23:17 UTC (permalink / raw)
  To: netfilter@vger.kernel.org

This is how I redirect 10443 to 443.  You have to NAT it back to another host, which will just be your machine's IP.  You should be able to sub in your server IP and DNS ports.

host=10.100.32.53
/usr/sbin/iptables -t nat -A OUTPUT -d localhost -p tcp --dport 443 -j REDIRECT --to-ports 11443
/usr/sbin/iptables -t nat -A OUTPUT -d $host -p tcp --dport 443 -j REDIRECT --to-ports 11443
/usr/sbin/iptables -t nat -A PREROUTING -d $host -p tcp --dport 443 -j REDIRECT --to-ports 11443

Ryan Kruse
www.ziptie.org



* RE: simple port translation on the localhost / local loopback
From: Noino @ 2008-03-28 10:21 UTC (permalink / raw)
  To: netfilter

Hi, Ryan... 

Ryan Kruse wrote : 

> This is how I redirect 10443 to 443.  You have to NAT it back to another host, which will just be your machines IP.  You should be able to sub in your server IP and DNS ports. 

Thank you for your help. I did as you said, /mutatis mutandis/, 
unfortunately it didn't work. Here're my iptables commands (starting from 
clear tables) :
___________________________________________________________________________
# /usr/sbin/iptables -t nat -A OUTPUT -d localhost -p udp --dport 53 -j REDIRECT --to-ports 10053
# host=10.0.0.1
# /usr/sbin/iptables -t nat -A OUTPUT -d $host -p udp --dport 53 -j REDIRECT --to-ports 10053
# /usr/sbin/iptables -t nat -A PREROUTING -d $host -p udp --dport 53 -j REDIRECT --to-ports 10053
___________________________________________________________________________ 

Here 10.0.0.1 is my local host's IP on eth0 (the LAN) 

Now here's what happened when trying to contact my local DNS listener 
(Tor-alpha) :
______________________________________________________________________
# host www.grc.com 10.0.0.1
;; reply from unexpected source: 127.0.0.1#10053, expected 10.0.0.1#53
;; reply from unexpected source: 127.0.0.1#10053, expected 10.0.0.1#53
;; connection timed out; no servers could be reached
_______________________________________________________________________ 

You see, it appears just like per my previous question, replies weren't 
NATTed back ! 

Maybe a version problem ?
_____________________________
#iptables --version
iptables v1.2.9
_____________________________ 

-- 
Noino



* Re: simple port translation on the localhost / local loopback
From: Pascal Hambourg @ 2008-03-28 10:35 UTC (permalink / raw)
  To: Noino; +Cc: netfilter

Hello,

Noino wrote:
> Searching found that, maybe, a kernel option : CONFIG_IP_NF_NAT_LOCAL 
> should be necessary for PAT to work on the local host; can you confirm 
> that it would indeed work if I were to recompile my kernel with that 
> option set ?

I confirm. On 2.6 kernels < 2.6.11 and 2.4 kernels < 2.4.29 this option 
must be enabled in order to do local NAT on loopback.

> Further search seemes to imply that this option was 
> removed from later kernels altogether, which gets even more confusing...

In later kernels the local NAT ability is still present but is not 
optional any more, so you do not have to bother about it.


* Re: simple port translation on the localhost / local loopback
From: Noino @ 2008-03-28 14:15 UTC (permalink / raw)
  To: netfilter

Pascal Hambourg wrote : 

> I confirm. On 2.6 kernels < 2.6.11 and 2.4 kernels < 2.4.29 this option 
> must be enabled in order to do local NAT on loopback.

Merci, Pascal; that would explain why I had so little success... 

Still, is there a way to achieve local port redirection without that option 
set, maybe by combining DNAT, SNAT, REDIRECT in some astute way ? 

Does it make things easier if I arrange for Tor to listen on the IP 
associated with the ethernet adapter rather than localhost ? Or even listen 
on 0.0.0.0 ? 

Regards 

-- 
Noino



* Re: simple port translation on the localhost / local loopback
From: Pascal Hambourg @ 2008-03-29 15:27 UTC (permalink / raw)
  To: netfilter

Noino wrote:
> Pascal Hambourg wrote :
> 
>> I confirm. On 2.6 kernels < 2.6.11 and 2.4 kernels < 2.4.29 this 
>> option must be enabled in order to do local NAT on loopback.

Oops, dunno why I added "on loopback". Please ignore it.

> Merci, Pascal; that would explain why I had so little success...
> Stll, is there a way to achieve local port redirection without that 
> option set, maybe by combining DNAT, SNAT, REDIRECT in some astute way ?

AFAIK, not with Netfilter NAT. SNAT won't work on return packets.
But this is possible with userland relay daemons such as stone or socat, 
if the original port (i.e. UDP 53 here) is not used by another process. 
The drawback of this method is that it hides the original client address 
from the final server, but this is not an issue for loopback use.

> Does it make things easier if I arrange for Tor to listen on the IP 
> associated with the ethernet adapter rather than localhost ? Or even 
> listen on 0.0.0.0 ?

Not sure what you mean. Changing the address won't fix the UDP port 
reverse-translation issue.
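
The userland-relay approach Pascal recommends, as an added example that is not part of the thread (socat and stone do the same job; this is a minimal stand-in, not their code). It uses ephemeral loopback ports instead of 53 and 10053 because binding UDP 53 needs root, and the fake backend is constructed inline. It shows both points from the reply: the client receives the answer from the port it queried, and the backend only ever sees the relay's address, not the client's.

```python
import socket
import threading


def relay_once(front, backend_addr):
    """Serve one datagram: client -> backend -> client, replying from 'front'.
    Because the reply leaves the socket bound to the public port, the client
    sees the source port it queried (what REDIRECT alone failed to do here)."""
    data, client = front.recvfrom(4096)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as back:
        back.settimeout(2)
        back.sendto(data, backend_addr)  # backend sees the relay, not the client
        reply, _ = back.recvfrom(4096)
    front.sendto(reply, client)          # source port == front's bound port


def demo():
    """Constructed loopback check with ephemeral ports.
    Returns (reply, reply_came_from_front_port, backend_saw_relay_not_client)."""
    backend = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    backend.bind(("127.0.0.1", 0))       # stands in for the listener on 10053
    front = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    front.bind(("127.0.0.1", 0))         # stands in for port 53
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for s in (backend, front, client):
        s.settimeout(2)                  # never hang if something goes wrong
    seen = {}

    def backend_loop():                  # fake DNS server: answer one query
        q, peer = backend.recvfrom(4096)
        seen["peer"] = peer
        backend.sendto(b"ANSWER:" + q, peer)

    threads = [threading.Thread(target=backend_loop),
               threading.Thread(target=relay_once,
                                args=(front, backend.getsockname()))]
    for t in threads:
        t.start()
    client.sendto(b"query", front.getsockname())
    reply, src = client.recvfrom(4096)
    for t in threads:
        t.join()
    result = (reply,
              src[1] == front.getsockname()[1],
              seen["peer"][1] != client.getsockname()[1])
    for s in (backend, front, client):
        s.close()
    return result


if __name__ == "__main__":
    print(demo())
```

A production relay would loop and serve clients concurrently; the single-shot version keeps the port-translation point visible.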