* IPv6 Redirecting a Port
From: Ryan Kruse @ 2008-03-25 15:56 UTC
To: 'netfilter@vger.kernel.org'
We have a network management application that has an embedded TFTP and FTP server. The application is written in Java and runs as an unprivileged user so we can't bind to the well-known ports. On Linux we bind TFTP and FTP to high ports (udp/11069 and tcp/11021). We then use iptables rules to redirect the incoming low port (udp/69 and tcp/21) connections to the high ports.
Now that our application supports IPv6 I need to do the same for that. I know that ip6tables doesn't support NAT (and shouldn't), but I haven't found a way to redirect a port. Any thoughts on how this can be done?
Thanks much,
Ryan Kruse
www.ziptie.org
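
The IPv4 setup described in this message, as an added example that is not part of the original post: a shell function that prints the `iptables` REDIRECT rules for the port pairs named above and rejects mappings that do not go from a privileged port to an unprivileged one. The function names and the `proto:low:high` mapping format are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Prints the rules only;
# nothing is applied. Review the output, then run it as root.

# proto:low_port:high_port, using the pairs named in the post.
MAPPINGS="udp:69:11069
tcp:21:11021"

# Accept only tcp/udp, a privileged low port and an unprivileged high port.
valid_mapping() {
    case "$1" in tcp|udp) ;; *) return 1 ;; esac
    for p in "$2" "$3"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$2" -ge 1 ] && [ "$2" -lt 1024 ] &&
        [ "$3" -ge 1024 ] && [ "$3" -le 65535 ]
}

# Print one nat/PREROUTING REDIRECT rule per valid mapping.
# Optional $1 overrides MAPPINGS; invalid entries are reported on stderr.
redirect_rules() {
    printf '%s\n' "${1:-$MAPPINGS}" | while IFS=: read -r proto low high; do
        if valid_mapping "$proto" "$low" "$high"; then
            printf 'iptables -t nat -A PREROUTING -p %s --dport %s -j REDIRECT --to-ports %s\n' \
                "$proto" "$low" "$high"
        else
            printf 'skipped invalid mapping: %s:%s:%s\n' "$proto" "$low" "$high" >&2
        fi
    done
}

redirect_rules
```

PREROUTING only sees packets arriving from the network, so connections opened on the server host itself are not redirected by these rules.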
* Re: IPv6 Redirecting a Port
From: Patrick McHardy @ 2008-03-25 16:11 UTC
To: Ryan Kruse; +Cc: 'netfilter@vger.kernel.org'
Ryan Kruse wrote:
>
> We have a network management application that has an embedded TFTP and FTP server. The application is written in Java and runs as an unprivileged user so we can't bind to the well-known ports. On Linux we bind TFTP and FTP to high ports (udp/11069 and tcp/11021). We then use iptables rules to redirect the incoming low port (udp/69 and tcp/21) connections to the high ports.
>
> Now that our application supports IPv6 I need to do the same for that. I know that ip6tables doesn't support NAT (and shouldn't), but I haven't found a way to redirect a port. Any thoughts on how this can be done?
Routing by fwmark *might* work (add a new "local" table and a rule
pointing to it, mark packets appropriately, bind to ::0). If that
doesn't, you'll most likely need an IPv6-capable TPROXY version.
* Re: IPv6 Redirecting a Port
From: Jan Engelhardt @ 2008-03-26 16:33 UTC
To: Patrick McHardy; +Cc: Ryan Kruse, 'netfilter@vger.kernel.org'
On Tuesday 2008-03-25 17:11, Patrick McHardy wrote:
> Ryan Kruse wrote:
>>
>> We have a network management application that has an embedded TFTP and FTP
>> server. The application is written in Java and runs as an unprivileged
>> user so we can't bind to the well-known ports. On Linux we bind TFTP and
>> FTP to high ports (udp/11069 and tcp/11021). We then use iptables rules to
>> redirect the incoming low port (udp/69 and tcp/21) connections to the high
>> ports.
>>
>> Now that our application supports IPv6 I need to do the same for that. I
>> know that ip6tables doesn't support NAT (and shouldn't), but I haven't
>> found a way to redirect a port. Any thoughts on how this can be done?
>
>
> Routing by fwmark *might* work (add a new "local" table and a rule
> pointing to it, mark packets appropriately, bind to ::0). If that
> doesn't, you'll most likely need an IPv6-capable TPROXY version.
But how does routing change the destination port? It does not...
* Re: IPv6 Redirecting a Port
From: Patrick McHardy @ 2008-03-26 16:44 UTC
To: Jan Engelhardt; +Cc: Ryan Kruse, 'netfilter@vger.kernel.org'
Jan Engelhardt wrote:
>
> On Tuesday 2008-03-25 17:11, Patrick McHardy wrote:
>> Ryan Kruse wrote:
>>>
>>> We have a network management application that has an embedded TFTP and FTP
>>> server. The application is written in Java and runs as an unprivileged
>>> user so we can't bind to the well-known ports. On Linux we bind TFTP and
>>> FTP to high ports (udp/11069 and tcp/11021). We then use iptables rules to
>>> redirect the incoming low port (udp/69 and tcp/21) connections to the high
>>> ports.
>>>
>>> Now that our application supports IPv6 I need to do the same for that. I
>>> know that ip6tables doesn't support NAT (and shouldn't), but I haven't
>>> found a way to redirect a port. Any thoughts on how this can be done?
>>
>>
>> Routing by fwmark *might* work (add a new "local" table and a rule
>> pointing to it, mark packets appropriately, bind to ::0). If that
>> doesn't, you'll most likely need an IPv6-capable TPROXY version.
>
> But how does routing change the destination port? It does not...
Right, not the port of course, I misread the mail.