* NAT for localhost to IP LAN for mail services
From: Zagato @ 2008-11-27 22:46 UTC (permalink / raw)
To: netfilter
Hi.... I'm trying to forward the connection to mail services like smtp (port 25) from one PC to another, I'm using:
_mail_services=25,110,143,995,993
_mailserver=192.168.0.3
iptables -t mangle -A ftolocal -p tcp -m multiport --destination-ports $_mail_services -j MARK --set-mark 1
iptables -t nat -A ftolocal -p tcp -m multiport --destination-ports $_mail_services -j DNAT --to-destination 192.168.0.3
where ftolocal is a chain name for mangle and nat...
the source IP address is 192.168.0.5 and I want to send localhost connections to 192.168.0.3...
when I use the lines above I can:
telnet 192.168.0.5 25
and it works... giving me:
Trying 192.168.0.5...
Connected to beta.gps.com.co (192.168.0.5).
Escape character is '^]'.
220 alpha.gps.com.co ESMTP Postfix
But when I use:
telnet localhost 25 or telnet 127.0.0.1 25, which must be equal, I get..
Trying 127.0.0.1...
and it stays there forever.....
without using the lines above I just get:
[root@beta beta]# telnet localhost 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused
[root@beta beta]# telnet 192.168.0.5 25
Trying 192.168.0.5...
telnet: connect to address 192.168.0.5: Connection refused
telnet: Unable to connect to remote host: Connection refused
What am I doing wrong.... why can't I use localhost to connect.... can someone give me a hand....
Lots of thanks..
Alan Jairo Acosta
* Re: NAT for localhost to IP LAN for mail services
From: Pascal Hambourg @ 2008-11-27 23:42 UTC (permalink / raw)
To: netfilter
Zagato wrote:
> Hi.... I'm trying to forward the connection to mail services like smtp (port 25) from one PC to another, I'm using:
>
> _mail_services=25,110,143,995,993
> _mailserver=192.168.0.3
> iptables -t mangle -A ftolocal -p tcp -m multiport --destination-ports $_mail_services -j MARK --set-mark 1
> iptables -t nat -A ftolocal -p tcp -m multiport --destination-ports $_mail_services -j DNAT --to-destination 192.168.0.3
>
> where ftolocal is a chain name for mangle and nat...
>
> the source IP address is 192.168.0.5 and I want to send localhost connections to 192.168.0.3...
> when I use the lines above I can:
> telnet 192.168.0.5 25
> and it works... giving me:
> Trying 192.168.0.5...
> Connected to beta.gps.com.co (192.168.0.5).
> Escape character is '^]'.
> 220 alpha.gps.com.co ESMTP Postfix
>
> But when I use:
> telnet localhost 25 or telnet 127.0.0.1 25, which must be equal, I get..
> Trying 127.0.0.1...
> and it stays there forever.....
The difference may lie in the source address. When you send a packet to
a local address (127.0.0.0/8, 192.168.0.5) and don't set an explicit
source address (with -b in telnet), the Linux kernel selects the same
local address for the source address. After matching the DNAT rule,
packets are rerouted to the network interface through which the new
destination can be reached instead of the loopback interface. However,
the kernel routing prohibits sending packets with a loopback address to
a non-loopback interface, i.e. outside the host. So packets with source
address 192.168.0.5 are sent out, but packets with source address
127.0.0.1 are discarded. An additional SNAT rule wouldn't help here
because it would take place after the packet has been discarded.
* Re: NAT for localhost to IP LAN for mail services
From: Zagato @ 2008-11-28 0:27 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
D'oh..... :(...
can't I redirect the packet from 127.0.0.1 to 192.168.0.5 and then
192.168.0.3?... so 127.0.0.1 and 192.168.0.5 are on the same host and
0.3 is another physical PC.... is this possible?
Thanks :D !
Alan Jairo Acosta
* Re: NAT for localhost to IP LAN for mail services
From: Pascal Hambourg @ 2008-11-28 11:23 UTC (permalink / raw)
To: netfilter
Zagato wrote:
> can't I redirect the packet from 127.0.0.1 to 192.168.0.5 and then
> 192.168.0.3?... so 127.0.0.1 and 192.168.0.5 are on the same host and
> 0.3 is another physical PC.... is this possible?
Not using iptables. However it is possible using a TCP relay/proxy such
as rinetd, socat, redir, stone, simpleproxy... which opens a listening
socket on the local machine and forwards any connection to a remote
host. This does not require NAT at all.
* Re: NAT for localhost to IP LAN for mail services
From: Zagato @ 2008-11-29 4:06 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
Hi.. thanks for the answer... but I'm really sure that my old rules
worked fine on CentOS 4.2; when I upgraded to 5.2, psql -h localhost -p
5432 test shows the same symptoms. Maybe a kernel module that I need
to modprobe? What changed so that my old rules don't work anymore...?
CentOS 5.2 kernel: 2.6.18-92.el5
# lsmod
--
Farewell.
http://www.youtube.com/zagatogekko
ruby << __EOF__
puts [ 111, 116, 97, 103, 97, 90 ].collect{|v| v.chr}.join.reverse
__EOF__
* Re: NAT for localhost to IP LAN for mail services
From: Pascal Hambourg @ 2008-11-29 10:30 UTC (permalink / raw)
To: netfilter
Zagato wrote:
> Hi.. thanks for the answer... but I'm really sure that my old rules
> worked fine on CentOS 4.2; when I upgraded to 5.2, psql -h localhost -p
> 5432 test shows the same symptoms. Maybe a kernel module that I need
> to modprobe? What changed so that my old rules don't work anymore...?
>
> CentOS 5.2 kernel: 2.6.18-92.el5
According to a quick search it seems that CentOS 4.2 included a kernel
2.6.9. In kernels before 2.6.11, the DNAT target in the OUTPUT chain
used to change the source address to reflect the new output interface.
This is not true for newer 2.6 kernels due to a change in kernel 2.6.11.
From <http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11> :
========================================================================
[PATCH] Remove do_extra_mangle: double NAT on LOCAL_OUT
On NF_IP_LOCAL_OUT, when destination NAT changes the destination
interface, we also change the source address, so the packet is the
same as if it were generated to go that way in the first place. This
is not strictly necessary, I believe.
This patch rips that code out to see what breaks.
========================================================================
(Well, you can see what breaks)
* Re: NAT for localhost to IP LAN for mail services
From: Zagato @ 2008-11-29 15:41 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
Mmmm.... a lot of thanks for the help... so it was a change... Jeje...
well now I'm using rinetd to redirect my localhost ports to another
interface and it's working, very simple using /etc/rinetd.conf..
Thanks...
Alan Jairo Acosta
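The TCP relay approach Pascal recommends above and the rinetd setup this last reply settled on, as an added example that is not part of the original thread and not rinetd's own code: a minimal user-space relay in Python that reads a constructed rinetd-style config (bindaddress bindport connectaddress connectport) and forwards each loopback connection to the LAN mail host. The 192.168.0.3 address and the port numbers come from the thread; everything else is assumed.

```python
import socket
import threading

# Constructed rinetd-style config (bindaddress bindport connectaddress connectport):
# loopback listeners for some of the thread's mail ports, forwarded to the LAN mail host.
RINETD_STYLE_CONF = """
127.0.0.1 25   192.168.0.3 25    # smtp
127.0.0.1 110  192.168.0.3 110   # pop3
127.0.0.1 143  192.168.0.3 143   # imap
"""

def parse_rules(text):
    """Parse rinetd-style lines into (bind_addr, bind_port, dst_addr, dst_port) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if line:
            b_addr, b_port, d_addr, d_port = line.split()
            rules.append((b_addr, int(b_port), d_addr, int(d_port)))
    return rules

def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def start_relay(bind_addr, bind_port, dst_addr, dst_port):
    """Listen on bind_addr:bind_port, relay every client to dst; returns the bound port."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((bind_addr, bind_port))
    lsock.listen(16)
    def accept_loop():
        while True:
            client, _ = lsock.accept()
            # The relay opens its own connection to the LAN host, so the kernel picks a
            # routable source address: no loopback-sourced packet ever has to leave the host.
            upstream = socket.create_connection((dst_addr, dst_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]
```

Binding port 25 needs root; rinetd itself reads the same four-column lines from /etc/rinetd.conf, which is why the config format is mirrored here.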