* NAT for localhost to IP LAN for mail services
       [not found] <98028b00811271443g51a06f71y14b605b9a8b7638f@mail.gmail.com>
@ 2008-11-27 22:46 ` Zagato
  2008-11-27 23:42 ` Pascal Hambourg
  0 siblings, 1 reply; 7+ messages in thread
From: Zagato @ 2008-11-27 22:46 UTC
To: netfilter

Hi.... I'm trying to forward the connection to mail services like SMTP
(port 25) from one PC to another. I'm using:

_mail_services=25,110,143,995,993
_mailserver=192.168.0.3
iptables -t mangle -A ftolocal -p tcp -m multiport --destination-ports $_mail_services -j MARK --set-mark 1
iptables -t nat -A ftolocal -p tcp -m multiport --destination-ports $_mail_services -j DNAT --to-destination 192.168.0.3

where ftolocal is a chain name for mangle and nat...

The source IP address is 192.168.0.5 and I want to send localhost
connections to 192.168.0.3...
When I use the lines above I can:
telnet 192.168.0.5 25
and it works, giving me:
Trying 192.168.0.5...
Connected to beta.gps.com.co (192.168.0.5).
Escape character is '^]'.
220 alpha.gps.com.co ESMTP Postfix

But when I use:
telnet localhost 25 or telnet 127.0.0.1 25, which must be equal, I get..
Trying 127.0.0.1...
and it stays there forever.....

Without using the lines above I just get:
[root@beta beta]# telnet localhost 25
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host: Connection refused
[root@beta beta]# telnet 192.168.0.5 25
Trying 192.168.0.5...
telnet: connect to address 192.168.0.5: Connection refused
telnet: Unable to connect to remote host: Connection refused

What am I doing wrong.... why can't I use localhost to connect.... can
someone give me a hand....
Lots of thanks..

Alan Jairo Acosta
* Re: NAT for localhost to IP LAN for mail services
  2008-11-27 22:46 ` NAT for localhost to IP LAN for mail services Zagato
@ 2008-11-27 23:42 ` Pascal Hambourg
  2008-11-28  0:27 ` Zagato
  0 siblings, 1 reply; 7+ messages in thread
From: Pascal Hambourg @ 2008-11-27 23:42 UTC
To: netfilter

Zagato wrote:
> Hi.... I'm trying to forward the connection to mail services like SMTP
> (port 25) from one PC to another. I'm using:
>
> _mail_services=25,110,143,995,993
> _mailserver=192.168.0.3
> iptables -t mangle -A ftolocal -p tcp -m multiport --destination-ports
> $_mail_services -j MARK --set-mark 1
> iptables -t nat -A ftolocal -p tcp -m multiport --destination-ports
> $_mail_services -j DNAT --to-destination 192.168.0.3
>
> where ftolocal is a chain name for mangle and nat...
>
> The source IP address is 192.168.0.5 and I want to send localhost
> connections to 192.168.0.3...
> When I use the lines above I can:
> telnet 192.168.0.5 25
> and it works, giving me:
> Trying 192.168.0.5...
> Connected to beta.gps.com.co (192.168.0.5).
> Escape character is '^]'.
> 220 alpha.gps.com.co ESMTP Postfix
>
> But when I use:
> telnet localhost 25 or telnet 127.0.0.1 25, which must be equal, I get..
> Trying 127.0.0.1...
> and it stays there forever.....

The difference may lie in the source address. When you send a packet to a
local address (127.0.0.0/8, 192.168.0.5) and don't set an explicit source
address (with -b in telnet), the Linux kernel selects the same local
address for the source address. After matching the DNAT rule, packets are
rerouted to the network interface through which the new destination can be
reached instead of the loopback interface. However the kernel routing
prohibits sending packets with a loopback address to a non-loopback
interface, i.e. outside the host. So packets with source address
192.168.0.5 are sent out, but packets with source address 127.0.0.1 are
discarded.

An additional SNAT rule wouldn't help here because it would take place
after the packet has been discarded.
* Re: NAT for localhost to IP LAN for mail services
  2008-11-27 23:42 ` Pascal Hambourg
@ 2008-11-28  0:27 ` Zagato
  2008-11-28 11:23 ` Pascal Hambourg
  0 siblings, 1 reply; 7+ messages in thread
From: Zagato @ 2008-11-28 0:27 UTC
To: Pascal Hambourg; +Cc: netfilter

Douh..... :(... can't I redirect the packet from 127.0.0.1 to 192.168.0.5
and then to 192.168.0.3?... so 127.0.0.1 and 192.168.0.5 are in the same
host and 0.3 is another physical PC.... is this possible?

Thanks :D !

Alan Jairo Acosta

On Thu, Nov 27, 2008 at 6:42 PM, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> Zagato wrote:
>>
>> Hi.... I'm trying to forward the connection to mail services like SMTP
>> (port 25) from one PC to another. I'm using:
>>
>> _mail_services=25,110,143,995,993
>> _mailserver=192.168.0.3
>> iptables -t mangle -A ftolocal -p tcp -m multiport --destination-ports
>> $_mail_services -j MARK --set-mark 1
>> iptables -t nat -A ftolocal -p tcp -m multiport --destination-ports
>> $_mail_services -j DNAT --to-destination 192.168.0.3
>>
>> where ftolocal is a chain name for mangle and nat...
>>
>> The source IP address is 192.168.0.5 and I want to send localhost
>> connections to 192.168.0.3...
>> When I use the lines above I can:
>> telnet 192.168.0.5 25
>> and it works, giving me:
>> Trying 192.168.0.5...
>> Connected to beta.gps.com.co (192.168.0.5).
>> Escape character is '^]'.
>> 220 alpha.gps.com.co ESMTP Postfix
>>
>> But when I use:
>> telnet localhost 25 or telnet 127.0.0.1 25, which must be equal, I get..
>> Trying 127.0.0.1...
>> and it stays there forever.....
>
> The difference may lie in the source address. When you send a packet to a
> local address (127.0.0.0/8, 192.168.0.5) and don't set an explicit source
> address (with -b in telnet), the Linux kernel selects the same local address
> for the source address. After matching the DNAT rule, packets are rerouted
> to the network interface through which the new destination can be reached
> instead of the loopback interface. However the kernel routing prohibits
> sending packets with a loopback address to a non-loopback interface, i.e.
> outside the host. So packets with source address 192.168.0.5 are sent out,
> but packets with source address 127.0.0.1 are discarded. An additional SNAT
> rule wouldn't help here because it would take place after the packet has
> been discarded.
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: NAT for localhost to IP LAN for mail services
  2008-11-28  0:27 ` Zagato
@ 2008-11-28 11:23 ` Pascal Hambourg
  2008-11-29  4:06 ` Zagato
  0 siblings, 1 reply; 7+ messages in thread
From: Pascal Hambourg @ 2008-11-28 11:23 UTC
To: netfilter

Zagato wrote:
> can't I redirect the packet from 127.0.0.1 to 192.168.0.5 and then to
> 192.168.0.3?... so 127.0.0.1 and 192.168.0.5 are in the same host and
> 0.3 is another physical PC.... is this possible?

Not using iptables. However it is possible using a TCP relay/proxy such
as rinetd, socat, redir, stone, simpleproxy... which opens a listening
socket on the local machine and forwards any connection to a remote host.
This does not require NAT at all.
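The relay approach described above, as an added example that is not part of the thread and is not the code of rinetd, socat or any other tool named in it: a minimal Python TCP relay that listens on loopback and opens a fresh outbound connection to the target for every client it accepts, which is why the loopback source-address problem never arises. The target is a constructed stand-in server on an ephemeral loopback port (standing in for the mail server at 192.168.0.3), so the whole thing runs offline.

```python
import socket
import threading

# Constructed greeting for the stand-in mail server (not the real one from the thread).
BANNER = b"220 relay-demo ESMTP (constructed banner)\r\n"

def _pump(src, dst):
    # Copy src -> dst until EOF, then half-close dst so the peer sees end of stream.
    while data := src.recv(4096):
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def _listener(handler):
    # Bind an ephemeral loopback port, run handler per connection in a daemon thread,
    # and return the bound (host, port) so callers never have to pick a port.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def start_banner_server():
    # Stand-in for the mail server on the other PC: greet, then close.
    def handle(conn):
        with conn:
            conn.sendall(BANNER)
    return _listener(handle)

def start_relay(target):
    # Relay in the spirit of rinetd/socat: each accepted client gets its own fresh TCP
    # connection to target, so the target sees the relay host's routable address,
    # never 127.0.0.1, and no NAT is involved at any point.
    def handle(client):
        upstream = socket.create_connection(target)
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
    return _listener(handle)

def fetch_banner_via_relay():
    # Client side: connect to the relay on loopback and return what the "server" sent.
    relay = start_relay(start_banner_server())
    with socket.create_connection(relay, timeout=5) as c:
        return b"".join(iter(lambda: c.recv(4096), b"")).decode()
```

A real deployment would bind the relay to 127.0.0.1:25 and point it at 192.168.0.3:25; the client then talks plain TCP to loopback and the relay, not the packet filter, carries the connection to the other host.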
* Re: NAT for localhost to IP LAN for mail services
  2008-11-28 11:23 ` Pascal Hambourg
@ 2008-11-29  4:06 ` Zagato
  2008-11-29 10:30 ` Pascal Hambourg
  0 siblings, 1 reply; 7+ messages in thread
From: Zagato @ 2008-11-29 4:06 UTC
To: Pascal Hambourg; +Cc: netfilter

Hi.. thanks for the answer... but I'm really sure that my old rules
worked fine on CentOS 4.2; when I upgraded to 5.2, psql -h localhost -p
5432 test has the same symptom. Maybe a kernel module that I need to
modprobe? What changed so that my old rules don't work anymore...?

CentOS 5.2 kernel: 2.6.18-92.el5

# lsmod

On Fri, Nov 28, 2008 at 6:23 AM, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> Zagato wrote:
>>
>> can't I redirect the packet from 127.0.0.1 to 192.168.0.5 and then to
>> 192.168.0.3?... so 127.0.0.1 and 192.168.0.5 are in the same host and
>> 0.3 is another physical PC.... is this possible?
>
> Not using iptables. However it is possible using a TCP relay/proxy such as
> rinetd, socat, redir, stone, simpleproxy... which opens a listening socket
> on the local machine and forwards any connection to a remote host. This does
> not require NAT at all.

--
Farewell.
http://www.youtube.com/zagatogekko
ruby << __EOF__
puts [ 111, 116, 97, 103, 97, 90 ].collect{|v| v.chr}.join.reverse
__EOF__
* Re: NAT for localhost to IP LAN for mail services
  2008-11-29  4:06 ` Zagato
@ 2008-11-29 10:30 ` Pascal Hambourg
  2008-11-29 15:41 ` Zagato
  0 siblings, 1 reply; 7+ messages in thread
From: Pascal Hambourg @ 2008-11-29 10:30 UTC
To: netfilter

Zagato wrote:
> Hi.. thanks for the answer... but I'm really sure that my old rules
> worked fine on CentOS 4.2; when I upgraded to 5.2, psql -h localhost -p
> 5432 test has the same symptom. Maybe a kernel module that I need to
> modprobe? What changed so that my old rules don't work anymore...?
>
> CentOS 5.2 kernel: 2.6.18-92.el5

According to a quick search it seems that CentOS 4.2 included a kernel
2.6.9. In kernels before 2.6.11, the DNAT target in the OUTPUT chain used
to change the source address to reflect the new output interface. This is
not true for newer 2.6 kernels due to a change in kernel 2.6.11.

From <http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11> :
========================================================================
[PATCH] Remove do_extra_mangle: double NAT on LOCAL_OUT

On NF_IP_LOCAL_OUT, when destination NAT changes the destination
interface, we also change the source address, so the packet is the
same as if it were generated to go that way in the first place. This
is not strictly necessary, I believe.

This patch rips that code out to see what breaks.
========================================================================
(Well, you can see what breaks)
* Re: NAT for localhost to IP LAN for mail services
  2008-11-29 10:30 ` Pascal Hambourg
@ 2008-11-29 15:41 ` Zagato
  0 siblings, 0 replies; 7+ messages in thread
From: Zagato @ 2008-11-29 15:41 UTC
To: Pascal Hambourg; +Cc: netfilter

Mmmm.... a lot of thanks for the help... so it was a change... Jeje...
well, now I'm using rinetd to redirect my localhost ports to another
interface and it's working, very simple using /etc/rinetd.conf..

Thanks...

Alan Jairo Acosta

On Sat, Nov 29, 2008 at 10:30 AM, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> Zagato wrote:
>>
>> Hi.. thanks for the answer... but I'm really sure that my old rules
>> worked fine on CentOS 4.2; when I upgraded to 5.2, psql -h localhost -p
>> 5432 test has the same symptom. Maybe a kernel module that I need to
>> modprobe? What changed so that my old rules don't work anymore...?
>>
>> CentOS 5.2 kernel: 2.6.18-92.el5
>
> According to a quick search it seems that CentOS 4.2 included a kernel
> 2.6.9. In kernels before 2.6.11, the DNAT target in the OUTPUT chain used to
> change the source address to reflect the new output interface. This is not
> true for newer 2.6 kernels due to a change in kernel 2.6.11.
>
> From <http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11> :
> ========================================================================
> [PATCH] Remove do_extra_mangle: double NAT on LOCAL_OUT
>
> On NF_IP_LOCAL_OUT, when destination NAT changes the destination
> interface, we also change the source address, so the packet is the
> same as if it were generated to go that way in the first place. This
> is not strictly necessary, I believe.
>
> This patch rips that code out to see what breaks.
> ========================================================================
> (Well, you can see what breaks)