From: Daniel Huhardeaux <daniel.huhardeaux@tootai.com>
To: netfilter@vger.kernel.org
Subject: Re: Port forwarding on host interface
Date: Thu, 24 Sep 2009 10:17:51 +0200
Message-ID: <4ABB2B2F.8050902@tootai.com>
In-Reply-To: <4ABA2C20.30800@plouf.fr.eu.org>
Pascal Hambourg wrote:
Good day,
> Daniel Huhardeaux wrote:
>> I would like to redirect an external port to another port on the same
>> machine.
>
> REDIRECT is your friend.
Thanks to Mart and you, I got it to work :-)
>> I read on some documents that the kernel doesn't allow DNAT to
>> 127.0.0.1 so I ended up with following setup:
>
> This is not exactly right. NAT allows any address you like, but the
> kernel routing prohibits packets with an address in the loopback range
> on a non-loopback interface, regardless of NAT. It might be worth
> mentioning that the routing decision occurs after the PREROUTING chain
> and does not know about the original destination address. However DNAT
> to 127.x.y.z works fine in the OUTPUT chain because the packets are
> rerouted through the loopback interface and don't leave the host.
My rules are:
[snip]
# Fall back to the external address and port when none were given.
[ -z "$IP" ] && IP=$EXTERNAL_MAIN_IP
[ -z "$PORT" ] && PORT=$EXT_PORT
# Drop direct connections to the real port coming from the external network.
$IPTABLES -t mangle -A PREROUTING -p tcp -i $EXTERNAL_MAIN_DEVICE -d $EXTERNAL_MAIN_NET --dport $PORT -j DROP
if [ "$IP" = "$EXTERNAL_MAIN_IP" ]; then
    # Service on this host: REDIRECT rewrites only the port, INPUT accepts it.
    $IPTABLES -t nat -A PREROUTING -p tcp -i $EXTERNAL_MAIN_DEVICE -d $IP --dport $EXT_PORT -j REDIRECT --to-port $PORT
    $IPTABLES -A INPUT -p tcp -i $EXTERNAL_MAIN_DEVICE -d $IP --dport $PORT -j ACCEPT
else
    # To disable when IP is 127.0.0.1
    $IPTABLES -t nat -A PREROUTING -p tcp -i $EXTERNAL_MAIN_DEVICE -d $EXTERNAL_MAIN_NET --dport $EXT_PORT -j DNAT --to $IP:$PORT
    $IPTABLES -A FORWARD -p tcp -m tcp --dport $PORT -j ACCEPT
    # Test for redirection to localhost, to activate when IP is 127.0.0.1
    #$IPTABLES -t nat -A OUTPUT -p tcp -o $EXTERNAL_MAIN_DEVICE -d $IP --dport $EXT_PORT -j DNAT --to $IP:$PORT
    #$IPTABLES -A [INPUT|FORWARD] -p tcp -m tcp --dport $PORT -j ACCEPT
fi
This is working fine when $IP is the public one or the Intranet one. But
when I put the localhost 127.0.0.1 and activate the right stuff, it's
not working (tried with both INPUT and FORWARD). Telnet to EXT_PORT just
shows "trying to connect ...". From the host, telnet localhost $PORT is working.
Concerning the marking of packets, as I said in my original mail, they are
already marked in the mangle table, PREROUTING rule, for my 2 ISPs. I
tried to find a solution with save/restore, but the problem is that mangle
can't use a user-defined target, so how to restore the original mark AND accept
the packet?
Thanks to you and Mart for your time
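The rule choice Pascal describes above, as an added example that is not part of the original mail: the function emits REDIRECT for a service on the host itself, DNAT plus a FORWARD accept for a service elsewhere, and for a loopback target only the OUTPUT-chain DNAT that works for locally generated packets. EXT_DEV, EXT_IP, the addresses and the function names are assumptions; IPTABLES defaults to a dry run (echo) so the rules can be inspected without root.

```shell
#!/bin/sh
# Added example, not the script from the mail: choose the NAT rule for an
# external TCP port by where the service lives, following the explanation
# above. EXT_DEV, EXT_IP, forward_port and the addresses are assumptions;
# IPTABLES defaults to a dry run that only prints the commands.
IPTABLES="${IPTABLES:-echo iptables}"
EXT_DEV="${EXT_DEV:-eth0}"           # external interface
EXT_IP="${EXT_IP:-198.51.100.10}"    # public address on EXT_DEV (documentation range)

# forward_port EXT_PORT TARGET_IP TARGET_PORT
forward_port() {
    ext_port=$1; ip=$2; port=$3
    case "$ip" in
    127.*)
        # Routing refuses a loopback destination that arrives on a
        # non-loopback interface, so DNAT to 127.x in PREROUTING never
        # works for outside clients. DNAT in OUTPUT does: locally
        # generated packets to EXT_IP:EXT_PORT are rerouted over lo.
        $IPTABLES -t nat -A OUTPUT -p tcp -d "$EXT_IP" --dport "$ext_port" \
            -j DNAT --to-destination "$ip:$port"
        echo "note: $ip:$port is reachable this way from this host only" >&2 ;;
    "$EXT_IP")
        # Service bound on this host: drop direct hits on the real port
        # (mangle runs before nat), REDIRECT rewrites only the port, and
        # INPUT accepts the rewritten packet.
        $IPTABLES -t mangle -A PREROUTING -p tcp -i "$EXT_DEV" -d "$ip" \
            --dport "$port" -j DROP
        $IPTABLES -t nat -A PREROUTING -p tcp -i "$EXT_DEV" -d "$ip" \
            --dport "$ext_port" -j REDIRECT --to-port "$port"
        $IPTABLES -A INPUT -p tcp -i "$EXT_DEV" -d "$ip" --dport "$port" -j ACCEPT ;;
    *)
        # Service on another host (e.g. intranet): DNAT to it, then accept
        # the already-translated packet in FORWARD on its new destination.
        $IPTABLES -t nat -A PREROUTING -p tcp -i "$EXT_DEV" -d "$EXT_IP" \
            --dport "$ext_port" -j DNAT --to-destination "$ip:$port"
        $IPTABLES -A FORWARD -p tcp -i "$EXT_DEV" -d "$ip" --dport "$port" -j ACCEPT ;;
    esac
}

# count_rules EXT_PORT TARGET_IP TARGET_PORT TARGET: how many emitted rules
# jump to TARGET (e.g. REDIRECT); handy for checking a generated rule set.
count_rules() {
    forward_port "$1" "$2" "$3" 2>/dev/null | grep -c -- "-j $4" || true
}

forward_port 2222 "$EXT_IP" 22        # prints the REDIRECT rule set for a local sshd
```

Run with IPTABLES=iptables as root to apply the rules instead of printing them.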