Re: IPtables localhost redirect

To: debian-user@lists.debian.org
Subject: Re: IPtables localhost redirect
From: Daniele Orlando <d.orlando.0@gmail.com>
Date: Mon, 12 Jul 2010 01:06:18 +0200
Message-id: <[🔎] AANLkTila28GqHmpb75bm18KCi-H7UFNG0eR53LG9J-YS@mail.gmail.com>
In-reply-to: <[🔎] 4C38A736.7030007@chello.at>
References: <[🔎] AANLkTilPUtvPvdqiZJuOUKcpcXCIRFxNy4Oyak7oNCx4@mail.gmail.com> <[🔎] 4C38A736.7030007@chello.at>

On Sat, Jul 10, 2010 at 19:00, Mart Frauenlob <mart.frauenlob@chello.at> wrote:
> This picture shows the netfilter traffic flow:
> http://jengelh.medozas.de/images/nf-packet-flow.png
>
> Source address selection is done before the OUTPUT path.
> Locally generated packets NEVER hit the PREROUTING chain in mangle or nat
> table.
> There is a routing decision after the mangle table OUTPUT chain.
> But you cannot do address translation there (like in nat OUTPUT).
> What you can do, is MARK packets in the mangle table, and refer to this mark
> with iproute2 (ip rule add fwmark 0x1 lookup table custom_table) - this is
> called "policy based routing".
>
>
> So from looking at the picture and from the theory I know, theoretically
> something like this could work:
>
> echo "101 custom_table" >> /etc/iproute2/rt_tables
>
> fill the table with appropriate routes:
> ip route add table custom_table ...
> ...
>
> mark in mangle table:
> iptables -t mangle -A OUTPUT -d 127.0.0.1 -p tcp --dport 5432 -j MARK
> --set-mark 0x1
>
> dnat in nat table:
> iptables -t nat -A OUTPUT -m mark --mark 0x1 -j DNAT --to-destination
> 192.168.1.113
>
> snat in nat table:
> iptables -t nat -A POSTROUTING -m mark --mark 0x1 -j SNAT --to-source
> 192.168.1.1?
>
> add iproute rule:
> ip rule add fwmark 0x1 lookup custom_table
>
>
> I've done all this for testing and I did not succeed.
> I also did:
> echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter
> not sure if that interacts.
> I then put a trace rule:
> iptables -t raw -A OUTPUT -d 127.0.0.1 -p tcp --dport 5432 -j TRACE
>
> The resulting log always ended in the nat table's OUTPUT chain.
> I don't know why acutally, from the picture (which is from a developer) it
> should hit nat POSTROUTING.
> I'm telling you this, so you could eventually try and maybe you have more
> luck than me, or maybe the information is otherwise useful.
> However maybe it's not possible, I can't tell for sure.
> I would have done some ssh tunneling myself in the first place.
> But I know there are people at the netfilter mailing list, who do know for
> sure. It's in general the best place to ask netfilter related questions.
>
> Best regards
>
> Mart

Thanks Mart,
your experiment will not be lost.

At the moment I have not a lot of time to spend extending your work,
but it is a good starting point for further enhancement.
As you are suggesting, I'll integrate it with the infos coming from the
netfilter mailing list and #Netfilter irc channel.

At the moment, the good news is that, together with the ssh,
netcat, and socat animals, we have a new friend:
xinetd

service postgresql
{
        socket_type             = stream
        wait                    = no
        user                    = root
        redirect                = 192.168.1.113 5432
        bind                    = 127.0.0.1
}

Thanks again for the time spent answering me.

Daniele

p.s.:
The xinetd tip comes from SuperJediWombat! of linuxquestions.org.
http://www.linuxquestions.org/questions/linux-networking-3/iptables-redirect-127-0-0-1-to-192-168-1-113-a-818817/

Reply to:

References:
- IPtables localhost redirect
  - From: Daniele Orlando <d.orlando.0@gmail.com>
- Re: IPtables localhost redirect
  - From: Mart Frauenlob <mart.frauenlob@chello.at>

Prev by Date: lenny boot with grub2
Next by Date: Re: IPtables localhost redirect
Previous by thread: Re: IPtables localhost redirect
Next by thread: Re: IPtables localhost redirect
Index(es):
- Date
- Thread