
Re: IPtables localhost redirect



On 09.07.2010 05:54, Daniele Orlando wrote:
Hello guys,

on my Debian 5 I'm trying to redirect
the TCP traffic generated by my machine
towards 127.0.0.1:5432 (PostgreSQL)
to the new destination 192.168.1.113:5432.

I have tried many rules with iptables, but none seems good for the task.

Any idea?



This picture shows the netfilter traffic flow:
http://jengelh.medozas.de/images/nf-packet-flow.png

Source address selection is done before the OUTPUT path.
Locally generated packets NEVER hit the PREROUTING chain in mangle or nat table.
There is a routing decision after the mangle table OUTPUT chain.
But you cannot do address translation there (like in nat OUTPUT).
What you can do, is MARK packets in the mangle table, and refer to this mark with iproute2 (ip rule add fwmark 0x1 lookup table custom_table) - this is called "policy based routing".


So from looking at the picture and from the theory I know, theoretically something like this could work:

echo "101 custom_table" >> /etc/iproute2/rt_tables

fill the table with appropriate routes:
ip route add table custom_table ...
...

mark in mangle table:
iptables -t mangle -A OUTPUT -d 127.0.0.1 -p tcp --dport 5432 -j MARK --set-mark 0x1

dnat in nat table:
iptables -t nat -A OUTPUT -m mark --mark 0x1 -j DNAT --to-destination 192.168.1.113

snat in nat table:
iptables -t nat -A POSTROUTING -m mark --mark 0x1 -j SNAT --to-source 192.168.1.1?

add iproute rule:
ip rule add fwmark 0x1 lookup custom_table


I've done all this for testing and I did not succeed.
I also did:
echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter
not sure if that interacts.
I then put a trace rule:
iptables -t raw -A OUTPUT -d 127.0.0.1 -p tcp --dport 5432 -j TRACE

The resulting log always ended in the nat table's OUTPUT chain.
I don't know why, actually; from the picture (which is from a developer) it should hit nat POSTROUTING. I'm telling you this so you could eventually try, and maybe you have more luck than me, or maybe the information is otherwise useful.
However maybe it's not possible, I can't tell for sure.
I would have done some ssh tunneling myself in the first place.
But I know there are people at the netfilter mailing list, who do know for sure. It's in general the best place to ask netfilter related questions.

Best regards

Mart
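As an added example (not part of Mart's mail or anything posted to the list), here is a small Python helper that reads kernel TRACE output of the kind the raw-table TRACE rule above produces and reports where a locally generated packet's traversal stops, checked against the hook order for local output in the nf-packet-flow diagram. The log lines are constructed for the example and are not a real capture.

```python
import re

# Hook order for locally generated packets, as drawn in the nf-packet-flow
# diagram referenced in the mail (local output never touches PREROUTING).
LOCAL_OUTPUT_PATH = [
    ("raw", "OUTPUT"), ("mangle", "OUTPUT"), ("nat", "OUTPUT"),
    ("filter", "OUTPUT"), ("mangle", "POSTROUTING"), ("nat", "POSTROUTING"),
]

# xt_TRACE log prefix: "TRACE: <table>:<chain>:<rule|policy|return>:<rulenum>"
TRACE_RE = re.compile(r"TRACE: (\w+):(\w+):(\w+):(\d+)")

# Constructed sample (not from the original thread): one SYN towards
# 127.0.0.1:5432 whose trace stops in nat OUTPUT, plus one unrelated line.
SAMPLE_LOG = """\
kernel: TRACE: raw:OUTPUT:rule:1 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=40123 DPT=5432 SYN
kernel: TRACE: raw:OUTPUT:policy:2 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=40123 DPT=5432 SYN
kernel: TRACE: mangle:OUTPUT:rule:1 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=40123 DPT=5432 SYN
kernel: TRACE: mangle:OUTPUT:policy:2 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=40123 DPT=5432 SYN
kernel: TRACE: nat:OUTPUT:rule:1 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=40123 DPT=5432 SYN
kernel: eth0: link becomes ready
"""

def trace_path(log, dport):
    """Return [(table, chain, verdict, rulenum), ...] for the TRACE lines of
    packets to one destination port, in the order the kernel logged them."""
    dport_re = re.compile(rf"\bDPT={dport}\b")
    path = []
    for line in log.splitlines():
        m = TRACE_RE.search(line)
        if not m or not dport_re.search(line):
            continue
        table, chain, verdict, rulenum = m.groups()
        path.append((table, chain, verdict, int(rulenum)))
    return path

def last_hook(path):
    """(table, chain) of the last hook the packet was seen in, or None."""
    return (path[0 - 1][0], path[-1][1]) if path else None

def hooks_not_reached(path):
    """Expected local-output hooks that never show up in the trace."""
    seen = {(t, c) for t, c, _, _ in path}
    return [hook for hook in LOCAL_OUTPUT_PATH if hook not in seen]

if __name__ == "__main__":
    p = trace_path(SAMPLE_LOG, 5432)
    for table, chain, verdict, num in p:
        print(f"{table}:{chain} {verdict} #{num}")
    print("stopped in:", last_hook(p))
    print("never reached:", hooks_not_reached(p))
```

Feeding it the real output of dmesg or syslog for the traced port shows at a glance whether the packet ever reaches nat POSTROUTING, which is the question left open in the mail.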

