[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: IPtables localhost redirect

On 09.07.2010 05:54, Daniele Orlando wrote:
Hello guys,

on my Debian 5 I'm trying to redirect
the TCP traffic generated by my machine
towards (PostgreSQL)
to the new destination

I have tried with iptables many rules, but no one seams good for the task.

Any idea?

This picture shows the netfilter traffic flow:

Source address selection is done before the OUTPUT path.
Locally generated packets NEVER hit the PREROUTING chain in mangle or nat table.
There is a routing decision after the mangle table OUTPUT chain.
But you cannot do address translation there (like in nat OUTPUT).
What you can do, is MARK packets in the mangle table, and refer to this mark with iproute2 (ip rule add fwmark 0x1 lookup table custom_table) - this is called "policy based routing".

So from looking at the picture and from the theory I know, theoretically something like this could work:

echo "101 custom_table" >> /etc/iproute2/rt_tables

fill the table with appropriate routes:
ip route add table custom_table ...

mark in mangle table:
iptables -t mangle -A OUTPUT -d -p tcp --dport 5432 -j MARK --set-mark 0x1

dnat in nat table:
iptables -t nat -A OUTPUT -m mark --mark 0x1 -j DNAT --to-destination

snat in nat table:
iptables -t nat -A POSTROUTING -m mark --mark 0x1 -j SNAT --to-source

add iproute rule:
ip rule add fwmark 0x1 lookup custom_table

I've done all this for testing and I did not succeed.
I also did:
echo 0 >/proc/sys/net/ipv4/conf/all/rp_filter
not sure if that interacts.
I then put a trace rule:
iptables -t raw -A OUTPUT -d -p tcp --dport 5432 -j TRACE

The resulting log always ended in the nat table's OUTPUT chain.
I don't know why acutally, from the picture (which is from a developer) it should hit nat POSTROUTING. I'm telling you this, so you could eventually try and maybe you have more luck than me, or maybe the information is otherwise useful.
However maybe it's not possible, I can't tell for sure.
I would have done some ssh tunneling myself in the first place.
But I know there are people at the netfilter mailing list, who do know for sure. It's in general the best place to ask netfilter related questions.

Best regards


Reply to: