Solved

REDIRECT packets on Linux Router without using NAT

Posted on 2004-08-18
Last Modified: 2012-08-14
Basically I want to filter packets going through my router depending on their source IP address and have the packets go to another IP address and port of my choice, bypassing where they were originally supposed to go.

example: web user on public address 205.139.140.5 surfs to 'www.yahoo.com' through my router, but instead he gets a page on my web server 205.139.18.50:80 that gives him a message (a nice message) and does not allow him to go to 'www.yahoo.com'

The packet would have to be redirected to my web server's address from the address that yahoo was.

To clarify, I am not using NAT of any kind; this router simply routes packets from public addresses to other public addresses. I already know how to do it with NAT - REDIRECT, that's easy, but documentation is slim without NAT.
The router is a build of Debian Woody with Netfilter.

Thanks
-Air
Question by:Airgazm
12 Comments
 
LVL 9

Expert Comment

by:e-tsik
ID: 11838287
Hi :-)

You can add the target IP address(es) to one of the interfaces on your router. This stops *all* traffic (not just web) from getting out of your network and sends a reply from your server.

Here is an example list of IP addresses:
ifconfig eth0:0 1.2.3.4 netmask 255.255.255.255
ifconfig eth0:0 1.2.3.5 netmask 255.255.255.255
ifconfig eth0:0 1.2.3.6 netmask 255.255.255.255
ifconfig eth0:0 1.2.3.7 netmask 255.255.255.255

Note: this doesn't work by URL, so with a web site such as "google" that uses a CNAME to resolve the name to several IP addresses you'll have to map it to every IP address they may have.

I think REDIRECT is still the cleanest solution, and using it does not have anything to do with public/local IP addresses. None of your users will feel/have any problem connecting with their public IP address.

Enjoy!
0
 
LVL 9

Expert Comment

by:e-tsik
ID: 11838289
A small correction:

Here is an example list of IP addresses:
ifconfig eth0:0 1.2.3.4 netmask 255.255.255.255
ifconfig eth0:1 1.2.3.5 netmask 255.255.255.255
ifconfig eth0:2 1.2.3.6 netmask 255.255.255.255
ifconfig eth0:3 1.2.3.7 netmask 255.255.255.255

Sorry.
0
 

Author Comment

by:Airgazm
ID: 11844164
Hmm, the target IP address could be A-lot of addresses, and could change a lot, so I think that solution is out.

REDIRECT does work but only if I enable Source NAT on Eth0, which I can't do since I'm only routing public address and not routing any NAT'ed addresses.  

There should be a way to filter and forward the packets to any address of choice, shouldn't there?

Thanks
-Air
0
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 11855501
Airgazm, you are answering your own question. You use the word "filter" in the question, but your best solution is netfilter with the NAT modules in it.

I also fail to see why you couldn't enable source NAT, I even fail to understand what you mean.

You must be able to put a rule on the box that will do what is needed:

iptables -t nat -A PREROUTING -p tcp -s 205.139.140.5 -d www.yahoo.com --dport 80 -j DNAT --to 205.139.18.50

This rule, combined with conntracking should do what you stated in your question.

0
 

Author Comment

by:Airgazm
ID: 11873158
I can get it to work, but only if I have the following line in my firewall config, which totally breaks my router.

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "pub ip"

This enables source NAT on eth0 but also breaks the router. If I remove this line then the command you provided above will not forward the packets. I can't have the router doing NAT if the IPs being routed are all public addresses. I'm only routing public IPs, so I'm confused why we're using NAT at all; shouldn't we be using the filter table?

I guess I don't understand how the DNAT works if there is no NAT on the router at all.

0
 

Author Comment

by:Airgazm
ID: 11873183
I guess an easy way to clarify this would be to ask.

Can we filter and forward these packets without using the NAT modules?
0
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 11874478
To answer your last question: to the best of my knowledge, no.

Your other comment: you insist that there is no NATting on your router. However, as soon as you define a DNAT or SNAT target there is NATting going on. It is just a matter of definition.

I get the impression that you are confusing some items. NAT is not the same as masquerading! There is indeed no point in masquerading from public to public addresses. NAT can be useful though.

The problem with the rule you show that you used to make it work is that there is no selection: all packets that leave the machine on interface eth0 get a new source address, and that will indeed break your router. You must FILTER, i.e. narrow the selection of packets. However, as far as I know there is no need for this return rule. The conntrack module should guard and execute the reverse mapping. Please check your box and make sure that ip_conntrack is loaded, either statically compiled into your kernel or as a module.

I suggest you check out the netfilter site for additional details, they have an extensive howto on NAT:
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html
0
 

Author Comment

by:Airgazm
ID: 11875019
The only reason I had the DNAT and SNAT was just to test it out.  
Conntrack is compiled into the kernel.

So you're saying that this line
iptables -t nat -A PREROUTING -p tcp -s 205.139.140.5 -d www.yahoo.com --dport 80 -j DNAT --to 205.139.18.50
..should forward the packets and allow return packets from the DNAT address back to the original address.

and I don't need any other lines to get it to work?  I thought this is what I did but couldn't get it to work.



0
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 11875291
Yep, the one line should do it. (unless there are other firewall rules that would block the traffic)

You can see whether the conntrack is picking up on the connection by catting /proc/net/ip_conntrack, your attempts at connecting should show up...

Also I don't know whether these are the literal commands you used, but I believe www.yahoo.com is a round-robin address. So you will probably not get the result you expected. Set it up using IP addresses only, connect to an IP address, and only when you have that working convert to DNS.
0
 

Author Comment

by:Airgazm
ID: 11875451
Oops, I wanted it to forward packets for ANY address, would I just change it to,
iptables -t nat -A PREROUTING -p tcp -s 205.139.140.5 -d 0.0.0.0 --dport 80 -j DNAT --to 205.139.18.50

??
0
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 11879236
Almost, you would have to write -d 0.0.0.0/0

But you could also leave the destination-test completely out:

iptables -t nat -A PREROUTING -p tcp -s 205.139.140.5 --dport 80 -j DNAT --to 205.139.18.50

0
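The one-line rule above as a small script, added here and not code from the thread: it prints (or, with IPT=iptables, applies) the DNAT rule together with the FORWARD rules a restrictive filter table would need, and a helper that reads an ip_conntrack line to confirm the reverse mapping de2Zotjes describes. The client and server addresses come from the question; the 198.51.100.7 "original destination" and the conntrack entry are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread). Default IPT=echo only prints the
# commands; run with IPT=iptables to apply them on the router.
IPT="${IPT:-echo}"

# Build the rules for client $1 going to port $2, redirected to server $3.
redirect_rules() {
    client="$1"; port="$2"; target="$3"
    # Rewrite the destination before routing. Conntrack records the original
    # destination and reverses it on the replies, so no SNAT rule is required.
    $IPT -t nat -A PREROUTING -p tcp -s "$client" --dport "$port" \
        -j DNAT --to-destination "$target"
    # The filter table sees the rewritten packet: allow it through FORWARD
    # (only needed when the FORWARD chain policy is not ACCEPT).
    $IPT -A FORWARD -p tcp -s "$client" -d "$target" --dport "$port" -j ACCEPT
    # Server replies travel the reverse mapping as part of the same connection.
    $IPT -A FORWARD -p tcp -s "$target" -d "$client" --sport "$port" -j ACCEPT
}

# Inspect one /proc/net/ip_conntrack line: the first src=/dst= pair is the
# original direction, the second pair is the reply direction. Prints
# "orig_dst reply_src" and returns 0 when they differ (a DNAT mapping is
# active) or 1 when they are equal (plain routing, nothing rewritten).
conntrack_is_dnat() {
    echo "$1" | awk '{
        s = 0; d = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dst=/) { d++; if (d == 1) od = substr($i, 5) }
            if ($i ~ /^src=/) { s++; if (s == 2) rs = substr($i, 5) }
        }
        print od, rs
        if (od == rs) exit 1
        exit 0
    }'
}

# Constructed sample entry: 205.139.140.5 asked for 198.51.100.7:80 (a
# stand-in for a yahoo address) and the reply comes from 205.139.18.50.
SAMPLE_ENTRY='tcp 6 431999 ESTABLISHED src=205.139.140.5 dst=198.51.100.7 sport=1234 dport=80 src=205.139.18.50 dst=205.139.140.5 sport=80 dport=1234 [ASSURED] use=1'

redirect_rules 205.139.140.5 80 205.139.18.50
if conntrack_is_dnat "$SAMPLE_ENTRY"; then
    echo "DNAT mapping active: the reply source is rewritten back to the original destination"
fi
```

On a live router, feed `cat /proc/net/ip_conntrack | grep 205.139.140.5` lines to conntrack_is_dnat to see whether the rule is actually catching the client's connections.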
 
LVL 1

Accepted Solution

by: gn0 (earned 500 total points)
ID: 11919407
if you do DNAT - you must do SNAT too ... here is why ....

205.139.140.5 sends a packet to yahoo.com, it is DNATed to 205.139.18.50 ......
so when 205.139.18.50 replies to 205.139.140.5 ..... 205.139.140.5 throws the packet away (he says I never sent u anything - I sent it to yahoo .... )

in the router u need (both S and D NAT).....
iptables -t nat -A PREROUTING -p tcp -s 205.139.140.5 -d yahoo.com --dport 80 -j DNAT --to-destination 205.139.18.50

iptables -t nat -A POSTROUTING -p tcp -s 205.139.18.50 -d 205.139.140.5 --sport 80 -j SNAT --to-source yahoo.com

for testing u should ping yahoo.com, get one of its ip addresses and use that particular ip address..... for all cases of yahoo.com -- even in the browser of 205.139.140.5
(this is because yahoo has multiple ip addresses which will confuse initial tests....) (note: if u try browsing to yahoo using an ip address u would probably get 'page not found' .... the webserver serves by requested urls)

***********************************
you can also do this without nat ..... it is simple destination routing which we are accustomed to ......
e.g. on machine 205.139.18.50 create an interface with the ip of yahoo (as mentioned earlier)
ifconfig eth0:0 yahooip netmask 255.255.255.255
(other ip addresses are added similarly but the interface name is different eth0:1, eth0:2 etc)
in the router machine simply route all the addresses to this machine..... 'ip route add yahooip via nexthop'
(if 205.139.18.50 is directly connected to the router then 'nexthop' would be 205.139.18.50)....
this is for one or more single ip addresses....

**********************************
with nat .... but in ranges of ip addresses.....

on machine 205.139.18.50.....
# enable routing
echo 1 > /proc/sys/net/ipv4/ip_forward
# redirect 'subnet/xx' to itself (port 80 on the local machine)....
iptables -t nat -A PREROUTING -i eth0 -d subnet/xx -p tcp --dport 80 -j REDIRECT --to-ports 80

on router machine....
# route 'subnet/xx' appropriately....
ip route add subnet/xx via nexthop
(if 205.139.18.50 is directly connected to the router then 'nexthop' would be 205.139.18.50)

good luck....

Nav.
0
