  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2634

REDIRECT packets on Linux Router without using NAT

Basically I want to filter packets going through my router depending on their source IP address and have the packets go to another IP address and port of my choice, bypassing where they were originally supposed to go.

example: a web user on public address 205.139.140.5 surfs to 'www.yahoo.com' through my router, but instead he gets a page on my web server 205.139.18.50:80 that gives him a message (a nice message) and does not allow him to go to 'www.yahoo.com'

The packet would have to be redirected to my web server's address from the address that yahoo was.

To clarify, I am not using NAT of any kind; this router simply routes packets from public addresses to other public addresses. I already know how to do it with NAT REDIRECT, that's easy, but documentation is slim without NAT.
The router is a build of Debian Woody with Netfilter.

Thanks
-Air
Asked by Airgazm

1 Solution
e-tsik commented:
Hi :-)

You can add the target IP address(s) to one of the interfaces on your router. This stops *all* traffic (not just web) from getting out of your network and sends a reply from your server.

Here is an example list of IP addresses:
ifconfig eth0:0 1.2.3.4 netmask 255.255.255.255
ifconfig eth0:0 1.2.3.5 netmask 255.255.255.255
ifconfig eth0:0 1.2.3.6 netmask 255.255.255.255
ifconfig eth0:0 1.2.3.7 netmask 255.255.255.255

Note: this doesn't work by URL, so with a web site such as "google" that uses a CNAME to reflect the name to several IP addresses you'll have to map it to every IP address they may have.

I think REDIRECT is still the cleanest solution, and using it does not have anything to do with public/local IP addresses. None of your users will feel/have any problem connecting with their public IP address.

Enjoy!
e-tsik commented:
A small correction:

Here is an example list of IP addresses:
ifconfig eth0:0 1.2.3.4 netmask 255.255.255.255
ifconfig eth0:1 1.2.3.5 netmask 255.255.255.255
ifconfig eth0:2 1.2.3.6 netmask 255.255.255.255
ifconfig eth0:3 1.2.3.7 netmask 255.255.255.255

Sorry.
Airgazm (Author) commented:
Hmm, the target IP address could be a lot of addresses, and could change a lot, so I think that solution is out.

REDIRECT does work but only if I enable Source NAT on eth0, which I can't do since I'm only routing public addresses and not routing any NAT'ed addresses.

There should be a way to filter and forward the packets to any address of choice, shouldn't there?

Thanks
-Air
de2Zotjes commented:
Airgazm, you are answering your own question. You use the phrase "filter" in the question; your best solution is netfilter with the NAT modules in it.

I also fail to see why you couldn't enable source NAT, I even fail to understand what you mean.

You must be able to put a rule on the box that will do what is needed:

iptables -t nat -A PREROUTING -p tcp -s 205.139.140.5 -d www.yahoo.com --dport 80 -j DNAT --to 205.139.18.50

This rule, combined with conntracking, should do what you stated in your question.
Airgazm (Author) commented:
I can get it to work, but only if I have the following line in my firewall config, which totally breaks my router.

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to "pub ip"

This enables source NAT on eth0 but also breaks the router. If I remove this line then the command you provided above will not forward the packets. I can't have the router doing NAT if the IPs being routed are all public addresses. I'm only routing public IPs, so I'm confused why we're using NAT at all; shouldn't we be using the filter table?

I guess I don't understand how the DNAT works if there is no NAT on the router at all.

Airgazm (Author) commented:
I guess an easy way to clarify this would be to ask.

Can we filter and forward these packets without using the NAT modules?
de2Zotjes commented:
To answer your last question: to the best of my knowledge, no.

Your other comment: you insist that there is no NATting on your router. However, as soon as you define a DNAT or SNAT target there is NATting going on. It is just a matter of definition.

I get the impression that you are confusing some items. NAT is not the same as masquerading! There is indeed no point in masquerading from public to public addresses. NAT can be useful though.

The problem with the rule you show that you used to make it work is that there is no selection: all packets that leave the machine on interface eth0 get a new source address, and that will indeed break your router. You must FILTER, i.e. narrow the selection of packets. However, as far as I know there is no need for this return rule. The conntrack module should guard and execute the reverse mapping. Please check your box and make sure that ip_conntrack is loaded, either statically compiled into your kernel or as a module.

I suggest you check out the netfilter site for additional details, they have an extensive howto on NAT:
http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.html
Airgazm (Author) commented:
The only reason I had the DNAT and SNAT was just to test it out.
Conntrack is compiled into the kernel.

So, you're saying that this line
iptables -t nat -A PREROUTING -p tcp -s 205.139.140.5 -d www.yahoo.com --dport 80 -j DNAT --to 205.139.18.50
..should forward the packets and allow return packets from the DNAT address back to the original address,

and I don't need any other lines to get it to work?  I thought this is what I did but couldn't get it to work.
de2Zotjes commented:
Yep, the one line should do it (unless there are other firewall rules that would block the traffic).

You can see whether the conntrack is picking up on the connection by catting /proc/net/ip_conntrack, your attempts at connecting should show up...

Also, I don't know whether these are the literal commands you used, but I believe www.yahoo.com is a round-robin address, so you will probably not get the result you expected. Set it up using IP addresses only, connect to an IP address, and only when you have that working convert to DNS.
Airgazm (Author) commented:
Oops, I wanted it to forward packets for ANY address; would I just change it to
iptables -t nat -A PREROUTING -p tcp -s 205.139.140.5 -d 0.0.0.0 --dport 80 -j DNAT --to 205.139.18.50

??
de2Zotjes commented:
Almost, you would have to write -d 0.0.0.0/0

But you could also leave the destination-test completely out:

iptables -t nat -A PREROUTING -p tcp -s 205.139.140.5 --dport 80 -j DNAT --to 205.139.18.50

gn0 commented:
If you do DNAT, you must do SNAT too ... here is why ....

205.139.140.5 sends a packet to yahoo.com, it is DNATed to 205.139.18.50 ......
So when 205.139.18.50 replies to 205.139.140.5 ..... 205.139.140.5 throws the packet away (he says "I never sent you anything - I sent it to yahoo" ....)

In the router you need both S and D NAT .....
iptables -t nat -A PREROUTING -p tcp -s 205.139.140.5 -d yahoo.com --dport 80 -j DNAT --to-destination 205.139.18.50

iptables -t nat -A POSTROUTING -p tcp -s 205.139.18.50 -d 205.139.140.5 --sport 80 -j SNAT --to-source yahoo.com

For testing you should ping yahoo.com, get one of its IP addresses and use that particular IP address ..... for all cases of yahoo.com -- even in the browser of 205.139.140.5
(this is because yahoo has multiple IP addresses which will confuse initial tests ....) (note: if you try browsing to yahoo using an IP address you would probably get 'page not found' .... the web server serves by requested URLs)

***********************************
You can also do this without NAT ..... it is simple destination routing which we are accustomed to ......
e.g. on machine 205.139.18.50 create an interface with the IP of yahoo (as mentioned earlier)
ifconfig eth0:0 yahooip netmask 255.255.255.255
(other IP addresses are added similarly but the interface name is different: eth0:1, eth0:2 etc.)
In the router machine simply route all the addresses to this machine ..... 'ip route add yahooip via nexthop'
(if 205.139.18.50 is directly connected to the router then 'nexthop' would be 205.139.18.50) ....
This is for one or more single IP addresses ....

**********************************
With NAT .... but in ranges of IP addresses .....

On machine 205.139.18.50 .....
#enable routing
'echo 1 > /proc/sys/net/ipv4/ip_forward'
#redirect 'subnet/xx' to the local web server on port 80 ....
iptables -t nat -A PREROUTING -i eth0 -d subnet/xx -p tcp --dport 80 -j REDIRECT --to-ports 80

On router machine ....
#route 'subnet/xx' appropriately ....
ip route add subnet/xx via nexthop
(if 205.139.18.50 is directly connected to the router then 'nexthop' would be 205.139.18.50)

Good luck ....

Nav.
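The two claims in this thread worth seeing side by side are de2Zotjes's (conntrack reverses the DNAT on the reply, so no POSTROUTING SNAT rule is needed) and gn0's (without that reverse mapping the client discards the reply because it comes from 205.139.18.50 instead of the address it connected to). The following is an added toy model of a PREROUTING DNAT rule plus a conntrack table, not code from the thread or from netfilter; the "yahoo" address 203.0.113.10 is a constructed stand-in, and the packet dicts are constructed sample input.

```python
# Toy model of one iptables DNAT rule and the conntrack reverse mapping.
# Added illustration only; the real kernel code path is in netfilter.
CLIENT = "205.139.140.5"      # the user's public address from the question
WEBSERVER = "205.139.18.50"   # the redirect target from the question
YAHOO_IP = "203.0.113.10"     # constructed stand-in for one yahoo address


class Router:
    """-t nat -A PREROUTING -p tcp -s <src_match> --dport <dport> -j DNAT --to <to_dest>,
    with an optional conntrack table that remembers the original destination."""

    def __init__(self, src_match, dport_match, to_dest, conntrack=True):
        self.src_match, self.dport_match, self.to_dest = src_match, dport_match, to_dest
        self.conntrack_enabled = conntrack
        self.table = {}  # reply tuple -> (original dst ip, original dst port)

    def forward(self, pkt):
        """pkt is a dict with src, sport, dst, dport; returns it as it leaves the router."""
        p = dict(pkt)
        # PREROUTING: rewrite the destination for the matched client (DNAT).
        if p["src"] == self.src_match and p["dport"] == self.dport_match:
            original_dst = (p["dst"], p["dport"])
            p["dst"] = self.to_dest
            if self.conntrack_enabled:
                # Record how the server's reply will look so it can be un-NATed.
                reply_tuple = (self.to_dest, p["dport"], p["src"], p["sport"])
                self.table[reply_tuple] = original_dst
            return p
        # Reply direction: conntrack restores the original destination as the source.
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if key in self.table:
            p["src"], p["sport"] = self.table[key]
        return p


def client_accepts(expected_peer, reply):
    """The client's TCP stack only matches a reply whose source is where the SYN went."""
    return (reply["src"], reply["sport"]) == expected_peer


def run(conntrack):
    """Send SYN client->yahoo:80 through the router, then the server's SYN/ACK back.
    Returns (client accepted the reply?, source address the client saw)."""
    router = Router(CLIENT, 80, WEBSERVER, conntrack=conntrack)
    syn = {"src": CLIENT, "sport": 40000, "dst": YAHOO_IP, "dport": 80}
    at_server = router.forward(syn)
    assert at_server["dst"] == WEBSERVER  # DNAT happened
    synack = {"src": WEBSERVER, "sport": 80, "dst": CLIENT, "dport": 40000}
    at_client = router.forward(synack)
    return client_accepts((YAHOO_IP, 80), at_client), at_client["src"]
```

With conntrack the client sees the reply come from 203.0.113.10:80 and accepts it; without it the reply arrives from 205.139.18.50 and is thrown away, which is the failure gn0 describes.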