Solved

IPTables rerouting

Posted on 2004-08-19
12
1,016 Views
Last Modified: 2010-07-27
Hi,

I'm working with RH 9 with several virtual interfaces bound to several IP addresses. My "main" IP is xxx.xxx.xxx.81; a second IP is xxx.xxx.xxx.82.
xxx.xxx.xxx.81 handles all "normal" requests on ports 80, 443, 25, 110, etc.
I have an application running on port 24999. When connecting from another site without firewall restrictions I can just access it on xxx.xxx.xxx.81:24999.
On a third site there are firewall restrictions and I can only get out through ports 80 and 443. So I managed to implement the following rerouting through the second interface on xxx.xxx.xxx.82:

-A PREROUTING -p tcp -m tcp -d xxx.xxx.xxx.82 --dport 443 -j REDIRECT --to-ports 24999
-A PREROUTING -p udp -m udp -d xxx.xxx.xxx.82 --dport 443 -j REDIRECT --to-ports 24999

The problem is that the application answers to localhost, so I don't get a reply.

How can I tell the server that the reply has to go via xxx.xxx.xxx.82 port 443? I tried several things but it didn't work. I guess it has to be something that looks like this:

-A PREROUTING -p tcp -m tcp -s xxx.xxx.xxx.82 --sport 24999 -j REDIRECT --to-ports 443
-A PREROUTING -p udp -m udp -s xxx.xxx.xxx.82 --sport 24999 -j REDIRECT --to-ports 443

Who can help me?
Thanks in advance
Filips
Question by:Filips
12 Comments
 
LVL 14

Expert Comment

by:pablouruguay
ID: 11844845
try with this

iptables -A INPUT -i lo -j ACCEPT
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 11855280
The rules you want are these:

-A POSTROUTING -p tcp -m tcp -s localhost --sport 24999 -j SNAT --to xxx.xxx.xxx.82:443
rule for udp is basically the same.
 
LVL 6

Author Comment

by:Filips
ID: 11855626
I tried it but I get this error:

[code=INVALID_TUNNEL_PORT] Tunneling is not allowed on this port. Contact your system administrator.

Any idea?
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 11856049
There is a service running on that port? (port 443 that is)
 
LVL 6

Author Comment

by:Filips
ID: 11856315
I checked with netstat and no, on IP xxx.xxx.xxx.82 port 443 is free (443 = https, right?)
 
LVL 6

Expert Comment

by:de2Zotjes
ID: 11856426
It must be some local condition of the system you are working on. I ran this command on my local box:

iptables -t nat -A POSTROUTING -p tcp -s localhost --sport 24999 -j SNAT --to xxx.xxx.xxx.82:443

It was accepted without complaints; I was of course root when I ran this. Are you by any chance trying to run this iptables stuff through sudo?
 
LVL 6

Author Comment

by:Filips
ID: 11856768
Nope, I'm root. The rule was accepted alright but it seems not to work. Is there any way to see some extra log info so I could trace the problem?
 
LVL 6

Assisted Solution

by:de2Zotjes
de2Zotjes earned 125 total points
ID: 11858048
There is always the LOG target; you can stick that before the SNAT target rule. After a LOG jump, parsing continues, so you get both matches :-)

Basically do this:
iptables -L -t nat --line-numbers
note what rule number the SNAT target rule is (=RNR)
then:
iptables -t nat -I POSTROUTING <RNR> -p tcp -s localhost --sport 24999 -j LOG

This will insert a rule with the same matching parameters, but a LOG target, before the SNAT rule. There are a few parameters specific to LOG, the most useful being --log-prefix. If you use that and give it a sufficiently unique prefix, it becomes trivial to grep the lines out of a big log file.
BTW you need a running syslog and you need to store messages of level warning (or you up the level in iptables).

A next step could be to run tcpdump (or ethereal if you use X/GTK), either capturing everything, or using a filter of (host xxx.xxx.xxx.82 && port 443)
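An added example of the LOG-insertion procedure above (my code, not from anyone in this thread): it finds the SNAT rule's number in a constructed "iptables -L -t nat --line-numbers" listing, builds the matching LOG insert (with -t nat, since POSTROUTING lives in the nat table), and greps constructed syslog lines by the chosen --log-prefix. The listing, the log lines and the NATTRACE: prefix are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample of
# `iptables -t nat -L POSTROUTING -n --line-numbers`; rule 2 is the SNAT
# rule suggested earlier in this thread.
SAMPLE_NAT_LISTING='Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  10.0.0.0/24          0.0.0.0/0
2    SNAT       tcp  --  127.0.0.1            0.0.0.0/0            tcp spt:24999 to:xxx.xxx.xxx.82:443'

# Constructed syslog lines: two carry our prefix, one is unrelated noise.
SAMPLE_SYSLOG='Aug 19 10:00:01 host kernel: NATTRACE:IN= OUT=eth0 SRC=127.0.0.1 DST=10.1.1.5 PROTO=TCP SPT=24999 DPT=40001
Aug 19 10:00:02 host sshd[123]: Accepted publickey for admin from 10.1.1.9
Aug 19 10:00:03 host kernel: NATTRACE:IN= OUT=eth0 SRC=127.0.0.1 DST=10.1.1.5 PROTO=TCP SPT=24999 DPT=40002'

# Return the rule number (RNR) of the first SNAT rule whose source port is $1.
# Prints nothing if no such rule exists.
find_snat_rule_number() {
    printf '%s\n' "$SAMPLE_NAT_LISTING" |
        awk -v port="$1" '$2 == "SNAT" && index($0, "spt:" port) { print $1; exit }'
}

# Build the command that inserts a LOG rule in front of rule $1 with log prefix $2.
# The POSTROUTING chain lives in the nat table, so -t nat is required.
build_log_insert_cmd() {
    printf 'iptables -t nat -I POSTROUTING %s -p tcp -s localhost --sport 24999 -j LOG --log-prefix "%s"' "$1" "$2"
}

# Count the syslog lines carrying prefix $1 (what grep -F on the real log would give).
count_prefixed_log_lines() {
    printf '%s\n' "$SAMPLE_SYSLOG" | grep -c -F "$1"
}

# Stand-alone run: print the insert command for the sample listing, then the hit count.
rnr=$(find_snat_rule_number 24999)
build_log_insert_cmd "$rnr" "NATTRACE:"
printf '\n%s matching log lines\n' "$(count_prefixed_log_lines NATTRACE:)"
```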
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11859915
> The problem is that when the application answers to localhost so I don't get a reply.
why does it answer to localhost instead of the correct IP? Fix the application.
 
LVL 6

Author Comment

by:Filips
ID: 11863243
I guess the application gets a request from xxx.xxx.xxx.81:24999 because of the PREROUTING and so answers to that same address (not to localhost).
 
LVL 51

Accepted Solution

by:ahoffmann
ahoffmann earned 125 total points
ID: 11865066
ok you need something like:
iptables -I FORWARD 1 -i eth0 -p tcp -d xxx.xxx.xxx.82 --dport 24999 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.81 --dport 443 -j DNAT --to xxx.xxx.xxx.82:24999
 
LVL 6

Author Comment

by:Filips
ID: 11894798
I didn't manage to make a connection yet. Instead I tried it with webmin and it worked, that is, I can contact my server through port 443 and do most of the tasks I want to do.

Thanks
Filips