  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1102

IPTables rerouting

Hi,

I'm working with RH 9 with several virtual interfaces bound to several ip addresses. My "main" IP is xxx.xxx.xxx.81 a second IP is xxx.xxx.xxx.82.
xxx.xxx.xxx.81 handles all "normal" requests on ports 80,443,25,110, etc.
I have an application running on port 24999. When connecting from another site without firewall restrictions I can just access it on xxx.xxx.xxx.81:24999.
On a third site there are firewall restrictions and I can only get out through port 80 and 443. So I managed to implement the following rerouting through the second interface on xxx.xxx.xxx.82:

-A PREROUTING -p tcp -m tcp -d xxx.xxx.xxx.82 --dport 443 -j REDIRECT --to-ports 24999
-A PREROUTING -p udp -m udp -d xxx.xxx.xxx.82 --dport 443 -j REDIRECT --to-ports 24999

The problem is that the application answers to localhost, so I don't get a reply.

How can I tell the server that the reply has to go via xxx.xxx.xxx.82 port 443? I tried several things but it didn't work. I guess it has to be something that looks like this:

-A PREROUTING -p tcp -m tcp -s xxx.xxx.xxx.82 --sport 24999 -j REDIRECT --to-ports 443
-A PREROUTING -p udp -m udp -s xxx.xxx.xxx.82 --sport 24999 -j REDIRECT --to-ports 443

Who can help me?
Thanks in advance
Filips
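An added example, not part of Filips's post or of the answers below, that models what the nat table and connection tracking do with the two REDIRECT rules in the question. The addresses are assumptions: 203.0.113.81 and 203.0.113.82 stand in for xxx.xxx.xxx.81 and xxx.xxx.xxx.82, and 198.51.100.7:51000 is a constructed client. Two documented iptables behaviours are modelled: REDIRECT rewrites the destination to the primary address of the incoming interface (so with .82 configured as an alias the application sees the connection arriving on .81:24999), and only the first packet of a connection traverses the nat table, after which conntrack reverses the translation on the replies by itself. The consequence is that no rule for the reply direction is needed, and rules that try to match the reply packets in PREROUTING or POSTROUTING are never consulted.

```python
"""Model of a nat-table REDIRECT plus connection tracking (added example, not
code from the thread).

Assumptions: 203.0.113.81 is the primary address of the interface,
203.0.113.82 an alias on it, 198.51.100.7 a constructed client.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def key(self):
        """5-tuple used as the conntrack lookup key."""
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def flipped(self):
        """The same flow seen from the other direction."""
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Redirect:
    """One 'iptables -t nat -A PREROUTING -p PROTO -d DST --dport DPORT -j REDIRECT --to-ports TO' rule."""
    proto: str
    dst_ip: str
    dst_port: int
    to_port: int

    def matches(self, pkt):
        return (pkt.proto, pkt.dst_ip, pkt.dst_port) == (self.proto, self.dst_ip, self.dst_port)


class NatHost:
    """The nat PREROUTING chain and the conntrack table of one host."""

    def __init__(self, primary_ip, redirects):
        self.primary_ip = primary_ip      # REDIRECT rewrites the destination to this address
        self.redirects = list(redirects)
        self.forward = {}                 # original 5-tuple -> packet as delivered to the socket
        self.reverse = {}                 # local reply 5-tuple -> packet as it leaves on the wire
        self.nat_lookups = 0              # how many times the nat table was walked

    def prerouting(self, pkt):
        """Inbound packet. Only the first packet of a flow walks the nat rules;
        later packets are rewritten from the conntrack entry."""
        if pkt.key() in self.forward:
            return self.forward[pkt.key()]
        self.nat_lookups += 1
        out = pkt
        for rule in self.redirects:
            if rule.matches(pkt):
                out = replace(pkt, dst_ip=self.primary_ip, dst_port=rule.to_port)
                break
        self.forward[pkt.key()] = out
        # conntrack remembers how to undo the translation for the reply direction
        self.reverse[out.flipped().key()] = pkt.flipped()
        return out

    def output(self, pkt):
        """Locally generated packet, e.g. the application's reply. For a tracked
        flow the DNAT is undone here; nat POSTROUTING is not consulted, so an
        SNAT rule matching --sport 24999 is never reached."""
        return self.reverse.get(pkt.key(), pkt)


def run_demo():
    host = NatHost("203.0.113.81", [
        Redirect("tcp", "203.0.113.82", 443, 24999),
        Redirect("udp", "203.0.113.82", 443, 24999),
    ])
    syn = Packet("tcp", "198.51.100.7", 51000, "203.0.113.82", 443)
    seen_by_app = host.prerouting(syn)                   # what the socket on 24999 accepts
    reply_on_wire = host.output(seen_by_app.flipped())   # the app answers to what it saw
    second = host.prerouting(syn)                        # next packet of the flow, no rule walk
    direct = host.prerouting(Packet("tcp", "198.51.100.7", 51001, "203.0.113.81", 24999))
    return {
        "seen_by_app": seen_by_app,
        "reply_on_wire": reply_on_wire,
        "second_packet": second,
        "direct": direct,
        "nat_lookups": host.nat_lookups,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows the application accepting a connection from 198.51.100.7 on 203.0.113.81:24999, and its reply leaving the host as 203.0.113.82:443 without any rule for that direction. The draft reply rules in the question would not match even if they were consulted: the reply the application generates has source .81:24999, not .82:24999, because REDIRECT substituted the primary address.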
2 Solutions
 
pablouruguayCommented:
try with this

iptables -A INPUT -i lo -j ACCEPT
de2ZotjesCommented:
The rules you want are these:

iptables -t nat -A POSTROUTING -p tcp -m tcp -s localhost --sport 24999 -j SNAT --to xxx.xxx.xxx.82:443
rule for udp is basically the same.
FilipsAuthor Commented:
I tried it but I get this error:

[code=INVALID_TUNNEL_PORT] Tunneling is not allowed on this port. Contact your system administrator.

Any idea?
de2ZotjesCommented:
There is a service running on that port? (port 443 that is)
FilipsAuthor Commented:
I checked with netstat and no, on IP xxx.xxx.xxx.82 port 443 is free (443 = https, right?)
de2ZotjesCommented:
It must be some local condition of the system you are working on. I ran this command on my local box:

iptables -t nat -A POSTROUTING -p tcp -s localhost --sport 24999 -j SNAT --to xxx.xxx.xxx.82:443

It was accepted without complaints; I was of course root when I ran this. Are you by any chance trying to run this iptables stuff through sudo?
FilipsAuthor Commented:
Nope, I'm root. The rule was accepted alright but it seems not to work. Is there any way to see some extra log info so I could trace the problem?
de2ZotjesCommented:
There is always the LOG target, you can stick that before the SNAT target rule. After a LOG jump parsing continues, so you get both matches :-)

Basically do this:
iptables -L -t nat --line-numbers
note what rule number the SNAT target rule is (=RNR)
then:
iptables -t nat -I POSTROUTING <RNR> -p tcp -s localhost --sport 24999 -j LOG

This will insert a rule with the same matching parameters, but a LOG target before the SNAT rule. There are a few parameters specific to LOG, most usable the --log-prefix. If you use that and give it a sufficiently unique prefix, it becomes trivial to grep the lines out of a big log-file.
BTW you need a running syslog and you need to store messages of level warning (or you up the level in iptables).

A next step could be to run tcpdump (or ethereal if you use X/GTK), either capture anything, or use a filter of (host xxx.xxx.xxx.82 && port 443)
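An added example, not from de2Zotjes's post, that carries out the LOG-rule procedure above against constructed text so it runs without root or a live ruleset: find the SNAT rule's number in a chain listing, build the LOG insertion command, then pull the prefixed lines out of the log and read the addresses and ports off them. The listing and syslog lines are constructed samples in the formats that `iptables -L -n --line-numbers` and the LOG target produce; 203.0.113.82 stands in for xxx.xxx.xxx.82 and the prefix `app443: ` is an assumption.

```python
"""LOG-target debugging loop over constructed text (added example, not code
from the thread). The listing and log lines below are made up; 203.0.113.x
and 198.51.100.x are documentation addresses standing in for the real ones."""
import re

# Constructed output of: iptables -t nat -L POSTROUTING -n --line-numbers
SAMPLE_LISTING = """\
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  10.0.0.0/24          0.0.0.0/0
2    SNAT       tcp  --  127.0.0.1            0.0.0.0/0            tcp spt:24999 to:203.0.113.82:443
"""

# Constructed syslog lines; the second is in the format the LOG target emits
SAMPLE_SYSLOG = """\
Jan 12 10:00:01 host sshd[1234]: Accepted publickey for root from 198.51.100.7 port 50999 ssh2
Jan 12 10:00:02 host kernel: app443: IN= OUT=eth0 SRC=203.0.113.81 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=24999 DPT=51000 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Jan 12 10:00:03 host kernel: other: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.81 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=3 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

RULE_LINE = re.compile(r"^(\d+)\s+(\S+)\s")   # "num  target ..." rows only
KEY_VALUE = re.compile(r"\b([A-Z]+)=(\S*)")   # IN= OUT=eth0 SRC=... SPT=... in LOG output


def find_rule_number(listing, target, needle):
    """Return the rule number (the RNR of the post) of the first rule in a
    '--line-numbers' listing whose target column is `target` and whose text
    contains `needle`, or None if there is no such rule."""
    for line in listing.splitlines():
        m = RULE_LINE.match(line)
        if m and m.group(2) == target and needle in line:
            return int(m.group(1))
    return None


def log_rule(chain, rnr, prefix, proto="tcp", source="127.0.0.1", sport=24999):
    """Build the insertion command as an argv list. Inserting at position RNR
    places the LOG rule just before the rule currently numbered RNR, so both
    rules see the same packets and parsing continues after the LOG jump."""
    return ["iptables", "-t", "nat", "-I", chain, str(rnr),
            "-p", proto, "-s", source, "--sport", str(sport),
            "-j", "LOG", "--log-prefix", prefix]


def grep_log(syslog_text, prefix):
    """Return (SRC, SPT, DST, DPT, PROTO) for every LOG line carrying `prefix`;
    a unique prefix is what makes the lines easy to pick out of a busy log."""
    hits = []
    for line in syslog_text.splitlines():
        if prefix not in line:
            continue
        kv = dict(KEY_VALUE.findall(line))
        hits.append((kv["SRC"], int(kv["SPT"]), kv["DST"], int(kv["DPT"]), kv["PROTO"]))
    return hits


if __name__ == "__main__":
    rnr = find_rule_number(SAMPLE_LISTING, "SNAT", "spt:24999")
    print("SNAT rule is number", rnr)
    print("insert with:", " ".join(log_rule("POSTROUTING", rnr, "app443: ")))
    for hit in grep_log(SAMPLE_SYSLOG, "app443: "):
        print("logged:", hit)
```

The listing must come from `iptables -t nat -L POSTROUTING -n --line-numbers`: `-t nat` matters because the filter table has no POSTROUTING chain, and `-n` keeps addresses numeric so `localhost` shows up as 127.0.0.1 as in the sample. The LOG target logs at level warning unless `--log-level` is given, which is the syslog level the post refers to.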
ahoffmannCommented:
> The problem is that when the application answers to localhost so I don't get a reply.
why does it answer to localhost instead of the correct IP? Fix the application.
FilipsAuthor Commented:
I guess the application gets a request from xxx.xxx.xxx.81:24999 because of the PREROUTING and so answers to that same address (not to localhost).
ahoffmannCommented:
ok you need something like:
iptables -I FORWARD 1 -i eth0 -p tcp -d xxx.xxx.xxx.82 --dport 24999 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.81 --dport 443 -j DNAT --to xxx.xxx.xxx.82:24999

FilipsAuthor Commented:
I didn't manage to make a connection yet. Instead I tried it with webmin and it worked, that is, I can contact my server through port 443 and do most of the tasks I want to do.

Thanks
Filips