
IPTables rerouting

Hi,

I'm working with RH 9 with several virtual interfaces bound to several IP addresses. My "main" IP is xxx.xxx.xxx.81; a second IP is xxx.xxx.xxx.82.
xxx.xxx.xxx.81 handles all "normal" requests on ports 80, 443, 25, 110, etc.
I have an application running on port 24999. When connecting from another site without firewall restrictions I can just access it on xxx.xxx.xxx.81:24999.
On a third site there are firewall restrictions and I can only get out through ports 80 and 443. So I implemented the following rerouting through the second interface on xxx.xxx.xxx.82:

-A PREROUTING -p tcp -m tcp -d xxx.xxx.xxx.82 --dport 443 -j REDIRECT --to-ports 24999
-A PREROUTING -p udp -m udp -d xxx.xxx.xxx.82 --dport 443 -j REDIRECT --to-ports 24999

The problem is that the application answers to localhost, so I don't get a reply.

How can I tell the server that the reply has to go via xxx.xxx.xxx.82 port 443 ? I tried several things but it didn't work. I guess it has to be something that looks like this:

-A PREROUTING -p tcp -m tcp -s xxx.xxx.xxx.82 --sport 24999 -j REDIRECT --to-ports 443
-A PREROUTING -p udp -m udp -s xxx.xxx.xxx.82 --sport 24999 -j REDIRECT --to-ports 443

Who can help me?
Thanks in advance
Filips
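The redirect described in the question, written out as a complete rule set. This is an added example and not code from the thread: it assumes the public interface is eth0, that xxx.xxx.xxx.82 is an alias of that interface (so the interface's primary address is xxx.xxx.xxx.81, where the application listens), that the application speaks TCP only, and the usage line uses RFC 5737 documentation addresses in place of the real ones. Two points matter when debugging this setup: REDIRECT and DNAT are connection-tracked, so reply packets are translated back to xxx.xxx.xxx.82:443 automatically and no rule matching --sport 24999 is needed; and the filter INPUT chain runs after nat PREROUTING, so it must accept port 24999, not 443. Restricting the source to the remote site's address keeps the application from being reachable on a second port from everywhere.

```shell
#!/bin/sh
# Added example (not from the thread): emit the iptables commands that expose a
# service listening on PRIMARY_IP:APP_PORT as ALIAS_IP:443 using REDIRECT.
# Assumptions (hypothetical, not stated on the page): the public interface is
# eth0, ALIAS_IP is an alias of it (eth0:1) so the "primary address of the
# incoming interface" that REDIRECT targets is PRIMARY_IP, and the application
# uses TCP only.
#
# No reverse rule is needed: REDIRECT lives in the nat table, and the
# connection-tracking entry created by the first packet is used to undo the
# translation on every reply, so the client sees answers coming from
# ALIAS_IP:443 without any rule for --sport 24999.

redirect_rules() {
    primary_ip=$1   # address the application actually listens on
    alias_ip=$2     # address the firewalled site is allowed to reach on 443
    app_port=$3     # real listening port of the application
    allowed_src=$4  # optional: remote site's address/CIDR, limits exposure

    src_match=""
    if [ -n "$allowed_src" ]; then
        src_match=" -s $allowed_src"
    fi

    # nat/PREROUTING: rewrite ALIAS_IP:443 -> PRIMARY_IP:APP_PORT
    # (REDIRECT substitutes the incoming interface's primary address).
    echo "iptables -t nat -A PREROUTING -i eth0 -p tcp${src_match} -d $alias_ip --dport 443 -j REDIRECT --to-ports $app_port"
    # filter/INPUT runs after nat/PREROUTING, so it sees APP_PORT, not 443.
    echo "iptables -A INPUT -i eth0 -p tcp${src_match} -d $primary_ip --dport $app_port -m state --state NEW -j ACCEPT"
    # Replies and later packets of the tracked connection.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Usage (as root, addresses are RFC 5737 placeholders):
#   redirect_rules 192.0.2.81 192.0.2.82 24999 198.51.100.0/24 | sh
```

The commands are printed rather than executed so the result can be reviewed first; if the existing INPUT chain already ends in a DROP or REJECT rule, use -I instead of -A for the two INPUT lines so they are evaluated before it.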
 
pablouruguay commented:
try with this

iptables -A INPUT -i lo -j ACCEPT
 
de2Zotjes commented:
The rules you want are these:

-A POSTROUTING -p tcp -m tcp -s localhost --sport 24999 -j SNAT --to xxx.xxx.xxx.82:443
The rule for UDP is basically the same.
 
FilipsFreelancer (author) commented:
I tried it but I get this error:

[code=INVALID_TUNNEL_PORT] Tunneling is not allowed on this port. Contact your system administrator.

Any idea?
 
de2Zotjes commented:
There is a service running on that port? (port 443 that is)
 
FilipsFreelancer (author) commented:
I checked with netstat and no, on IP xxx.xxx.xxx.82 port 443 is free (443 = https, right?).
 
de2Zotjes commented:
It must be some local condition of the system you are working on. I ran this command on my local box:

iptables -t nat -A POSTROUTING -p tcp -s localhost --sport 24999 -j SNAT --to xxx.xxx.xxx.82:443

It was accepted without complaints; I was of course root when I ran this. Are you by any chance trying to run this iptables stuff through sudo?
 
FilipsFreelancer (author) commented:
Nope, I'm root. The rule was accepted alright, but it seems not to work. Is there any way to see some extra log info so I could trace the problem?
 
de2Zotjes commented:
There is always the LOG target, you can stick that before the SNAT target rule. After a LOG jump parsing continues, so you get both matches :-)

Basically do this:
iptables -L -t nat --line-numbers
note what rule number the SNAT target rule is (=RNR)
then:
iptables -t nat -I POSTROUTING <RNR> -p tcp -s localhost --sport 24999 -j LOG

This will insert a rule with the same matching parameters, but a LOG target before the SNAT rule. There are a few parameters specific to LOG, the most useful being --log-prefix. If you use that and give it a sufficiently unique prefix, it becomes trivial to grep the lines out of a big log file.
BTW, you need a running syslog and you need to store messages of level warning (or you up the level in iptables).

A next step could be to run tcpdump (or ethereal if you use X/GTK), either capturing everything, or using a filter of (host xxx.xxx.xxx.82 && port 443).
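The LOG procedure in the comment above, as an added example that is not part of the original post: the rule number is read from a constructed copy of the iptables -t nat -L POSTROUTING -n --line-numbers listing, the insert command is built from it, and a few constructed syslog lines are reduced to the fields that matter. The prefix, addresses and rule number are assumptions for illustration. One caveat the post does not mention: nat chains are consulted only for the packet that creates a connection, so a LOG rule placed next to the SNAT rule never sees the application's reply packets; the second command logs from the mangle table, which every packet traverses.

```shell
#!/bin/sh
# Added example (not from the thread): the LOG-before-SNAT procedure as shell
# functions that can be exercised on captured text. The listing and the syslog
# lines are constructed samples; prefix, addresses and rule number are assumed.

# Constructed output of: iptables -t nat -L POSTROUTING -n --line-numbers
SAMPLE_LISTING='Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  10.0.0.0/8           0.0.0.0/0
2    SNAT       tcp  --  127.0.0.1            0.0.0.0/0           tcp spt:24999 to:192.0.2.82:443'

# Print the number of the first SNAT rule that matches source port $1
# (listing text on stdin); prints nothing if there is no such rule.
snat_rule_number() {
    awk -v port="$1" '$2 == "SNAT" && $0 ~ ("spt:" port) { print $1; exit }'
}

# The insert command from the post, with the table named explicitly: the SNAT
# rule lives in the nat table, so the LOG rule must go there too (the filter
# table has no POSTROUTING chain). LOG prefixes are limited to 29 characters.
log_insert_cmd() {
    rnr=$1; prefix=$2
    echo "iptables -t nat -I POSTROUTING $rnr -p tcp -s 127.0.0.1 --sport 24999 -j LOG --log-prefix \"$prefix\""
}

# Caveat: nat chains are traversed only by the first packet of a connection,
# so a LOG rule there never sees reply packets. To log every packet leaving
# with source port 24999, hook the mangle table instead.
log_every_packet_cmd() {
    prefix=$1
    echo "iptables -t mangle -A POSTROUTING -p tcp --sport 24999 -j LOG --log-prefix \"$prefix\""
}

# Constructed kernel log lines as syslog stores them at level warning.
SAMPLE_LOG='Mar  3 10:15:01 gw kernel: RDR-24999: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.82 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1337 DF PROTO=TCP SPT=33422 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:15:01 gw kernel: RDR-24999: IN= OUT=eth0 SRC=192.0.2.82 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=33422 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Mar  3 10:15:02 gw kernel: OTHER: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.81 LEN=40 PROTO=TCP SPT=4444 DPT=25 SYN URGP=0'

# Keep only the lines carrying prefix $1 (log text on stdin) and reduce each
# to "in=IF out=IF SRC:SPT -> DST:DPT" so the path of a packet is readable.
grep_log() {
    prefix=$1
    grep -F "kernel: $prefix" | awk '{
        in_if = ""; out_if = ""; src = ""; dst = ""; spt = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "IN")  in_if  = kv[2];
            if (kv[1] == "OUT") out_if = kv[2];
            if (kv[1] == "SRC") src = kv[2];
            if (kv[1] == "DST") dst = kv[2];
            if (kv[1] == "SPT") spt = kv[2];
            if (kv[1] == "DPT") dpt = kv[2];
        }
        printf "in=%s out=%s %s:%s -> %s:%s\n", in_if, out_if, src, spt, dst, dpt
    }'
}

# Usage (as root, with real listing and log):
#   rnr=$(iptables -t nat -L POSTROUTING -n --line-numbers | snat_rule_number 24999)
#   log_insert_cmd "$rnr" "SNAT-DBG:" | sh
#   grep_log "SNAT-DBG:" < /var/log/messages
```

An empty result from grep_log after traffic has been sent is itself the answer: the match in front of the SNAT rule never fires, which is what to expect from a nat-table rule for reply packets.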
 
ahoffmann commented:
> The problem is that when the application answers to localhost so I don't get a reply.
why does it answer to localhost instead of the correct IP? Fix the application.
 
FilipsFreelancer (author) commented:
I guess the application gets a request from xxx.xxx.xxx.81:24999 because of the PREROUTING and so answers to that same address (not to localhost).
 
ahoffmann commented:
OK, you need something like:
iptables -I FORWARD 1 -i eth0 -p tcp -d xxx.xxx.xxx.82 --dport 24999 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.81 --dport 443 -j DNAT --to xxx.xxx.xxx.82:24999

 
FilipsFreelancer (author) commented:
I didn't manage to make a connection yet. Instead I tried it with webmin and it worked, that is, I can contact my server through port 443 and do most of the tasks I want to do.

Thanks
Filips