Solved

iptables REDIRECT --to-ports range

Posted on 2007-04-11
7
5,729 Views
Last Modified: 2008-01-09
I have this rule
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 1234 -j REDIRECT --to-ports 12345-12347

There's actually two Qs
- it suppose to redirect connections to 3 different ports 12345 12347 12347, however my serwer seems to ignore the last port 12347 - no connection is redirected there. Any ideas?
- if new connections arrives, how is determined destination port for this new connection? round-robin, least-occupied, firt-that-connects, etc. ?

Linux server 2.6.19-1.2911.fc6PAE #1 SMP Sat Feb 10 15:16:17 EST 2007 i686 athlon i386 GNU/Linux

Some document references please. No IMHO please.
0
Comment
Question by:ravenpl
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 11

Expert Comment

by:kblack05
ID: 18906944
Hi Ravenpl,

Can you please check to see what the filter layout says about why it's not working with:

iptables -L -vn


and

iptables -L -vn -t nat


And also check the PREROUTE rule to be sure you have the real IP addresses being prepended. That is to say if PREROUTE were'nt enacted, you'ld need a rule that looks like:

-j REDIRECT --to-ports 192.168.1.1:12345 192.168.1.1:12346 192.168.1.1:12347

I think it just hooks on the first available port. I don't know of any mechanism that allows round robin here, although you may be able to build that out.
0
 
LVL 43

Author Comment

by:ravenpl
ID: 18908386
> -j REDIRECT --to-ports 192.168.1.1:12345 192.168.1.1:12346 192.168.1.1:12347
this above is invalid.

I found that it's simply bug. And in fact only first port is beeing choosen everytime.
0
 
LVL 11

Expert Comment

by:kblack05
ID: 18908848
To accomplish this I typically use a mirror port.
Are you perhaps working through a managed switch?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 43

Author Comment

by:ravenpl
ID: 18909771
No, it's not managed switch. And I don't think mirror port is suitable for me.
My goal is to distribute connections to various local tcp/ports.
I workarounded this, but was wandering why --to-ports is not working.
0
 
LVL 27

Accepted Solution

by:
Nopius earned 500 total points
ID: 18909855
ravenpl, hello.

What about pure facts. I've got sources of kernel 2.6.19.7 and iptables 1.3.7 and digged into netfilter sources (not much, but enougth to understand). Iptables only parses your command line, and setup max.tcp.port and min.tcp.port for your rule and it also assigns a flag
IP_NAT_RANGE_PROTO_SPECIFIED. Everything else is done inside kernel (all related files are in net/ipv4/netfilter/ subdirectory of kernel sources)

When packet is checked and satisfies your -j REDIRECT rule, we go there:
1) File ipt_REDIRECT.c,  function redirect_target()

I see that 'max' and 'min' (that we passed to iptables) are preserved here (that's good):

/* Transfer from original range. */
newrange = ((struct ip_nat_range) { mr->range[0].flags | IP_NAT_RANGE_MAP_IPS,  newdst, newdst,  mr->range[0].min, mr->range[0].max });

What is impotent in this function: return ip_nat_setup_info(ct, &newrange, hooknum);

2) File ip_nat_core.c, function ip_nat_setup_info()
What is impotent, call to: get_unique_tuple(&new_tuple, &curr_tuple, range, conntrack, maniptype);

3) File ip_nat_core.c, function get_unique_tuple()
I see here:
/* Only bother mapping if it's not already in range and unique */
        if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)
             || proto->in_range(tuple, maniptype, &range->min, &range->max))
            && !ip_nat_used_tuple(tuple, conntrack)) {
                ip_nat_proto_put(proto);
                return;
        }

We almost found the reason: proto->in_range(tuple, maniptype, &range->min, &range->max)
This function checks if original's packet destination port IS already in range 'min-max' and returns (without changing destination ports if yes). If NOT, we proceed with this code:
/* Last change: get protocol to try to obtain unique tuple. */
        proto->unique_tuple(tuple, range, maniptype, conntrack);

3) File ip_nat_proto_tcp.c function tcp_unique_tuple()
You may look to this function, it's quiet small and self describing.
That's an algorithm of choosing new port:
for (i = 0; i < range_size; i++, port++) {
                *portptr = htons(min + port % range_size);
                if (!ip_nat_used_tuple(tuple, conntrack)) {
                        return 1;
                }
        }

Here 'port' is a local static variable (it increased by one for each new connection and keeps value), so we should have round robin behaviour for each new connection.

What I suggest, why your rule is not working, is a tcp destination port of original packet within the destination range, not as in your very first example, but something like:

iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 12345 -j REDIRECT --to-ports 12345-12347
0
 
LVL 43

Author Comment

by:ravenpl
ID: 18925596
Thanx Nopius, I did such investigation as well. Unfortunatelly misunderstood it.
Filled http://bugzilla.kernel.org/show_bug.cgi?id=8325, which should answer everything.
Indeed it alwas chooses first port, unless it can't (maybe other rule conflicts with this one).
Since not really answered, B only.
0
 
LVL 27

Expert Comment

by:Nopius
ID: 18928146
ravenpl. thank you for points. I don't have Linux locally to patch and test kernel, only sources... If this feature is impotent for you, It would be helpful to insert some printk() statements in netfilter code and see what really happens... From just viewing sources I may miss something impotent...

0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Fine Tune your automatic Updates for Ubuntu / Debian
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question