Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

iptables REDIRECT --to-ports range

Posted on 2007-04-11
7
Medium Priority
?
5,742 Views
Last Modified: 2008-01-09
I have this rule
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 1234 -j REDIRECT --to-ports 12345-12347

There's actually two Qs
- it suppose to redirect connections to 3 different ports 12345 12347 12347, however my serwer seems to ignore the last port 12347 - no connection is redirected there. Any ideas?
- if new connections arrives, how is determined destination port for this new connection? round-robin, least-occupied, firt-that-connects, etc. ?

Linux server 2.6.19-1.2911.fc6PAE #1 SMP Sat Feb 10 15:16:17 EST 2007 i686 athlon i386 GNU/Linux

Some document references please. No IMHO please.
0
Comment
Question by:ravenpl
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
7 Comments
 
LVL 11

Expert Comment

by:kblack05
ID: 18906944
Hi Ravenpl,

Can you please check to see what the filter layout says about why it's not working with:

iptables -L -vn


and

iptables -L -vn -t nat


And also check the PREROUTE rule to be sure you have the real IP addresses being prepended. That is to say if PREROUTE were'nt enacted, you'ld need a rule that looks like:

-j REDIRECT --to-ports 192.168.1.1:12345 192.168.1.1:12346 192.168.1.1:12347

I think it just hooks on the first available port. I don't know of any mechanism that allows round robin here, although you may be able to build that out.
0
 
LVL 43

Author Comment

by:ravenpl
ID: 18908386
> -j REDIRECT --to-ports 192.168.1.1:12345 192.168.1.1:12346 192.168.1.1:12347
this above is invalid.

I found that it's simply bug. And in fact only first port is beeing choosen everytime.
0
 
LVL 11

Expert Comment

by:kblack05
ID: 18908848
To accomplish this I typically use a mirror port.
Are you perhaps working through a managed switch?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 43

Author Comment

by:ravenpl
ID: 18909771
No, it's not managed switch. And I don't think mirror port is suitable for me.
My goal is to distribute connections to various local tcp/ports.
I workarounded this, but was wandering why --to-ports is not working.
0
 
LVL 27

Accepted Solution

by:
Nopius earned 1500 total points
ID: 18909855
ravenpl, hello.

What about pure facts. I've got sources of kernel 2.6.19.7 and iptables 1.3.7 and digged into netfilter sources (not much, but enougth to understand). Iptables only parses your command line, and setup max.tcp.port and min.tcp.port for your rule and it also assigns a flag
IP_NAT_RANGE_PROTO_SPECIFIED. Everything else is done inside kernel (all related files are in net/ipv4/netfilter/ subdirectory of kernel sources)

When packet is checked and satisfies your -j REDIRECT rule, we go there:
1) File ipt_REDIRECT.c,  function redirect_target()

I see that 'max' and 'min' (that we passed to iptables) are preserved here (that's good):

/* Transfer from original range. */
newrange = ((struct ip_nat_range) { mr->range[0].flags | IP_NAT_RANGE_MAP_IPS,  newdst, newdst,  mr->range[0].min, mr->range[0].max });

What is impotent in this function: return ip_nat_setup_info(ct, &newrange, hooknum);

2) File ip_nat_core.c, function ip_nat_setup_info()
What is impotent, call to: get_unique_tuple(&new_tuple, &curr_tuple, range, conntrack, maniptype);

3) File ip_nat_core.c, function get_unique_tuple()
I see here:
/* Only bother mapping if it's not already in range and unique */
        if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)
             || proto->in_range(tuple, maniptype, &range->min, &range->max))
            && !ip_nat_used_tuple(tuple, conntrack)) {
                ip_nat_proto_put(proto);
                return;
        }

We almost found the reason: proto->in_range(tuple, maniptype, &range->min, &range->max)
This function checks if original's packet destination port IS already in range 'min-max' and returns (without changing destination ports if yes). If NOT, we proceed with this code:
/* Last change: get protocol to try to obtain unique tuple. */
        proto->unique_tuple(tuple, range, maniptype, conntrack);

3) File ip_nat_proto_tcp.c function tcp_unique_tuple()
You may look to this function, it's quiet small and self describing.
That's an algorithm of choosing new port:
for (i = 0; i < range_size; i++, port++) {
                *portptr = htons(min + port % range_size);
                if (!ip_nat_used_tuple(tuple, conntrack)) {
                        return 1;
                }
        }

Here 'port' is a local static variable (it increased by one for each new connection and keeps value), so we should have round robin behaviour for each new connection.

What I suggest, why your rule is not working, is a tcp destination port of original packet within the destination range, not as in your very first example, but something like:

iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 12345 -j REDIRECT --to-ports 12345-12347
0
 
LVL 43

Author Comment

by:ravenpl
ID: 18925596
Thanx Nopius, I did such investigation as well. Unfortunatelly misunderstood it.
Filled http://bugzilla.kernel.org/show_bug.cgi?id=8325, which should answer everything.
Indeed it alwas chooses first port, unless it can't (maybe other rule conflicts with this one).
Since not really answered, B only.
0
 
LVL 27

Expert Comment

by:Nopius
ID: 18928146
ravenpl. thank you for points. I don't have Linux locally to patch and test kernel, only sources... If this feature is impotent for you, It would be helpful to insert some printk() statements in netfilter code and see what really happens... From just viewing sources I may miss something impotent...

0

Featured Post

Quick Start: DOCKER

Sometimes you just need a Quick Start on a topic in order to begin using it.. this is just what you need to know to get up and running with Docker!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Fine Tune your automatic Updates for Ubuntu / Debian
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question