Solved

iptables REDIRECT --to-ports range

Posted on 2007-04-11
Last Modified: 2008-01-09
I have this rule
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 1234 -j REDIRECT --to-ports 12345-12347

There are actually two Qs
- it is supposed to redirect connections to 3 different ports 12345 12347 12347, however my server seems to ignore the last port 12347 - no connection is redirected there. Any ideas?
- if a new connection arrives, how is the destination port for this new connection determined? round-robin, least-occupied, first-that-connects, etc.?

Linux server 2.6.19-1.2911.fc6PAE #1 SMP Sat Feb 10 15:16:17 EST 2007 i686 athlon i386 GNU/Linux

Some document references please. No IMHO please.
Question by:ravenpl
LVL 11

Expert Comment

by:kblack05
ID: 18906944
Hi Ravenpl,

Can you please check to see what the filter layout says about why it's not working with:

iptables -L -vn


and

iptables -L -vn -t nat


And also check the PREROUTE rule to be sure you have the real IP addresses being prepended. That is to say if PREROUTE weren't enacted, you'd need a rule that looks like:

-j REDIRECT --to-ports 192.168.1.1:12345 192.168.1.1:12346 192.168.1.1:12347

I think it just hooks on the first available port. I don't know of any mechanism that allows round robin here, although you may be able to build that out.
LVL 43

Author Comment

by:ravenpl
ID: 18908386
> -j REDIRECT --to-ports 192.168.1.1:12345 192.168.1.1:12346 192.168.1.1:12347
this above is invalid.

I found that it's simply a bug. And in fact only the first port is being chosen every time.
LVL 11

Expert Comment

by:kblack05
ID: 18908848
To accomplish this I typically use a mirror port.
Are you perhaps working through a managed switch?
LVL 43

Author Comment

by:ravenpl
ID: 18909771
No, it's not a managed switch. And I don't think a mirror port is suitable for me.
My goal is to distribute connections to various local tcp/ports.
I worked around this, but was wondering why --to-ports is not working.
LVL 27

Accepted Solution

by:
Nopius earned 500 total points
ID: 18909855
ravenpl, hello.

What about pure facts. I've got sources of kernel 2.6.19.7 and iptables 1.3.7 and dug into netfilter sources (not much, but enough to understand). Iptables only parses your command line, and sets up max.tcp.port and min.tcp.port for your rule and it also assigns a flag
IP_NAT_RANGE_PROTO_SPECIFIED. Everything else is done inside kernel (all related files are in net/ipv4/netfilter/ subdirectory of kernel sources)

When packet is checked and satisfies your -j REDIRECT rule, we go there:
1) File ipt_REDIRECT.c,  function redirect_target()

I see that 'max' and 'min' (that we passed to iptables) are preserved here (that's good):

/* Transfer from original range. */
newrange = ((struct ip_nat_range) { mr->range[0].flags | IP_NAT_RANGE_MAP_IPS,  newdst, newdst,  mr->range[0].min, mr->range[0].max });

What is important in this function: return ip_nat_setup_info(ct, &newrange, hooknum);

2) File ip_nat_core.c, function ip_nat_setup_info()
What is important, call to: get_unique_tuple(&new_tuple, &curr_tuple, range, conntrack, maniptype);

3) File ip_nat_core.c, function get_unique_tuple()
I see here:
/* Only bother mapping if it's not already in range and unique */
        if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)
             || proto->in_range(tuple, maniptype, &range->min, &range->max))
            && !ip_nat_used_tuple(tuple, conntrack)) {
                ip_nat_proto_put(proto);
                return;
        }

We almost found the reason: proto->in_range(tuple, maniptype, &range->min, &range->max)
This function checks if original's packet destination port IS already in range 'min-max' and returns (without changing destination ports if yes). If NOT, we proceed with this code:
/* Last change: get protocol to try to obtain unique tuple. */
        proto->unique_tuple(tuple, range, maniptype, conntrack);

4) File ip_nat_proto_tcp.c function tcp_unique_tuple()
You may look to this function, it's quite small and self describing.
That's an algorithm of choosing new port:
for (i = 0; i < range_size; i++, port++) {
                *portptr = htons(min + port % range_size);
                if (!ip_nat_used_tuple(tuple, conntrack)) {
                        return 1;
                }
        }

Here 'port' is a local static variable (it increased by one for each new connection and keeps value), so we should have round robin behaviour for each new connection.

What I suggest, why your rule is not working, is a tcp destination port of original packet within the destination range, not as in your very first example, but something like:

iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 12345 -j REDIRECT --to-ports 12345-12347
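To see what the loop quoted in the answer above does with a stream of ordinary connections, here is a small Python model of the two kernel functions it walks through (the in_range shortcut in get_unique_tuple() and the static port counter in tcp_unique_tuple()). It is an added illustration, not kernel or iptables code; conntrack's ip_nat_used_tuple() is modelled as a set of 4-tuples, and all addresses and ports are constructed sample values.

```python
# Model of the REDIRECT port selection quoted from kernel 2.6.19 netfilter.
# Added illustration only; tuples are (src_ip, src_port, dst_ip, dst_port).

class RedirectModel:
    def __init__(self, min_port, max_port):
        self.min = min_port
        self.range_size = max_port - min_port + 1
        self.port = 0          # models the function-level 'static u_int16_t port'
        self.used = set()      # models tuples conntrack already tracks

    def in_range(self, dport):
        # proto->in_range(): is the original destination port already in min..max?
        return self.min <= dport < self.min + self.range_size

    def unique_tuple(self, src_ip, src_port, dst_ip):
        # tcp_unique_tuple(): try up to range_size candidates starting at 'port'
        for _ in range(self.range_size):
            cand = (src_ip, src_port, dst_ip, self.min + self.port % self.range_size)
            if cand not in self.used:
                return cand    # returns before the loop's port++ runs
            self.port += 1     # reached only when the candidate tuple is in use
        return None            # whole range exhausted for this client

    def redirect(self, src_ip, src_port, dst_ip, dport):
        # get_unique_tuple(): keep the port if it is in range and the tuple is unused
        orig = (src_ip, src_port, dst_ip, dport)
        if self.in_range(dport) and orig not in self.used:
            self.used.add(orig)
            return dport
        cand = self.unique_tuple(src_ip, src_port, dst_ip)
        if cand is None:
            return None
        self.used.add(cand)
        return cand[3]


def simulate(n_conns, min_port=12345, max_port=12347, dport=1234):
    """Chosen target port for n new connections from distinct client ports."""
    m = RedirectModel(min_port, max_port)
    return [m.redirect("10.0.0.%d" % (i % 5 + 1), 40000 + i, "1.2.3.4", dport)
            for i in range(n_conns)]


if __name__ == "__main__":
    print(simulate(6))   # every distinct client lands on the first port
```

Because the loop returns before its port++ executes, the static counter advances only when a candidate 4-tuple is already tracked by conntrack, so clients arriving on fresh source ports all get the first port of the range; the second and third ports are reached only when an identical 4-tuple collides.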
LVL 43

Author Comment

by:ravenpl
ID: 18925596
Thanx Nopius, I did such investigation as well. Unfortunately misunderstood it.
Filed http://bugzilla.kernel.org/show_bug.cgi?id=8325, which should answer everything.
Indeed it always chooses the first port, unless it can't (maybe other rule conflicts with this one).
Since not really answered, B only.
LVL 27

Expert Comment

by:Nopius
ID: 18928146
ravenpl. thank you for points. I don't have Linux locally to patch and test kernel, only sources... If this feature is important for you, it would be helpful to insert some printk() statements in netfilter code and see what really happens... From just viewing sources I may miss something important...
