iptables: port rerouting with transparent proxy rules does not work

Asked by real_icecoke. Last Modified: 2012-06-27
Hi,
I have to reroute incoming traffic from 10.0.0.1 on port 110 to another machine 10.0.0.2 without losing the source IP, so SNAT is not an option.
I tried to set up iptables as a transparent proxy with MARK rules but it does not work. Here are some details:

setup for iptables and routing:
modprobe iptable_mangle
iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp -d 10.0.0.1 --dport 110
ip rule add fwmark 3 table 2
ip route add default via 10.0.0.2 dev eth0 table 2

no other rules are active:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination



The marking of the specified packet seems to work:
# iptables -t mangle -L -vv
Chain PREROUTING (policy ACCEPT 987K packets, 691M bytes)
 pkts bytes target     prot opt in     out     source               destination
   29  1301 MARK       tcp  --  any    any     anywhere             10.0.0.1 tcp dpt:pop3 MARK set 0x3

Chain INPUT (policy ACCEPT 987K packets, 691M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 222 packets, 12580 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 838K packets, 723M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 838K packets, 723M bytes)
 pkts bytes target     prot opt in     out     source               destination
libiptc v1.4.1.1. 1112 bytes.
Table `mangle'
Hooks: pre/in/fwd/out/post = 0/344/492/640/788
Underflows: pre/in/fwd/out/post = 196/344/492/640/788
Entry 0 (0):
SRC IP: 0.0.0.0/0.0.0.0
DST IP: 10.0.0.1/255.255.255.255
Interface: `'/................to `'/................
Protocol: 6
Flags: 00
Invflags: 00
Counters: 29 packets, 1301 bytes
Cache: 00000000
Match name: `tcp'
Target name: `MARK' [40]
.
.
.

If I connect to port 110 the counter will increase the count for packets and bytes.


The rule for marked packets:
# ip rule show
0:      from all lookup local
32765:  from all fwmark 0x3 lookup 2
32766:  from all lookup main
32767:  from all lookup default

the special default route for marked packets:
# ip route show dev eth0 table 2
default via 10.0.0.2

some /proc details:
# cat /proc/sys/net/ipv4/ip_forward
1
# ll /proc/sys/net/ipv4/conf/*/rp_filter
-rw-r--r--    1 root     root            0 12. Sep 11:19 /proc/sys/net/ipv4/conf/all/rp_filter
-rw-r--r--    1 root     root            0 12. Sep 11:19 /proc/sys/net/ipv4/conf/default/rp_filter
-rw-r--r--    1 root     root            0 12. Sep 11:19 /proc/sys/net/ipv4/conf/eth0/rp_filter
-rw-r--r--    1 root     root            0 12. Sep 11:19 /proc/sys/net/ipv4/conf/lo/rp_filter
# cat /proc/sys/net/ipv4/conf/*/rp_filter
0
0
0
0



The rerouting simply does not work. A connection to port 110 on machine 10.0.0.1 will still be processed locally and no packet will leave the machine. The rule for routing marked packets is ignored. The kernel (2.6.16) is compiled according to

http://tldp.org/HOWTO/TransparentProxy-3.html


I think there must be something wrong in /proc so rerouting is prevented.

Many thanks in advance to all experts out there!

icecoke
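An added example, written for this page; it is not the poster's code and not an answer from the thread. In the `ip rule show` output above, the `from all lookup local` rule sits at preference 0 and the `fwmark 0x3` rule at 32765. Rules are evaluated in preference order, and a packet addressed to a local IP such as 10.0.0.1 already matches a `local` route in table local, so the fwmark rule is never consulted for it. The script below prints (or, with APPLY=1 as root, executes) a setup that places the fwmark rule ahead of a relocated local-table rule, the same reordering the kernel's VRF documentation uses, and includes a check that reads `ip rule show` output and confirms that order. Assumed values, not from the question: mark 3 and table 2 are kept from the posted setup, preference 100 for the relocated local rule and 99 for the fwmark rule are my choice, and the function names are mine. It does not cover the other half of the job: 10.0.0.2 must be willing to accept TCP segments addressed to 10.0.0.1 and answer them with source 10.0.0.1, which the question does not describe.

```shell
#!/bin/sh
# Added example, not from the original question. Generates the commands for
# fwmark-based rerouting of port 110 with the "lookup local" rule moved
# behind the fwmark rule, and checks `ip rule show` output for that order.
# Assumed values: mark 3, table 2, preference 100 for the relocated local
# rule (99 for the fwmark rule); 10.0.0.1, 10.0.0.2 and port 110 are the
# question's own values.

# Print the setup commands. Arguments: local IP, TCP port, next hop,
# then optional mark, table and preference for the relocated local rule.
reroute_cmds() {
    mark=${4:-3}; table=${5:-2}; local_pref=${6:-100}
    # The new local-table rule is added before the old one at pref 0 is
    # deleted, so the host is never without a local table lookup.
    cat <<EOF
iptables -t mangle -A PREROUTING -p tcp -d $1 --dport $2 -j MARK --set-mark $mark
ip rule add pref $((local_pref - 1)) fwmark $mark table $table
ip rule add pref $local_pref table local
ip rule del pref 0
ip route add default via $3 table $table
EOF
}

# Read `ip rule show` output on stdin; succeed only if a rule for the given
# fwmark (as ip prints it, e.g. 0x3) appears before the "lookup local" rule.
# Fails if "lookup local" comes first or no rule for the mark is listed.
fwmark_precedes_local() {
    awk -v mark="$1" '
        /lookup local/ && !seen { exit 1 }
        index($0, "fwmark " mark " ") { seen = 1 }
        END { if (!seen) exit 1 }
    '
}

if [ "$APPLY" = 1 ]; then
    # Execute the setup (needs root), then verify the resulting rule order.
    reroute_cmds 10.0.0.1 110 10.0.0.2 | sh -e
    ip rule show | fwmark_precedes_local 0x3 \
        && echo "fwmark rule precedes local lookup"
else
    # Dry run: only print what would be executed.
    reroute_cmds 10.0.0.1 110 10.0.0.2
fi
```

Without APPLY the script only prints the five commands, so it can be reviewed before touching the routing tables. After applying, `ip rule show | fwmark_precedes_local 0x3` should succeed; on the rule set posted above it fails, because `lookup local` is listed first.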