LinuxQuestions.org
Linux - Networking
Old 11-10-2010, 05:44 PM   #1
wischad
LQ Newbie
 
Registered: Apr 2009
Location: Madison, WI
Distribution: Red Hat, CentOS, SUSE
Posts: 21

Rep: Reputation: 1
iptables nat prerouting redirect issue - rhel 5.5 64-bit


Wanted to see if anyone else has ever come across this. I have an ftp server running on RHEL 5.5 64-bit. I have the ftp daemon running as a non-privileged user, so since it cannot bind to ports less than 1024, I'm having the daemon listen on higher ports and using iptables to redirect the traffic accordingly.

I'm logging all the denied traffic and noticing that a small percentage of the packets are not getting redirected properly. For example, I'm redirecting 443 traffic to 8443 and have a rule to allow 8443 in the filter table. While an upload is running, I see about 1 packet per second that doesn't get redirected; it shows up in the filter table as 443 and is subsequently denied. Even if the traffic is allowed through in the filter table, the OS is not listening on that port and the ACK packet that was sent gets a RST packet back. It does not appear to impact the clients though, and the daemon logs are not complaining.

Anyone see this redirect problem before?

Chad
 
Old 11-12-2010, 08:29 AM   #2
wischad
LQ Newbie
 
Registered: Apr 2009
Location: Madison, WI
Distribution: Red Hat, CentOS, SUSE
Posts: 21

Original Poster
Rep: Reputation: 1
We did a sniffer trace yesterday and I'm having our network guys take a look at it. Here's the current config - iptables was set to redirect the following and accept all packets and log everything:

[root@madfdcvftppx01 ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:ftp redir ports 2121
REDIRECT tcp -- anywhere anywhere tcp dpt:ssh redir ports 2222
REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 8443
REDIRECT tcp -- anywhere anywhere tcp dpt:ftps redir ports 3333

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Here's what we see in the logs:

Nov 10 09:41:09 madfdcvftppx01 kernel: IN= OUT=eth0 SRC=<Server> DST=<Workstation> LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=47358 DF PROTO=TCP SPT=8443 DPT=3085 WINDOW=8576 RES=0x00 ACK FIN URGP=0
Nov 10 09:41:09 madfdcvftppx01 kernel: IN=eth0 OUT= MAC=00:50:56:ba:0a:a6:00:21:d8:0d:61:80:08:00 SRC=<Workstation> DST=<Server> LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=12597 DF PROTO=TCP SPT=3085 DPT=8443 WINDOW=63584 RES=0x00 ACK URGP=0
Nov 10 09:41:09 madfdcvftppx01 kernel: IN=eth0 OUT= MAC=00:50:56:ba:0a:a6:00:21:d8:0d:61:80:08:00 SRC=<Workstation> DST=<Server> LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=12598 DF PROTO=TCP SPT=3085 DPT=443 WINDOW=63584 RES=0x00 ACK URGP=0
Nov 10 09:41:09 madfdcvftppx01 kernel: IN= OUT=eth0 SRC=<Server> DST=<Workstation> LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=3085 WINDOW=0 RES=0x00 RST URGP=0
Nov 10 09:41:09 madfdcvftppx01 kernel: IN=eth0 OUT= MAC=00:50:56:ba:0a:a6:00:21:d8:0d:61:80:08:00 SRC=<Workstation> DST=<Server> LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=12599 DF PROTO=TCP SPT=3085 DPT=8443 WINDOW=63561 RES=0x00 ACK URGP=0
Nov 10 09:41:09 madfdcvftppx01 kernel: IN=eth0 OUT= MAC=00:50:56:ba:0a:a6:00:21:d8:0d:61:80:08:00 SRC=<Workstation> DST=<Server> LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=3085 DPT=8443 WINDOW=0 RES=0x00 ACK URGP=0

Anyone have any ideas? We shouldn't be seeing a 443 show up at all. The logging is in the filter table. The server sends back an RST because it is not listening on 443; it is listening on 8443.

Chad
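An added example, not part of this thread or from its poster: a small Python script that parses kernel LOG lines in the format shown in the two posts above and flags inbound packets that reached the filter table still carrying one of the original destination ports (21, 22, 443, 990, taken from the nat PREROUTING chain in post #2) without being the SYN that opens a connection, then pairs each one with the RST the host sent back from that port. The port map is copied from the post; the hostname, addresses and the sample log lines are constructed to mirror the post's lines.

```python
import re

# Port map copied from the nat PREROUTING chain shown in the post:
# original destination port -> port that REDIRECT rewrites it to.
REDIRECTS = {21: 2121, 22: 2222, 443: 8443, 990: 3333}

# Constructed sample in the format of the post's kernel LOG lines
# (hostname, addresses and IDs are made up). Line 3 is the symptom from the
# post: a mid-stream ACK that still has DPT=443; line 4 is the host's RST.
SAMPLE_LOG = """\
Nov 10 09:41:09 ftphost kernel: IN=eth0 OUT= MAC=00:50:56:ba:0a:a6:00:21:d8:0d:61:80:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=12590 DF PROTO=TCP SPT=3085 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 10 09:41:09 ftphost kernel: IN=eth0 OUT= MAC=00:50:56:ba:0a:a6:00:21:d8:0d:61:80:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=126 ID=12597 DF PROTO=TCP SPT=3085 DPT=8443 WINDOW=63584 RES=0x00 ACK URGP=0
Nov 10 09:41:09 ftphost kernel: IN=eth0 OUT= MAC=00:50:56:ba:0a:a6:00:21:d8:0d:61:80:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=12598 DF PROTO=TCP SPT=3085 DPT=443 WINDOW=63584 RES=0x00 ACK URGP=0
Nov 10 09:41:09 ftphost kernel: IN= OUT=eth0 SRC=192.0.2.1 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=3085 WINDOW=0 RES=0x00 RST URGP=0
Nov 10 09:41:11 ftphost kernel: IN=eth0 OUT= MAC=00:50:56:ba:0a:a6:00:21:d8:0d:61:80:08:00 SRC=192.0.2.20 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=900 DF PROTO=TCP SPT=4100 DPT=22 WINDOW=63584 RES=0x00 ACK PSH URGP=0
"""

_FIELD = re.compile(r"(\w+)=(\S*)")
_TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Parse one kernel LOG line into a dict; returns None for non-LOG lines.
    key=value pairs become entries (IN= with no value parses as ''), bare TCP
    flag words such as ACK or RST are collected into the 'flags' set."""
    if "kernel:" not in line:
        return None
    body = line.split("kernel:", 1)[1]
    pkt = dict(_FIELD.findall(body))
    pkt["flags"] = {tok for tok in body.split() if tok in _TCP_FLAGS}
    for key in ("SPT", "DPT"):
        if pkt.get(key):
            pkt[key] = int(pkt[key])
    return pkt


def find_untranslated(lines):
    """Inbound TCP packets whose DPT is still an original (pre-REDIRECT) port
    and that are not the SYN opening a connection. The nat table is only
    consulted for the first packet of a flow; every later packet is rewritten
    from the conntrack entry, so a mid-stream packet still showing DPT=443 in
    the filter table is one conntrack did not translate."""
    hits = []
    for line in lines:
        pkt = parse_log_line(line)
        if not pkt or pkt.get("PROTO") != "TCP" or not pkt.get("IN"):
            continue
        if pkt.get("DPT") in REDIRECTS and "SYN" not in pkt["flags"]:
            hits.append(pkt)
    return hits


def match_rst_replies(lines, hits):
    """Pair each untranslated packet with an outbound RST from the original
    port back to the client's port: that is the host answering from a port
    nothing listens on, the 'RST packet back' described in post #1."""
    rsts = set()
    for line in lines:
        pkt = parse_log_line(line)
        if pkt and pkt.get("OUT") and "RST" in pkt["flags"]:
            rsts.add((pkt["DST"], pkt["SPT"], pkt["DPT"]))
    return [(h, (h["SRC"], h["DPT"], h["SPT"]) in rsts) for h in hits]


def summarize(log_text):
    """Per original port: how many untranslated packets were logged and how
    many of them drew an RST from the host."""
    lines = log_text.splitlines()
    report = {}
    for pkt, got_rst in match_rst_replies(lines, find_untranslated(lines)):
        entry = report.setdefault(
            pkt["DPT"], {"redirect_to": REDIRECTS[pkt["DPT"]], "packets": 0, "rst": 0}
        )
        entry["packets"] += 1
        entry["rst"] += int(got_rst)
    return report


if __name__ == "__main__":
    for port, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"port {port} (should have been {info['redirect_to']}): "
              f"{info['packets']} untranslated packet(s), {info['rst']} answered with RST")
```

Run against a real /var/log/messages the script reads the same way; on the sample it reports one untranslated packet on 443 that was answered with a RST and one on 22 that was not. The reason such packets exist at all is that the nat table never sees a packet conntrack classifies as INVALID (for instance an ACK that falls outside the window conntrack is tracking, or one that arrives after the entry has gone), so that packet keeps its original port and hits the filter table exactly as the post shows. The posts do not show the filter table, so assuming it has no such rule yet, the usual mitigation is to drop INVALID packets ahead of the accept rules (on RHEL 5, `iptables -I INPUT -m state --state INVALID -j DROP`): the host then never answers from 443 with a RST, and the packet counter on that rule gives a direct measure of how often the leak happens.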
 
  

