LinuxQuestions.org
Old 03-05-2009, 09:53 AM   #1
RattleSn@ke
tcp proxy with one nic, redirect traffic to other IP


Hi All,

I have the following situation:

[HOST_A]:TCP to port6060 --> eth0-[HOST_B]-eth0 --> [HOST_C]

IP HOST_C = zz.zz.zz.zz (can be any host on the internet)
IP HOST_B = xx.xx.xx.xx
IP HOST_C = yy.yy.yy.yy

I need to redirect incoming traffic on HOST_B on e.g. port 6060 to HOST_C port 80. This is because HOST_C only allows traffic on port 80 from configured IP addresses.

So my goal is to have another host connecting to port 6060 on HOST_B, which in turn redirects that traffic to HOST_C so HOST_C thinks the traffic is coming from HOST_B.

The rules I found on the internet are:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6060 -j DNAT --to yy.yy.yy.yy:80
iptables -t nat -A POSTROUTING -p tcp --dst yy.yy.yy.yy --dport 80 -j SNAT --to xx.xx.xx.xx
iptables -t nat -A OUTPUT --dst xx.xx.xx.xx -p tcp --dport 6060 -j DNAT --to yy.yy.yy.yy:80

But it doesn't work completely. If I telnet localhost 6060 on HOST_B, my traffic is redirected to HOST_C, but from the outside, with telnet xx.xx.xx.xx 6060, my traffic is not being redirected.

Does anyone have any ideas? I enabled IPv4 forwarding.

I hope that someone can point me in the right direction.

Thanks!
Onno.

[EDIT]
OK, more strange things: when I run "tcpdump host zz.zz.zz.zz and host yy.yy.yy.yy" it suddenly works!! So tcpdump does 'something', because when I stop tcpdump the whole thing stops working and my traffic stops being redirected. Below is some output from tcpdump:
Code:
-bash-3.2# tcpdump host [HOST_A] or host [HOST_C]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
19:31:05.463761 IP [HOST_A].54276 > [HOST_B].6060: S 1370221981:1370221981(0) win 16384 <mss 1460,nop,nop,sackOK>
19:31:05.464267 IP [HOST_B].54276 > [HOST_C].http: S 1370221981:1370221981(0) win 16384 <mss 1460,nop,nop,sackOK>
19:31:05.464338 IP [HOST_C].http > [HOST_B].54276: S 1940932723:1940932723(0) ack 1370221982 win 65535 <mss 1460,sackOK,eol>
19:31:05.464345 IP [HOST_B].6060 > [HOST_A].54276: S 1940932723:1940932723(0) ack 1370221982 win 65535 <mss 1460,sackOK,eol>
19:31:05.495415 IP [HOST_A].54276 > [HOST_B].6060: . ack 1 win 17520
19:31:05.495427 IP [HOST_B].54276 > [HOST_C].http: . ack 1 win 17520
19:31:13.571384 IP [HOST_A].54276 > [HOST_B].6060: P 1:2(1) ack 1 win 17520
19:31:13.571401 IP [HOST_B].54276 > [HOST_C].http: P 1:2(1) ack 1 win 17520
19:31:13.671615 IP [HOST_C].http > [HOST_B].54276: . ack 2 win 65535
19:31:13.671628 IP [HOST_B].6060 > [HOST_A].54276: . ack 2 win 65535
19:31:13.905020 IP [HOST_A].54276 > [HOST_B].6060: P 2:5(3) ack 1 win 17520
19:31:13.905033 IP [HOST_B].54276 > [HOST_C].http: P 2:5(3) ack 1 win 17520
19:31:14.004616 IP [HOST_C].http > [HOST_B].54276: . ack 5 win 65535
19:31:14.004627 IP [HOST_B].6060 > [HOST_A].54276: . ack 5 win 65535
19:31:14.935235 IP [HOST_A].54276 > [HOST_B].6060: P 5:7(2) ack 1 win 17520
19:31:14.935246 IP [HOST_B].54276 > [HOST_C].http: P 5:7(2) ack 1 win 17520
19:31:14.937750 IP [HOST_C].http > [HOST_B].54276: P 1:308(307) ack 7 win 65535
19:31:14.937762 IP [HOST_B].6060 > [HOST_A].54276: P 1:308(307) ack 7 win 65535
19:31:14.938051 IP [HOST_C].http > [HOST_B].54276: F 308:308(0) ack 7 win 65535
19:31:14.938061 IP [HOST_B].6060 > [HOST_A].54276: F 308:308(0) ack 7 win 65535
19:31:14.969568 IP [HOST_A].54276 > [HOST_B].6060: . ack 309 win 17213
19:31:14.969579 IP [HOST_B].54276 > [HOST_C].http: . ack 309 win 17213
19:31:14.971522 IP [HOST_A].54276 > [HOST_B].6060: F 7:7(0) ack 309 win 17213
19:31:14.971533 IP [HOST_B].54276 > [HOST_C].http: F 7:7(0) ack 309 win 17213
19:31:14.972041 IP [HOST_C].http > [HOST_B].54276: . ack 8 win 65534
19:31:14.972056 IP [HOST_B].6060 > [HOST_A].54276: . ack 8 win 65534

Last edited by RattleSn@ke; 03-05-2009 at 12:43 PM. Reason: extra info
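A check worth running on a capture like the one above, added here by the editor and not code from the thread: it pairs each packet that enters HOST_B with the rewritten copy tcpdump shows leaving it, using the TCP flags, sequence numbers and ack number that NAT must leave intact. It assumes the tcpdump line format printed above (no -n, so port 80 shows as "http") and keeps the bracketed placeholder host names; the function names and the two sample captures are the editor's, the "broken" one being constructed to show the failure case.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# tcpdump line layout as printed in the thread (no -n, so port 80 shows as "http");
# the bracketed placeholder host names are kept exactly as the poster wrote them.
PKT_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>.+?)\.(?P<sport>[^.\s]+) > '
    r'(?P<dst>.+?)\.(?P<dport>[^.\s]+): (?P<flags>\S+) (?P<rest>.*)$')
SEQ_RE = re.compile(r'(\d+):(\d+)\((\d+)\)')   # "start:end(len)"
ACK_RE = re.compile(r'\back (\d+)')


@dataclass
class Packet:
    ts: str
    src: str
    sport: str
    dst: str
    dport: str
    flags: str
    seq: Optional[Tuple[int, int, int]]   # None on pure ACKs
    ack: Optional[int]

    def invariant(self):
        # NAT rewrites addresses and ports only; flags, sequence numbers and the
        # ack number survive unchanged, so they identify the rewritten copy.
        return (self.flags, self.seq, self.ack)


def parse(capture: str):
    pkts = []
    for line in capture.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        s = SEQ_RE.search(m['rest'])
        a = ACK_RE.search(m['rest'])
        pkts.append(Packet(m['ts'], m['src'], m['sport'], m['dst'], m['dport'],
                           m['flags'],
                           tuple(int(x) for x in s.groups()) if s else None,
                           int(a.group(1)) if a else None))
    return pkts


def verify_nat(capture, host_a, host_b, host_c, listen_port='6060', target_port='http'):
    """Count packets whose NAT-rewritten twin immediately follows them.

    forward: A:p -> B:listen_port must be followed by B:p -> C:target_port;
    reverse: C:target_port -> B:p must be followed by B:listen_port -> A:p.
    A packet without its twin is reported in 'unmatched' with its timestamp.
    """
    pkts = parse(capture)
    result = {'forward': 0, 'reverse': 0, 'unmatched': []}
    for i, p in enumerate(pkts):
        nxt = pkts[i + 1] if i + 1 < len(pkts) else None
        if p.src == host_a and p.dst == host_b and p.dport == listen_port:
            direction = 'forward'
            twin = (nxt is not None and nxt.src == host_b and nxt.sport == p.sport
                    and nxt.dst == host_c and nxt.dport == target_port
                    and nxt.invariant() == p.invariant())
        elif p.src == host_c and p.sport == target_port and p.dst == host_b:
            direction = 'reverse'
            twin = (nxt is not None and nxt.src == host_b and nxt.sport == listen_port
                    and nxt.dst == host_a and nxt.dport == p.dport
                    and nxt.invariant() == p.invariant())
        else:
            continue   # the rewritten copies themselves, or unrelated traffic
        if twin:
            result[direction] += 1
        else:
            result['unmatched'].append((direction, p.ts))
    return result


# Constructed sample: handshake, first request byte and the response, taken from
# the working capture in the post above.
WORKING = """\
19:31:05.463761 IP [HOST_A].54276 > [HOST_B].6060: S 1370221981:1370221981(0) win 16384 <mss 1460,nop,nop,sackOK>
19:31:05.464267 IP [HOST_B].54276 > [HOST_C].http: S 1370221981:1370221981(0) win 16384 <mss 1460,nop,nop,sackOK>
19:31:05.464338 IP [HOST_C].http > [HOST_B].54276: S 1940932723:1940932723(0) ack 1370221982 win 65535 <mss 1460,sackOK,eol>
19:31:05.464345 IP [HOST_B].6060 > [HOST_A].54276: S 1940932723:1940932723(0) ack 1370221982 win 65535 <mss 1460,sackOK,eol>
19:31:05.495415 IP [HOST_A].54276 > [HOST_B].6060: . ack 1 win 17520
19:31:05.495427 IP [HOST_B].54276 > [HOST_C].http: . ack 1 win 17520
19:31:13.571384 IP [HOST_A].54276 > [HOST_B].6060: P 1:2(1) ack 1 win 17520
19:31:13.571401 IP [HOST_B].54276 > [HOST_C].http: P 1:2(1) ack 1 win 17520
19:31:14.937750 IP [HOST_C].http > [HOST_B].54276: P 1:308(307) ack 7 win 65535
19:31:14.937762 IP [HOST_B].6060 > [HOST_A].54276: P 1:308(307) ack 7 win 65535
"""

# Constructed sample of the failing case: the SYN from HOST_A (and its retransmit)
# arrives on eth0 but no rewritten copy toward HOST_C ever follows it.
BROKEN = """\
19:31:05.463761 IP [HOST_A].54276 > [HOST_B].6060: S 1370221981:1370221981(0) win 16384 <mss 1460,nop,nop,sackOK>
19:31:08.463761 IP [HOST_A].54276 > [HOST_B].6060: S 1370221981:1370221981(0) win 16384 <mss 1460,nop,nop,sackOK>
"""

if __name__ == '__main__':
    for name, cap in (('working', WORKING), ('broken', BROKEN)):
        print(name, verify_nat(cap, '[HOST_A]', '[HOST_B]', '[HOST_C]'))
```

Feed it the output of a capture filtered on HOST_A and HOST_C as in the post. An unmatched 'forward' entry means the inbound packet reached eth0 but nothing rewritten left for HOST_C, which points at the NAT or forwarding setup on HOST_B rather than at reachability of HOST_C; an unmatched 'reverse' entry means the reply came back but was not translated towards HOST_A.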
 
Old 03-07-2009, 09:27 PM   #2
rossonieri#1
hi snake,

Quote:
The rules I found on the internet are:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6060 -j DNAT --to yy.yy.yy.yy:80
iptables -t nat -A POSTROUTING -p tcp --dst yy.yy.yy.yy --dport 80 -j SNAT --to xx.xx.xx.xx
iptables -t nat -A OUTPUT --dst xx.xx.xx.xx -p tcp --dport 6060 -j DNAT --to yy.yy.yy.yy:80
I think you should be more specific with the 2nd and 3rd rules, since you did not specify which interface should handle/process the rule, and in which direction.

Quote:
But it doesn't work completely. If on HOST_B I telnet localhost 6060 my traffic is redirected to HOST_C, but from the outside, telnet xx.xx.xx.xx 6060 my traffic is not being redirected.
Exactly. That is because your POSTROUTING/OUTPUT chains look pretty messy (no offense).
Optionally, you don't need the 2nd and 3rd rules if you don't use some kind of NAT.

HTH.
 
Old 03-09-2009, 05:44 AM   #3
RattleSn@ke
Quote:
Originally Posted by rossonieri#1
hi snake,

I think you should be more specific with the 2nd and 3rd rules, since you did not specify which interface should handle/process the rule, and in which direction.

Exactly. That is because your POSTROUTING/OUTPUT chains look pretty messy (no offense).
Optionally, you don't need the 2nd and 3rd rules if you don't use some kind of NAT.

HTH.
Dear HTH,

No offense taken. ;o) And thank you for your reply.

I changed the rules:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 6060 -j DNAT --to-destination [HOST_C]:80
iptables -t nat -A POSTROUTING -d [HOST_C] -p tcp -m tcp --dport 80 -j SNAT --to-source [HOST_B]
iptables -t nat -A OUTPUT -o eth0 -d [HOST_B] -p tcp -m tcp --dport 6060 -j DNAT --to-destination [HOST_C]:80

but this breaks everything; now even when I do a telnet [HOST_B] 6060 while I'm on [HOST_B], it fails. If I add the rules without specifying an interface, it works while you're on [HOST_B].

I hope you have any ideas left. My only goal with this is to have people (let's name that host_a) connect to port 6060 on host_b; then host_b has to redirect (and masquerade) that traffic to host_c on port 80, so that host_c thinks the traffic is coming from host_b and sends its replies back to host_b, which in turn redirects them back to host_a. I tried this using squid, but that failed to work properly. PLEASE NOTE: traffic enters host_b on eth0 and exits eth0 to host_c.

Thanks again.
Onno.

Last edited by RattleSn@ke; 03-09-2009 at 06:02 AM. Reason: xtra info.
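To see why adding an interface match to the OUTPUT rule changes what a local telnet does, here is a small model of nat-table traversal, added by the editor and not code from the thread or from netfilter itself. It is deliberately simplified: the first matching rule in a chain wins, a packet for one of HOST_B's own addresses is routed via lo (so that is the out interface -o sees in OUTPUT), and ip_forward, conntrack and the filter table's FORWARD chain are assumed to permit the flow and are not modelled. The addresses are the placeholders from the thread; the Rule/Pkt types and function names are the editor's.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Placeholder addresses as used in the thread (constructed, not real hosts).
HOST_A, HOST_B, HOST_C = "zz.zz.zz.zz", "xx.xx.xx.xx", "yy.yy.yy.yy"
LOCAL_ADDRS = {HOST_B, "127.0.0.1"}   # addresses that belong to HOST_B itself


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int
    iif: Optional[str] = None   # interface it arrived on; None = generated on HOST_B


@dataclass(frozen=True)
class Rule:
    chain: str                    # nat-table chain: PREROUTING, OUTPUT or POSTROUTING
    target: str                   # DNAT or SNAT
    to: Tuple[str, Optional[int]] # --to-destination addr:port / --to-source addr
    iif: Optional[str] = None     # -i
    oif: Optional[str] = None     # -o
    dst: Optional[str] = None     # -d
    dport: Optional[int] = None   # --dport


def out_interface(dst: str) -> str:
    # Routing decision (modelled): packets for one of our own addresses leave via
    # lo, everything else via the single NIC eth0.
    return "lo" if dst in LOCAL_ADDRS else "eth0"


def matches(rule: Rule, pkt: Pkt, oif: Optional[str]) -> bool:
    return ((rule.iif is None or rule.iif == pkt.iif)
            and (rule.oif is None or rule.oif == oif)
            and (rule.dst is None or rule.dst == pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def run_chain(rules, chain, pkt):
    """First matching rule wins; the nat table is consulted once per flow."""
    oif = None if chain == "PREROUTING" else out_interface(pkt.dst)
    for r in rules:
        if r.chain == chain and matches(r, pkt, oif):
            if r.target == "DNAT":
                return replace(pkt, dst=r.to[0], dport=r.to[1]), r
            return replace(pkt, src=r.to[0]), r
    return pkt, None


def nat_path(rules, pkt):
    """Return (rules that fired, packet after NAT, where it ends up).

    Packets arriving on an interface hit PREROUTING, locally generated ones hit
    OUTPUT; the (possibly rewritten) destination then decides between local
    delivery (INPUT) and forwarding out of eth0 through POSTROUTING.
    """
    fired = []
    chain = "PREROUTING" if pkt.iif else "OUTPUT"
    pkt, r = run_chain(rules, chain, pkt)
    if r:
        fired.append((chain, r.target))
    if pkt.dst in LOCAL_ADDRS:
        return fired, pkt, "INPUT"
    pkt, r = run_chain(rules, "POSTROUTING", pkt)
    if r:
        fired.append(("POSTROUTING", r.target))
    return fired, pkt, "FORWARD->eth0"


# Post #1's rules, and post #3's variant with -o eth0 added to the OUTPUT rule.
RULES_POST1 = [
    Rule("PREROUTING", "DNAT", (HOST_C, 80), iif="eth0", dport=6060),
    Rule("POSTROUTING", "SNAT", (HOST_B, None), dst=HOST_C, dport=80),
    Rule("OUTPUT", "DNAT", (HOST_C, 80), dst=HOST_B, dport=6060),
]
RULES_POST3 = [
    Rule("PREROUTING", "DNAT", (HOST_C, 80), iif="eth0", dport=6060),
    Rule("POSTROUTING", "SNAT", (HOST_B, None), dst=HOST_C, dport=80),
    Rule("OUTPUT", "DNAT", (HOST_C, 80), oif="eth0", dst=HOST_B, dport=6060),
]

EXTERNAL = Pkt(HOST_A, HOST_B, 6060, iif="eth0")   # telnet xx.xx.xx.xx 6060 from HOST_A
LOCAL = Pkt(HOST_B, HOST_B, 6060)                  # the same telnet run on HOST_B itself

if __name__ == "__main__":
    for name, rules in (("post #1", RULES_POST1), ("post #3", RULES_POST3)):
        for label, pkt in (("external", EXTERNAL), ("local", LOCAL)):
            print(name, label, nat_path(rules, pkt))
```

In this model the two rulesets treat the external flow identically (PREROUTING DNAT, then POSTROUTING SNAT), so the interface match does not explain the outside failure; for the local telnet, however, the OUTPUT chain sees lo as the out interface, so post #3's `-o eth0` rule never fires and the connection is delivered to port 6060 on HOST_B itself instead of being sent to HOST_C. The rule in post #1, with no `-o`, matches that local flow. Whether the external flow is then actually forwarded depends on ip_forward and the FORWARD chain, which the model leaves out.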
 
Old 03-09-2009, 07:34 AM   #4
rossonieri#1
hi onno,

OK, let me draw a little picture for you:

Code:
I have the following situation:

[HOST_A]:TCP to port6060 --> eth0-[HOST_B]-eth0 --> [HOST_C]

IP HOST_C = zz.zz.zz.zz (can be any host on the internet)
IP HOST_B = xx.xx.xx.xx
IP HOST_C = yy.yy.yy.yy
There is nothing wrong with your previous iptables rules actually; you don't need to change anything except, like I said before, they only need to be more specific on which interface should handle the process.
[edit]
and that you have host_C, so which one is A?
[/edit]

Last edited by rossonieri#1; 03-09-2009 at 07:49 AM.
 
  

