tcp proxy with one nic, redirect traffic to other IP

RattleSn@ke · 03-05-2009, 09:53 AM

Hi All,

I have the following situation:

[HOST_A]:TCP to port6060 --> eth0-[HOST_B]-eth0 --> [HOST_C]

IP HOST_C = zz.zz.zz.zz (can be any host on the internet)
IP HOST_B = xx.xx.xx.xx
IP HOST_C = yy.yy.yy.yy

I need to redirect incoming traffic on HOST_B on eg. port 6060 to HOST_C port 80. This because on HOST_C only traffic on port 80 is allowed from configured IP Addresses.

So my goal is to have another host connecting to port 6060 on HOST_B, which in turn redirects that traffic to HOST_C so HOST_C thinks the traffic is coming from HOST_B.

The rules I found on the internet are:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6060 -j DNAT --to yy.yy.yy.yy:80
iptables -t nat -A POSTROUTING -p tcp --dst yy.yy.yy.yy --dport 80 -j SNAT --to xx.xx.xx.xx
iptables -t nat -A OUTPUT --dst xx.xx.xx.xx -p tcp --dport 6060 -j DNAT --to yy.yy.yy.yy:80

But it doesn't work completely. If on HOST_B I telnet localhost 6060 my traffic is redirected to HOST_C, but from the outside, telnet xx.xx.xx.xx 6060 my traffic is not being redirected.

Someone any ideas? I enabled IPv4 forwarding

Hope that someone can point me into the right direction.

Thanks!
Onno.

[EDIT]
Ok, more strange things: When I run "tcpdump host zz.zz.zz.zz and host yy.yy.yy.yy" it suddenly works!! So tcpdump does 'something', because when I stop tcpdump, the whole thing stops working and my traffic stops being redirected. Below some output from tcpdump:

Code:

-bash-3.2# tcpdump host [HOST_A] or host [HOST_C]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
19:31:05.463761 IP [HOST_A].54276 > [HOST_B].6060: S 1370221981:1370221981(0) win 16384 <mss 1460,nop,nop,sackOK>
19:31:05.464267 IP [HOST_B].54276 > [HOST_C].http: S 1370221981:1370221981(0) win 16384 <mss 1460,nop,nop,sackOK>
19:31:05.464338 IP [HOST_C].http > [HOST_B].54276: S 1940932723:1940932723(0) ack 1370221982 win 65535 <mss 1460,sackOK,eol>
19:31:05.464345 IP [HOST_B].6060 > [HOST_A].54276: S 1940932723:1940932723(0) ack 1370221982 win 65535 <mss 1460,sackOK,eol>
19:31:05.495415 IP [HOST_A].54276 > [HOST_B].6060: . ack 1 win 17520
19:31:05.495427 IP [HOST_B].54276 > [HOST_C].http: . ack 1 win 17520
19:31:13.571384 IP [HOST_A].54276 > [HOST_B].6060: P 1:2(1) ack 1 win 17520
19:31:13.571401 IP [HOST_B].54276 > [HOST_C].http: P 1:2(1) ack 1 win 17520
19:31:13.671615 IP [HOST_C].http > [HOST_B].54276: . ack 2 win 65535
19:31:13.671628 IP [HOST_B].6060 > [HOST_A].54276: . ack 2 win 65535
19:31:13.905020 IP [HOST_A].54276 > [HOST_B].6060: P 2:5(3) ack 1 win 17520
19:31:13.905033 IP [HOST_B].54276 > [HOST_C].http: P 2:5(3) ack 1 win 17520
19:31:14.004616 IP [HOST_C].http > [HOST_B].54276: . ack 5 win 65535
19:31:14.004627 IP [HOST_B].6060 > [HOST_A].54276: . ack 5 win 65535
19:31:14.935235 IP [HOST_A].54276 > [HOST_B].6060: P 5:7(2) ack 1 win 17520
19:31:14.935246 IP [HOST_B].54276 > [HOST_C].http: P 5:7(2) ack 1 win 17520
19:31:14.937750 IP [HOST_C].http > [HOST_B].54276: P 1:308(307) ack 7 win 65535
19:31:14.937762 IP [HOST_B].6060 > [HOST_A].54276: P 1:308(307) ack 7 win 65535
19:31:14.938051 IP [HOST_C].http > [HOST_B].54276: F 308:308(0) ack 7 win 65535
19:31:14.938061 IP [HOST_B].6060 > [HOST_A].54276: F 308:308(0) ack 7 win 65535
19:31:14.969568 IP [HOST_A].54276 > [HOST_B].6060: . ack 309 win 17213
19:31:14.969579 IP [HOST_B].54276 > [HOST_C].http: . ack 309 win 17213
19:31:14.971522 IP [HOST_A].54276 > [HOST_B].6060: F 7:7(0) ack 309 win 17213
19:31:14.971533 IP [HOST_B].54276 > [HOST_C].http: F 7:7(0) ack 309 win 17213
19:31:14.972041 IP [HOST_C].http > [HOST_B].54276: . ack 8 win 65534
19:31:14.972056 IP [HOST_B].6060 > [HOST_A].54276: . ack 8 win 65534

rossonieri#1 · 03-07-2009, 09:27 PM

hi snake,

Quote:

The rules I found on the internet are:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6060 -j DNAT --to yy.yy.yy.yy:80
iptables -t nat -A POSTROUTING -p tcp --dst yy.yy.yy.yy --dport 80 -j SNAT --to xx.xx.xx.xx[
iptables -t nat -A OUTPUT --dst xx.xx.xx.xx -p tcp --dport 6060 -j DNAT --to yy.yy.yy.yy:80

i think you should be more specific using the 2nd and 3rd rule since you did not specify which interface should handle/process the rule to which direction.

Quote:

But it doesn't work completely. If on HOST_B I telnet localhost 6060 my traffic is redirected to HOST_C, but from the outside, telnet xx.xx.xx.xx 6060 my traffic is not being redirected.

exactly. that is because your POSTROUTING/OUTPUT chain look pretty messy (no offense).
optionally - you dont need the 2nd and 3rd rule if you dont use somekind of NAT.

HTH.

RattleSn@ke · 03-09-2009, 05:44 AM

Quote:

Originally Posted by rossonieri#1

hi snake,

i think you should be more specific using the 2nd and 3rd rule since you did not specify which interface should handle/process the rule to which direction.

exactly. that is because your POSTROUTING/OUTPUT chain look pretty messy (no offense).
optionally - you dont need the 2nd and 3rd rule if you dont use somekind of NAT.

HTH.

Dear HTH,

No offense taken. ;o) And thank you for your reply.

I changed the rules:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 6060 -j DNAT --to-destination [HOST_C]:80
iptables -t nat -A POSTROUTING -d [HOST_C] -p tcp -m tcp --dport 80 -j SNAT --to-source [HOST_B]
iptables -t nat -A OUTPUT -o eth0 -d [HOST_B] -p tcp -m tcp --dport 6060 -j DNAT --to-destination [HOST_C]:80

but this breaks everything, even now when I do a telnet [HOST_B] 6060 while I'm on [HOST_B], it failed. If I add the rules without specifying an interface, it works while you're at [HOST_B]

I hope you have any ideas left. My only goal with this is to have people (let name that host_a) connect to port 6060 on host_b, then host_b has to redirect (and masquerade) that traffic to host_c on port 80 so that host_c thinks that the traffic is coming from host_b, and sends it's replies back to host_b, which in turn redirects it back to host_a. I tried this using squid, but that failed to work properly. PLEASE NOTE: Traffic enters host_b on eth0 and exits eth0 to host_c

Thanks again.
Onno.

rossonieri#1 · 03-09-2009, 07:34 AM

hi onno,

ok - let me draw a little picture for you

Code:

I have the following situation:

[HOST_A]:TCP to port6060 --> eth0-[HOST_B]-eth0 --> [HOST_C]

IP HOST_C = zz.zz.zz.zz (can be any host on the internet)
IP HOST_B = xx.xx.xx.xx
IP HOST_C = yy.yy.yy.yy

there are nothing wrong with your previous iptables rules actually - you dont need to change anything except like i said before - it only needs to be more specific on which interface should handle the process.
[edit]
and that you have host_C - so which one is A?
[/edit]