LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 07-08-2010, 11:12 PM   #1
nickname.random
LQ Newbie
 
Registered: Jul 2010
Posts: 7

Rep: Reputation: 0
IPtables redirect 127.0.0.1 to 192.168.1.113


Hi to the forums wizards!

On my Debian 5 system, I'm trying to redirect the TCP traffic directed towards the 127.0.0.1:5432 address (local PostgreSQL daemon) to the 192.168.1.113:5432 (LAN PostgreSQL server).

Any idea on how to achieve this result with iptables?
 
Old 07-09-2010, 02:20 AM   #2
2HeartLinuxIs2BGeek
LQ Newbie
 
Registered: Jul 2010
Posts: 4

Rep: Reputation: 0
I *THINK* this is what you are looking for - unfortunately I am unable to test the below, but -i specifies which interface is matched for the rule, so any connections on the lo interface that are TCP and destined for port 5432 will be NAT'd to 192.168.1.113 port 5432.

Try it and see how you go.

/sbin/iptables -t nat -I PREROUTING -i lo -p tcp --dport 5432 -j DNAT --to-destination 192.168.1.113
 
Old 07-09-2010, 03:19 AM   #3
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
You cannot redirect loopback traffic with iptables.
 
1 members found this post helpful.
Old 07-09-2010, 10:13 AM   #4
nickname.random
LQ Newbie
 
Registered: Jul 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by 2HeartLinuxIs2BGeek View Post
I *THINK* this is what you are looking for - unfortunately I am unable to test the below, but -i specifies which interface is matched for the rule, so any connections on the lo interface that are TCP and destined for port 5432 will be NAT'd to 192.168.1.113 port 5432.

Try it and see how you go.

/sbin/iptables -t nat -I PREROUTING -i lo -p tcp --dport 5432 -j DNAT --to-destination 192.168.1.113
Thanks for the answer, but I already have tried that solution and it doesn't work.

The problem is on the localhost traffic.
 
Old 07-09-2010, 10:30 AM   #5
nickname.random
LQ Newbie
 
Registered: Jul 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by SuperJediWombat! View Post
You cannot redirect loopback traffic with iptables.
This is the answer I came to after a day of testing and IRCing on the #Netfilter and #debian channels.

These are the workarounds I came up with:
Code:
ssh localhost -L ${local_port}:${remote_host}:${remote_port}
# or
ssh ${user}@${remote_host} -L ${local_port}:localhost:${remote_port}
# or: -f puts ssh in the background once the tunnel is up; "sleep 10" keeps the
# tunnel open long enough for the local command to connect, then ssh exits
ssh -f localhost -L ${local_port}:${remote_host}:${remote_port} sleep 10; \
${local_command_using_tunnel}
# or: bind=127.0.0.1 keeps the listener off the LAN interfaces, fork serves
# more than one connection instead of exiting after the first
socat TCP4-LISTEN:${local_port},bind=127.0.0.1,fork TCP4:${remote_host}:${remote_port}
Everyone has a workaround, but no one is able to explain to me why it is not possible to redirect the localhost traffic with iptables.

For example, -j REDIRECT works for redirecting the port of local traffic; why is it not possible with iptables to redirect the localhost traffic?

references:
http://lists.debian.org/debian-user/.../msg00542.html
http://lists.debian.org/debian-itali.../msg00148.html
http://lists.debian.org/debian-itali.../msg00170.html
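The ssh and socat workarounds in this post (and the xinetd redirect suggested later in the thread) all work the same way: a user-space process listens on 127.0.0.1 and opens its own outgoing connection to the LAN host, so no nat-table rule is involved. The block below is an added example, not code from the thread or from any of its posters: a minimal Python TCP relay that does the same job, plus a constructed echo server that stands in for the LAN PostgreSQL server so the whole thing runs offline. All addresses and ports in it are constructed for the demo; the thread's real target would be 192.168.1.113:5432.

```python
import socket
import threading

# Added example, not any poster's code: a user-space TCP relay doing what the socat and
# xinetd "redirect" workarounds do. All addresses are constructed for the demo; in the
# thread the LAN target is 192.168.1.113:5432.
LISTEN_ADDR = "127.0.0.1"   # loopback only: the relay must not be reachable from the LAN

def _pump(src, dst):
    """Copy bytes src -> dst until src sends EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _relay_connection(client, target):
    """Bridge one accepted client to the upstream target in both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()          # upstream unreachable: refuse instead of hanging the client
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)     # client -> upstream in this thread
    back.join()                 # wait for upstream -> client to finish
    client.close()
    upstream.close()

class Relay:
    """Listen on 127.0.0.1:listen_port and forward every connection to target."""
    def __init__(self, target, listen_port=0):   # port 0 = any free port (demo only)
        self.target = target
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((LISTEN_ADDR, listen_port))
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return          # listener closed
            threading.Thread(target=_relay_connection, args=(client, self.target), daemon=True).start()

    def bound_address(self):
        return self.sock.getsockname()[0]

    def close(self):
        self.sock.close()

def start_echo_server():
    """Constructed stand-in for the LAN server: echoes bytes back, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv

def round_trip(port, payload):
    """Connect to 127.0.0.1:port as the local client would, send, read until EOF."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

if __name__ == "__main__":
    echo_srv = start_echo_server()
    relay = Relay(echo_srv.getsockname())
    print("relay on", relay.bound_address(), relay.port, "->", echo_srv.getsockname())
    print(round_trip(relay.port, b"SELECT 1;"))
    relay.close(); echo_srv.close()
```

Two things carry over from this to the real deployment: the listener is bound to 127.0.0.1 only, so the relay does not expose the LAN database to every host that can reach this machine (the same reason the xinetd stanza later in the thread sets bind = 127.0.0.1), and the LAN server sees every connection as coming from this host's LAN address rather than from the original client, so its host-based access rules (pg_hba.conf for PostgreSQL) must allow that address.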
 
Old 07-10-2010, 02:28 AM   #6
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
Quote:
Originally Posted by SuperJediWombat! View Post
The PREROUTING chain is only for traffic coming into the netfilter system.
Locally generated traffic goes to OUTPUT rather than PREROUTING.

However, loopback traffic (127.0.0.0/8) skips both chains...

In short, you can not DNAT loopback traffic.
http://www.linuxquestions.org/questi...arding-812313/
 
Old 07-10-2010, 02:58 AM   #7
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
I was thinking about your problem; a permanent solution would be to use xinetd and the redirect option.
 
1 members found this post helpful.
Old 07-10-2010, 03:24 AM   #8
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Quote:
Originally Posted by nickname.random View Post

For example, -j REDIRECT works redirecting the port for the local traffic; why it is not possible with iptables to redirect the localhost traffic?
Code:
REDIRECT target

The REDIRECT target is used to redirect packets and streams to the machine itself. This means that we could
for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid, on our own host.
Locally generated packets are mapped to the 127.0.0.1 address. In other words, this rewrites the destination
address to our own host for packets that are forwarded, or something alike.
The REDIRECT target is extremely good to use when we want, for example, transparent proxying,
where the LAN hosts do not know about the proxy at all. 

Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table.
It is also valid within user-defined chains that are only called from those chains, and nowhere else.
The REDIRECT target takes only one option, as described below. 

Table 11-13. REDIRECT target options
Option:       --to-ports
Example:      iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Explanation:  The --to-ports option specifies the destination port, or port range, to use.
              Without the --to-ports option, the destination port is never altered. This is specified, as above, as
              --to-ports 8080 in case we only want to specify one port. If we would want to specify a port range, we
              would do it like --to-ports 8080-8090, which tells the REDIRECT target to redirect the packets to the
              ports 8080 through 8090. Note that this option is only available in rules specifying the TCP or UDP
              protocol with the --protocol matcher, since it wouldn't make any sense anywhere else.
As you can see REDIRECT doesn't change the destination IP.

The best solution is to find out how to force the application to send packets to the LAN server instead of the local one.
 
0 members found this post helpful.
Old 07-10-2010, 04:12 AM   #9
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
I tested the xinetd settings for you, this should work.
Code:
service postgresql
{
        socket_type             = stream
        wait                    = no
        user                    = root
        redirect                = 192.168.1.113 5432
        bind                    = 127.0.0.1
}

Last edited by SuperJediWombat!; 07-10-2010 at 04:30 AM.
 
1 members found this post helpful.
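Because the redirect stanza above is what actually ends up exposing (or not exposing) the LAN database, it is worth checking the few attributes that matter before deploying it. The block below is an added example, not xinetd's own code or any poster's: a small parser for a `service { ... }` stanza and a checker that verifies the listener is bound to loopback, that `redirect` is a well-formed `host port` pair on the expected LAN (assumed here to be 192.168.0.0/16, covering the thread's 192.168.1.113), and that `wait` is `no` for a stream service. The root-user finding is my hardening recommendation, not something the thread states. The first stanza is the one posted above; the second is a constructed, deliberately weak variant.

```python
import ipaddress
import re

# Added example, not xinetd's or any poster's code. POSTED_STANZA is the configuration
# from the thread; WEAK_STANZA is a constructed variant with several mistakes.
POSTED_STANZA = """\
service postgresql
{
        socket_type             = stream
        wait                    = no
        user                    = root
        redirect                = 192.168.1.113 5432
        bind                    = 127.0.0.1
}
"""

WEAK_STANZA = """\
service postgresql
{
        socket_type             = stream
        wait                    = yes
        user                    = root
        redirect                = 10.9.8.7 5432
        bind                    = 0.0.0.0
}
"""

_STANZA_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_stanza(text):
    """Return (service_name, {attribute: value}) for the first service stanza in text."""
    m = _STANZA_RE.search(text)
    if m is None:
        raise ValueError("no 'service <name> { ... }' stanza found")
    attrs = {}
    for raw in m.group(2).splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {raw!r}")
        attrs[key.strip()] = value.strip()
    return m.group(1), attrs

def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def check_redirect(text, lan=ipaddress.ip_network("192.168.0.0/16")):
    """Return (service_name, [(code, message), ...]) for an xinetd redirect stanza.

    `lan` is the network the redirect target is expected to be on (assumption for this
    example: the thread's LAN is 192.168.1.0/24, so 192.168.0.0/16 is the default).
    """
    name, attrs = parse_stanza(text)
    findings = []

    # 1. The listener must be bound to loopback, otherwise the relay exposes the LAN
    #    database to every host that can reach this machine.
    bind = attrs.get("bind", attrs.get("interface"))
    if bind is None:
        findings.append(("no_bind", "no bind/interface: listener accepts on all interfaces"))
    else:
        ip = _parse_ip(bind)
        if ip is None or not ip.is_loopback:
            findings.append(("bind_not_loopback", f"bind = {bind} is not a loopback address"))

    # 2. redirect must be "host port" with a valid port and a host on the expected LAN.
    redirect = attrs.get("redirect")
    if redirect is None:
        findings.append(("no_redirect", "no redirect attribute"))
    else:
        parts = redirect.split()
        host_ip = _parse_ip(parts[0]) if parts else None
        if len(parts) != 2 or host_ip is None or not parts[1].isdigit() or not 0 < int(parts[1]) < 65536:
            findings.append(("bad_redirect", f"redirect = {redirect!r} is not '<ip> <port>'"))
        elif host_ip not in lan:
            findings.append(("redirect_outside_lan", f"redirect host {parts[0]} is not in {lan}"))

    # 3. Hardening (my recommendation, not from the thread): a redirect needs no privilege.
    if attrs.get("user") == "root":
        findings.append(("root_user", "user = root; an unprivileged account suffices for a redirect"))

    # 4. A stream redirect is handled per connection, which needs wait = no.
    if attrs.get("wait", "no").lower() != "no":
        findings.append(("wait_not_no", "wait should be 'no' for a stream redirect"))

    return name, findings

if __name__ == "__main__":
    for stanza in (POSTED_STANZA, WEAK_STANZA):
        name, findings = check_redirect(stanza)
        print(name, findings or "OK")
```

Run against the posted stanza the only finding is the root user; the weak variant additionally trips the loopback, LAN and wait checks, which is the difference between a local convenience and a database reachable from the whole network.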
Old 07-10-2010, 04:30 AM   #10
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
Quote:
Originally Posted by nimnull22 View Post
Code:
In other words, this rewrites the destination address to our own host for packets that are forwarded
As you can see REDIRECT doesn't change the destination IP.
We were talking about using iptables to *redirect* traffic, this would apply to either the DNAT target or the REDIRECT target. Your answer is not really helpful and worse, it will confuse people.
 
Old 07-11-2010, 01:43 PM   #11
nickname.random
LQ Newbie
 
Registered: Jul 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by nimnull22 View Post
As you can see REDIRECT doesn't change the destination IP.
Yes, I already know that REDIRECT can't change the IP address but only the port.
I was trying to understand the technical, undocumented reason why it is not possible to do the same thing for the loopback traffic.

Quote:
The best solution is to find how to enforce application to send packets to the LAN, instead of local server.
Of course, but if you can't modify the application, the only solution is a workaround with a third-party application like ssh, netcat or socat, or, as suggested by SuperJediWombat!, xinetd.
 
Old 07-11-2010, 01:50 PM   #12
nickname.random
LQ Newbie
 
Registered: Jul 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by SuperJediWombat! View Post
I was thinking about your problem, permanent solution would be to use xinetd and the redirect option.
That's a nice and elegant idea. Good job!

Quote:
Originally Posted by SuperJediWombat! View Post
Code:
service postgresql
{
        socket_type             = stream
        wait                    = no
        user                    = root
        redirect                = 192.168.1.113 5432
        bind                    = 127.0.0.1
}
It should work very well. I'll try and I'll give you a feedback.

Thanks!
 
Old 07-11-2010, 05:32 PM   #13
nickname.random
LQ Newbie
 
Registered: Jul 2010
Posts: 7

Original Poster
Rep: Reputation: 0
xinetd works like a charm!

Simply fantastic. Thanks SuperJediWombat!
 
  

