LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 07-09-2010, 12:12 AM   #1
nickname.random
LQ Newbie
 
Registered: Jul 2010
Posts: 7

Rep: Reputation: 0
IPtables redirect 127.0.0.1 to 192.168.1.113


Hi to the forums wizards!

On my Debian 5 system, I'm trying to redirect the TCP traffic directed towards the 127.0.0.1:5432 address (local PostgreSQL daemon) to the 192.168.1.113:5432 (LAN PostgreSQL server).

Any idea on how to achieve this result with iptables?
 
Old 07-09-2010, 03:20 AM   #2
2HeartLinuxIs2BGeek
LQ Newbie
 
Registered: Jul 2010
Posts: 4

Rep: Reputation: 0
I *THINK* this is what you are looking for - unfortunately I am unable to test the below but -i specifies what interface is being matched for the rule... so any connections on the lo interface that are tcp and destined for port 5432 will be nat'd to 192.168.1.113 port 5432

Try it and see how you go.

/sbin/iptables -t nat -I PREROUTING -i lo -p tcp --dport 5432 -j DNAT --to-destination 192.168.1.113
 
Old 07-09-2010, 04:19 AM   #3
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
You cannot redirect loopback traffic with iptables.
 
1 members found this post helpful.
Old 07-09-2010, 11:13 AM   #4
nickname.random
LQ Newbie
 
Registered: Jul 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by 2HeartLinuxIs2BGeek View Post
I *THINK* this is what you are looking for - unfortunately I am unable to test the below but -i specifies what interface is being matched for the rule... so any connections on the lo interface that are tcp and destined for port 5432 will be nat'd to 192.168.1.113 port 5432

Try it and see how you go.

/sbin/iptables -t nat -I PREROUTING -i lo -p tcp --dport 5432 -j DNAT --to-destination 192.168.1.113
Thanks for the answer, but I already have tried that solution and it doesn't work.

The problem is on the localhost traffic.
 
Old 07-09-2010, 11:30 AM   #5
nickname.random
LQ Newbie
 
Registered: Jul 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by SuperJediWombat! View Post
You cannot redirect loopback traffic with iptables.
This is the answer I came after a day of testing and ircing on the #Netfilter and #debian channel.

These are the workarounds I came:
Code:
ssh localhost -L ${local_port}:${remote_host}:${remote_port}
# or
ssh ${user}@${remote_host} -L ${local_port}:localhost:${remote_port}
# or
ssh localhost -L ${local_port}:${remote_host}:${remote_port} sleep 10; 
${local_command_using_tunnel}
# or
socat TCP4-LISTEN:${local_port} TCP4:${remote_host}:${remote_port}
Everyone has a workaround, but no one is able to explain me why it is not possible with iptables to redirect the localhost traffic.

For example, -j REDIRECT works redirecting the port for the local traffic; why it is not possible with iptables to redirect the localhost traffic?

references:
http://lists.debian.org/debian-user/.../msg00542.html
http://lists.debian.org/debian-itali.../msg00148.html
http://lists.debian.org/debian-itali.../msg00170.html
 
Old 07-10-2010, 03:28 AM   #6
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
Quote:
Originally Posted by SuperJediWombat! View Post
The PREROUTING chain is only for traffic coming into the netfilter system.
Localy generated traffic goes to OUTPUT rather than PREROUTING.

However, loopback traffic (127.0.0.0/8) skips both chains...

In short, you can not DNAT loopback traffic.
http://www.linuxquestions.org/questi...arding-812313/
 
Old 07-10-2010, 03:58 AM   #7
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
I was thinking about your problem, permanent solution would be to use xinetd and the redirect option.
 
1 members found this post helpful.
Old 07-10-2010, 04:24 AM   #8
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Quote:
Originally Posted by nickname.random View Post

For example, -j REDIRECT works redirecting the port for the local traffic; why it is not possible with iptables to redirect the localhost traffic?
Code:
REDIRECT target

The REDIRECT target is used to redirect packets and streams to the machine itself. This means that we could
for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid, on our own host.
Locally generated packets are mapped to the 127.0.0.1 address. In other words, this rewrites the destination
address to our own host for packets that are forwarded, or something alike.
The REDIRECT target is extremely good to use when we want, for example, transparent proxying,
where the LAN hosts do not know about the proxy at all. 

Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table.
It is also valid within user-defined chains that are only called from those chains, and nowhere else.
The REDIRECT target takes only one option, as described below. 

Table 11-13. REDIRECT target options
Option:	  --to-ports
Example:  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

Explanation:	
The --to-ports option specifies the destination port, or port range, to use.
Without the --to-ports option, the destination port is never altered. This is specified, as above, --to-ports 8080
in case we only want to specify one port. If we would want to specify a port range, we would do it like
--to-ports 8080-8090, which tells the REDIRECT target to redirect the packets to the ports 8080 through 8090.
Note that this option is only available in rules specifying the TCP or UDP protocol with the --protocol matcher,
since it wouldn't make any sense anywhere else.
As you can see REDIRECT doesn't change the destination IP.

The best solution is to find how to enforce application to send packets to the LAN, instead of local server.
 
0 members found this post helpful.
Old 07-10-2010, 05:12 AM   #9
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
I tested the xinetd settings for you, this should work.
Code:
service postgresql
{
        socket_type             = stream
        wait                    = no
        user                    = root
        redirect                = 192.168.1.113 5432
        bind                    = 127.0.0.1
}

Last edited by SuperJediWombat!; 07-10-2010 at 05:30 AM.
 
1 members found this post helpful.
Old 07-10-2010, 05:30 AM   #10
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
Quote:
Originally Posted by nimnull22 View Post
Code:
In other words, this rewrites the destination address to our own host for packets that are forwarded
As you can see REDIRECT doesn't change the destination IP.
We were talking about using iptables to *redirect* traffic, this would apply to either the DNAT target or the REDIRECT target. Your answer is not really helpful and worse, it will confuse people.
 
Old 07-11-2010, 02:43 PM   #11
nickname.random
LQ Newbie
 
Registered: Jul 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by nimnull22 View Post
As you can see REDIRECT doesn't change the destination IP.
Yes, I already know that REDIRECT can't change the IP address but only the port.
I was trying to understand what's the technical and undocumented reason because it is not possible to do the same think for the loopback traffic.

Quote:
The best solution is to find how to enforce application to send packets to the LAN, instead of local server.
Of course, but if you can't modify the application, the only solution is a workaround with a third part application like:
ssh, netcat, socat
or as suggested by SuperJediWombat!, using xinetd.
 
Old 07-11-2010, 02:50 PM   #12
nickname.random
LQ Newbie
 
Registered: Jul 2010
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by SuperJediWombat! View Post
I was thinking about your problem, permanent solution would be to use xinetd and the redirect option.
That's a nice and elegant idea. Good job!

Quote:
Originally Posted by SuperJediWombat! View Post
Code:
service postgresql
{
        socket_type             = stream
        wait                    = no
        user                    = root
        redirect                = 192.168.1.113 5432
        bind                    = 127.0.0.1
}
It should work very well. I'll try and I'll give you a feedback.

Thanks!
 
Old 07-11-2010, 06:32 PM   #13
nickname.random
LQ Newbie
 
Registered: Jul 2010
Posts: 7

Original Poster
Rep: Reputation: 0
xnetd works like a charm!

Simply fantastic. Thanks SuperJediWombat!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[root@wlxxb ~]# telnet 192.168.192.12 25 Trying 192.168.192.12... telnet problem cnhawk386 Linux - Networking 1 10-10-2007 03:50 PM
What route to access daisy chained 2d router 192.168.1.1 after 192.168.0.1 (subnets?) Emmanuel_uk Linux - Networking 6 05-05-2006 02:47 AM
Is someone on my network?! ::ffff:192.168.0.10:ssh ::ffff:192.168.0.:38201 ESTABLISHE ming0 Linux - Security 4 04-12-2005 02:04 AM
Iptables is converting -s 192.168.1.0/8 into 192.0.0.0/8 why !? qwijibow Linux - Security 2 01-26-2005 10:57 AM
wine uses lo instead of eth0 (127.0.0.1 instead of 192.168.x.x) lostlyre Linux - Networking 1 04-02-2004 04:46 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 08:49 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration