LinuxQuestions.org, Linux - Networking forum
#1, 07-08-2010, 11:12 PM, by nickname.random (LQ Newbie; Registered: Jul 2010; Posts: 7)
IPtables redirect 127.0.0.1 to 192.168.1.113
Hi to the forum wizards!
On my Debian 5 system, I'm trying to redirect the TCP traffic directed towards the 127.0.0.1:5432 address (local PostgreSQL daemon) to the 192.168.1.113:5432 (LAN PostgreSQL server).
Any idea on how to achieve this result with iptables?
#2, 07-09-2010, 02:20 AM, by 2HeartLinuxIs2BGeek (LQ Newbie; Registered: Jul 2010; Posts: 4)
I *THINK* this is what you are looking for. Unfortunately I am unable to test the below, but -i specifies which interface the rule matches on, so any TCP connections on the lo interface destined for port 5432 will be NATed to 192.168.1.113 port 5432.
Try it and see how you go.
Code:
/sbin/iptables -t nat -I PREROUTING -i lo -p tcp --dport 5432 -j DNAT --to-destination 192.168.1.113
#3, 07-09-2010, 03:19 AM, by SuperJediWombat! (Member; Registered: Apr 2009; Location: Perth, Australia; Distribution: Ubuntu/CentOS; Posts: 208)
You cannot redirect loopback traffic with iptables.
1 member found this post helpful.
#4, 07-09-2010, 10:13 AM, by nickname.random (Original Poster; LQ Newbie; Registered: Jul 2010; Posts: 7)
Quote:
Originally Posted by 2HeartLinuxIs2BGeek
I *THINK* this is what you are looking for. Unfortunately I am unable to test the below, but -i specifies which interface the rule matches on, so any TCP connections on the lo interface destined for port 5432 will be NATed to 192.168.1.113 port 5432.
Try it and see how you go.
Code:
/sbin/iptables -t nat -I PREROUTING -i lo -p tcp --dport 5432 -j DNAT --to-destination 192.168.1.113

Thanks for the answer, but I already have tried that solution and it doesn't work.
The problem is on the localhost traffic.
#5, 07-09-2010, 10:30 AM, by nickname.random (Original Poster; LQ Newbie; Registered: Jul 2010; Posts: 7)
Quote:
Originally Posted by SuperJediWombat!
You cannot redirect loopback traffic with iptables.

This is the answer I came to after a day of testing and IRCing on the #Netfilter and #debian channels.
These are the workarounds I came up with:
Code:
# tunnel through the local sshd out to the remote host
ssh localhost -L ${local_port}:${remote_host}:${remote_port}
# or: tunnel through the remote sshd to its own loopback
ssh ${user}@${remote_host} -L ${local_port}:localhost:${remote_port}
# or: background the tunnel (-f) just long enough for one command to use it
ssh -f localhost -L ${local_port}:${remote_host}:${remote_port} sleep 10;
${local_command_using_tunnel}
# or: a plain userspace TCP relay; fork serves more than one connection,
# bind keeps the listener on the loopback address only
socat TCP4-LISTEN:${local_port},fork,bind=127.0.0.1 TCP4:${remote_host}:${remote_port}
Everyone has a workaround, but no one is able to explain to me why it is not possible to redirect the localhost traffic with iptables.
For example, -j REDIRECT works for redirecting the port of local traffic; why is it not possible to redirect the localhost traffic with iptables?
References:
http://lists.debian.org/debian-user/.../msg00542.html
http://lists.debian.org/debian-itali.../msg00148.html
http://lists.debian.org/debian-itali.../msg00170.html
#6, 07-10-2010, 02:28 AM, by SuperJediWombat! (Member; Registered: Apr 2009; Location: Perth, Australia; Distribution: Ubuntu/CentOS; Posts: 208)
Quote:
Originally Posted by SuperJediWombat!
The PREROUTING chain is only for traffic coming into the netfilter system.
Locally generated traffic goes to OUTPUT rather than PREROUTING.
However, loopback traffic (127.0.0.0/8) skips both chains...
In short, you can not DNAT loopback traffic.

http://www.linuxquestions.org/questi...arding-812313/
#7, 07-10-2010, 02:58 AM, by SuperJediWombat! (Member; Registered: Apr 2009; Location: Perth, Australia; Distribution: Ubuntu/CentOS; Posts: 208)
I was thinking about your problem; a permanent solution would be to use xinetd and its redirect option.
1 member found this post helpful.
#8, 07-10-2010, 03:24 AM, by nimnull22 (Senior Member; Registered: Jul 2009; Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0; Posts: 1,571)
Quote:
Originally Posted by nickname.random
For example, -j REDIRECT works for redirecting the port of local traffic; why is it not possible to redirect the localhost traffic with iptables?

Code:
REDIRECT target
The REDIRECT target is used to redirect packets and streams to the machine itself. This means that we could
for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid, on our own host.
Locally generated packets are mapped to the 127.0.0.1 address. In other words, this rewrites the destination
address to our own host for packets that are forwarded, or something alike.
The REDIRECT target is extremely good to use when we want, for example, transparent proxying,
where the LAN hosts do not know about the proxy at all.
Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table.
It is also valid within user-defined chains that are only called from those chains, and nowhere else.
The REDIRECT target takes only one option, as described below.
Table 11-13. REDIRECT target options
Option: --to-ports
Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Explanation:
The --to-ports option specifies the destination port, or port range, to use.
Without the --to-ports option, the destination port is never altered. This is specified, as above, --to-ports 8080
in case we only want to specify one port. If we would want to specify a port range, we would do it like
--to-ports 8080-8090, which tells the REDIRECT target to redirect the packets to the ports 8080 through 8090.
Note that this option is only available in rules specifying the TCP or UDP protocol with the --protocol matcher,
since it wouldn't make any sense anywhere else.
As you can see, REDIRECT doesn't change the destination IP.
The best solution is to find a way to make the application send its packets to the LAN server instead of the local one.
0 members found this post helpful.
#9, 07-10-2010, 04:12 AM, by SuperJediWombat! (Member; Registered: Apr 2009; Location: Perth, Australia; Distribution: Ubuntu/CentOS; Posts: 208)
I tested the xinetd settings for you; this should work.
Code:
# the port comes from /etc/services (postgresql 5432/tcp)
service postgresql
{
    socket_type = stream
    wait        = no
    user        = root
    # every connection accepted here is relayed to the LAN PostgreSQL server
    redirect    = 192.168.1.113 5432
    # listen on the loopback address only
    bind        = 127.0.0.1
}
Last edited by SuperJediWombat!; 07-10-2010 at 04:30 AM.
1 member found this post helpful.
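As an added example (not code from the thread, nor from the socat or xinetd projects), the Python script below does what the socat one-liner in post #5 and the xinetd redirect entry in post #9 do: it is a userspace relay that accepts connections on the loopback address and opens a fresh connection to the LAN host for each one. Because the relay terminates the loopback connection and originates a new one, it sidesteps the netfilter limitation discussed above, and keeping the listener bound to 127.0.0.1 means the relay is not reachable from the LAN. The echo server inside it is a constructed stand-in for the 192.168.1.113 PostgreSQL server; the function names, hosts and ports are assumptions.

```python
"""Userspace TCP relay on the loopback address (added example, not from the thread).

start_forwarder() plays the role of `socat TCP4-LISTEN:... TCP4:...` or of the
xinetd `redirect` entry; start_echo_server() is a constructed stand-in for the
LAN PostgreSQL server so the script runs offline.
"""
import socket
import threading
from typing import Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client: socket.socket, target: Tuple[str, int]) -> None:
    """Serve one accepted connection: dial the target, relay both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()  # target unreachable: drop the client, as socat would
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_forwarder(listen: Tuple[str, int], target: Tuple[str, int]) -> Tuple[socket.socket, int]:
    """Listen on `listen` and relay every accepted connection to `target`.

    Returns the listening socket and its bound port (useful when port 0 was
    requested). Closing the returned socket stops the accept loop.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)  # same idea as `bind = 127.0.0.1` in the xinetd entry
    srv.listen(16)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listening socket was closed
            threading.Thread(target=_handle, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server() -> Tuple[socket.socket, int]:
    """Constructed stand-in for the LAN server: sends back whatever it received."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                buf = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                conn.sendall(buf)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def round_trip(port: int, payload: bytes) -> bytes:
    """Connect to 127.0.0.1:port, send payload, return everything sent back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as conn:
        conn.sendall(payload)
        conn.shutdown(socket.SHUT_WR)
        data = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                return data
            data += chunk


if __name__ == "__main__":
    # Demo: the echo server stands in for 192.168.1.113:5432 (assumed address).
    echo_sock, echo_port = start_echo_server()
    fwd_sock, fwd_port = start_forwarder(("127.0.0.1", 0), ("127.0.0.1", echo_port))
    print(round_trip(fwd_port, b"hello via the loopback relay"))
    fwd_sock.close()
    echo_sock.close()
```

For the thread's actual setup the call would be start_forwarder(("127.0.0.1", 5432), ("192.168.1.113", 5432)), kept running under a supervisor, which is exactly the job xinetd takes over in post #9; the same half-close handling is what lets a client such as psql see a clean end of stream when the database closes its side.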
#10, 07-10-2010, 04:30 AM, by SuperJediWombat! (Member; Registered: Apr 2009; Location: Perth, Australia; Distribution: Ubuntu/CentOS; Posts: 208)
Quote:
Originally Posted by nimnull22
Code:
In other words, this rewrites the destination address to our own host for packets that are forwarded
As you can see, REDIRECT doesn't change the destination IP.

We were talking about using iptables to *redirect* traffic, this would apply to either the DNAT target or the REDIRECT target. Your answer is not really helpful and worse, it will confuse people.
#11, 07-11-2010, 01:43 PM, by nickname.random (Original Poster; LQ Newbie; Registered: Jul 2010; Posts: 7)
Quote:
Originally Posted by nimnull22
As you can see, REDIRECT doesn't change the destination IP.

Yes, I already know that REDIRECT can't change the IP address, only the port.
I was trying to understand the technical, undocumented reason why it is not possible to do the same thing for the loopback traffic.
Quote:
The best solution is to find a way to make the application send its packets to the LAN server instead of the local one.

Of course, but if you can't modify the application, the only solution is a workaround with a third-party application like ssh, netcat or socat, or, as suggested by SuperJediWombat!, xinetd.
#12, 07-11-2010, 01:50 PM, by nickname.random (Original Poster; LQ Newbie; Registered: Jul 2010; Posts: 7)
Quote:
Originally Posted by SuperJediWombat!
I was thinking about your problem; a permanent solution would be to use xinetd and its redirect option.

That's a nice and elegant idea. Good job!
Quote:
Originally Posted by SuperJediWombat!
Code:
service postgresql
{
    socket_type = stream
    wait        = no
    user        = root
    redirect    = 192.168.1.113 5432
    bind        = 127.0.0.1
}

It should work very well. I'll try and I'll give you a feedback.
Thanks!
#13, 07-11-2010, 05:32 PM, by nickname.random (Original Poster; LQ Newbie; Registered: Jul 2010; Posts: 7)
xinetd works like a charm!
Simply fantastic. Thanks SuperJediWombat!
All times are GMT -5.