LinuxQuestions.org
Linux - Security
06-22-2006, 02:49 AM   #1
IHIHUG (LQ Newbie)
Iptables portforwarding with dns


When I create a rule with iptables, the --destination option always resolves the domain name to an IP address. This is a hassle because I am trying to do port forwarding based on the domain name it is connecting to. E.g. if someone connects to a.bob.com:80, it will direct it to 10.1.1.2:80, and b.bob.com, it will connect to 10.1.13:80. Two different internal machines, one external address and the same port.

The command I use to set the rule is:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 90 -d a.bob.com -j DNAT --to-destination 192.168.1.*:80

The command I see in iptables-save is:
Code:
-A PREROUTING -d 192.168.1.1 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 192.168.1.*:80
where 192.168.1.1 is the internal address of a.bob.com.
 
06-22-2006, 12:09 PM   #2
win32sux (LQ Guru)
welcome to LQ!!!

Quote:
Originally Posted by IHIHUG
the domain name's IP will be resolved, as iptables needs the IP to work with...

being that this is the security forum, i'd like to remind you that using an iptables rule with a domain name which needs to resolve remotely is a very bad idea...

BTW, why can't you use the IPs to do the forwarding??

 
06-22-2006, 08:01 PM   #3
drkstr (Senior Member)
Quote:
BTW, why can't you use the IPs to do the forwarding??
I would imagine that he is trying to forward to machines which do not have public IP addresses, and trying to use the host name he has assigned them to accomplish this.

How would one go about forwarding inbound connections to a private IP? I would also benefit from this information.

thanks!
...aaron
 
06-22-2006, 09:10 PM   #4
win32sux (LQ Guru)
Quote:
Originally Posted by drkstr
How would one go about forwarding inbound connections to a private IP? I would also benefit from this information.
well, let's say you would like all HTTP (TCP port 80) connections that hit your WAN side forwarded to internal/private IP 192.168.1.11 on your LAN side... the main rule would look like this:
Code:
iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 80 \
-j DNAT --to-destination 192.168.1.11
of course this needs to be taken in the context of your general setup, which would look kinda like this:
Code:
iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE \
-d 192.168.1.11 --dport 80 -m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 80 \
-j DNAT --to-destination 192.168.1.11
that's basically it... of course, sometimes you want to forward to a different port than the one the inbound connection uses... let's say the HTTP server on our LAN is actually listening on port 3333... then the rules would look like this:
Code:
iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE \
-d 192.168.1.11 --dport 3333 -m state --state NEW -j ACCEPT

iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 80 \
-j DNAT --to-destination 192.168.1.11:3333
i hope this is what you were asking about...

sorry if i misunderstood your question...
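
The rule set in post #4 (default-deny FORWARD, allow ESTABLISHED,RELATED, allow the forwarded flow, then the PREROUTING DNAT) packaged as a shell function so the same pattern can be reused for each service. This is an added example, not code from the thread; the interface names eth0/eth1, the `IPT` dry-run variable and the port numbers are assumptions. Two details the post leaves implicit: the filter/FORWARD rule must match the post-NAT address and port, because the nat PREROUTING hook rewrites the packet before the routing decision and before FORWARD sees it; and nothing is forwarded at all until `net.ipv4.ip_forward` is set to 1. The `-m state` match is kept because the thread uses it; on current kernels `-m conntrack --ctstate` is the equivalent.

```shell
#!/bin/sh
# Added example: the port-forward from post #4 as a function.
# IPT names the iptables binary; set IPT=echo to print the rules
# instead of applying them, so the generated rules can be reviewed first.
IPT=${IPT:-iptables}

# Default-deny forwarding, then permit replies to flows already accepted.
# Run once, before any port_forward call.
forward_baseline() {
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# port_forward WAN_IFACE LAN_IFACE PROTO EXT_PORT INT_IP INT_PORT
# The filter/FORWARD rule matches the *post-DNAT* destination (INT_IP and
# INT_PORT): nat/PREROUTING has already rewritten the packet by the time
# the filter table sees it. Only NEW connections from the WAN side are
# accepted; replies are covered by forward_baseline.
port_forward() {
    wan=$1 lan=$2 proto=$3 ext_port=$4 int_ip=$5 int_port=$6
    "$IPT" -A FORWARD -p "$proto" -i "$wan" -o "$lan" \
        -d "$int_ip" --dport "$int_port" -m state --state NEW -j ACCEPT
    "$IPT" -t nat -A PREROUTING -p "$proto" -i "$wan" \
        --dport "$ext_port" -j DNAT --to-destination "$int_ip:$int_port"
}

# Without IP forwarding enabled no packet ever reaches the FORWARD chain.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Dry run (IPT=echo sh thisfile.sh): prints the rules for the post's second
# scenario, public TCP port 80 to 192.168.1.11:3333. eth0 is assumed to be
# the WAN interface and eth1 the LAN interface.
if [ "$IPT" = echo ]; then
    forward_baseline
    port_forward eth0 eth1 tcp 80 192.168.1.11 3333
fi
```

With `IPT=echo` the script prints exactly the four rules from post #4 (with the 3333 variant) and touches nothing; run it without the variable, as root and after `enable_forwarding`, to apply them.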
 
06-22-2006, 09:16 PM   #5
win32sux (LQ Guru)
Quote:
Originally Posted by drkstr
I would imagine that he is trying to forward to machines which do not have public IP addresses, and trying to use the host name he has assigned them to acomplish this.
i agree, but forwarding works with both private and public IPs... i honestly don't fully understand his situation - i'm hoping he'll post again to clarify things a bit...
 
06-22-2006, 11:05 PM   #6
IHIHUG (LQ Newbie, Original Poster)
Hi, sorry about the delayed post.

You would be correct that the two machines do not have public IP addresses.
I am trying to set it up so that when someone visits a.b.com, they get directed to 192.168.1.6 (internal address), and on the same external address, someone who visits b.b.com, they get directed to 192.168.1.4. When I set the -d option, it resolves the domain to the internal IP address. At the moment, with my current rules, whatever rule is at the top with the port I want, it directs it to that destination address, e.g.

-A PREROUTING -d 192.168.1.13 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 192.168.1.14:80
-A PREROUTING -d 192.168.1.14 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 192.168.1.11:80

192.168.1.13 being a.b.com and 192.168.1.14 being b.b.com. So, (at the moment) when someone connects to b.b.com, they get 192.168.1.13 - a.b.com. Something that I am trying to get corrected.

Thanks, IHIHUG
 
06-23-2006, 12:41 PM   #7
win32sux (LQ Guru)
Quote:
Originally Posted by IHIHUG
what you are describing sounds in some ways more like what a DNS daemon does than what a router does... if you put those subdomains in the /etc/hosts file of either the LAN's DNS daemon, or the clients themselves (if you don't have a DNS daemon), then you wouldn't even need PREROUTING at all (unless you need to forward ports)...
Code:
# /etc/hosts format: IP address first, then the name(s)
192.168.1.13   a.b.com
192.168.1.14   b.b.com
- the client enters "a.b.com" in their application...
- the application asks the OS to query the DNS server...
- the DNS server resolves "a.b.com" to 192.168.1.13...
- the client connects to 192.168.1.13...

- the client enters "b.b.com" in their application...
- the application asks the OS to query the DNS server...
- the DNS server resolves "b.b.com" to 192.168.1.14...
- the client connects to 192.168.1.14...

when you have that done, then port-forwarding between the subnets should be relatively simple, by using only IPs, sorta like:
Code:
iptables -t nat -A PREROUTING -p TCP -i eth0 -d 192.168.1.13 \
--dport 900 -j DNAT --to-destination 192.168.200.213:80

iptables -t nat -A PREROUTING -p TCP -i eth0 -d 192.168.1.14 \
--dport 900 -j DNAT --to-destination 192.168.200.214:80

 
06-23-2006, 02:48 PM   #8
IHIHUG (Original Poster)
The problem is that the clients are on the internet, not on the local network. So their DNS resolves to 203.173.*.* for both a.b.com and b.b.com. As both domains point to 203.173.*.*, both their destination addresses will be the same, which is why I want to be able to use domain names instead of IP addresses.
 
06-23-2006, 02:54 PM   #9
win32sux (LQ Guru)
Quote:
Originally Posted by IHIHUG
are the HTTP daemons for each site listening on different ports on the same IP??

also, when you ping *.b.com from the router, does it ping 203.173.*.* or an internal IP??

 
06-23-2006, 04:00 PM   #10
IHIHUG (Original Poster)
Quote:
Originally Posted by win32sux
Yes, the daemons are listening on the same ports on the same IP (same external address, different internal).
On my router, when I ping *.b.com, it gives me the internal IP, as I have a DNS server on the network.
 
06-23-2006, 04:10 PM   #11
jschiwal (LQ Guru)
When a host on the internet tries to visit either site, it will be resolved by the nameserver that they use. It is the IP address and port number that they connect to your site with. The DNS name in the iptables command is resolved by you to get the equivalent IP address. This information isn't being supplied by someone visiting your site.
 
06-23-2006, 04:17 PM   #12
IHIHUG (Original Poster)
Quote:
Originally Posted by jschiwal
Ok, so it isn't possible to do what I want to do with iptables because of how IPv4 works.

Thanks, IHIHUG
 
06-23-2006, 04:17 PM   #13
win32sux (LQ Guru)
yeah, i believe that if you are using apache virtual hosts (on the same IP) for this, then the way apache knows which website the client is asking for is by looking at the "Host" HTTP header which the client's browser sends... so i think if you want iptables to be able to distinguish between a.b.com and a.a.com when they are both on the same IP, you'd need to have a match module that could understand Host headers - something i kinda doubt exists...
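
Post #13 has the mechanism right, and the obstacle is more fundamental than a missing match module. The Host header travels in the first data segment, after the TCP handshake, while the DNAT decision in nat/PREROUTING is made on the SYN, which carries no payload; a payload match (iptables does have `-m string`) therefore cannot steer a connection by hostname. A reverse proxy can, because it terminates the client's TCP connection, reads the request head, and only then opens its own connection to the chosen backend. The shell example below is an added illustration of that decision step, not code from the thread, run on constructed request heads; the a.b.com/b.b.com to 192.168.1.13/.14 mapping follows post #6, and everything else (the function names, the refusal behaviour) is assumed.

```shell
#!/bin/sh
# Added example: the routing decision a layer-7 reverse proxy makes and
# iptables cannot. The inputs are complete HTTP request heads, data that
# exists only after the TCP handshake; the SYN that PREROUTING/DNAT acts
# on carries none of it.

# Virtual host -> backend table (addresses from post #6; mapping assumed).
backend_for_host() {
    case "$1" in
        a.b.com) echo 192.168.1.13:80 ;;
        b.b.com) echo 192.168.1.14:80 ;;
        *)       return 1 ;;   # unknown vhost: refuse rather than guess
    esac
}

# Print the Host header value of an HTTP/1.x request head, lowercased and
# with any :port stripped. Accepts CRLF or LF line endings, skips the
# request line, stops at the blank line that ends the headers (so a
# "Host:" in the body is never consulted) and honours only the first Host
# header, since duplicated Host headers are a classic smuggling vector.
extract_host() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        NR == 1 { next }
        /^$/    { exit }
        tolower($0) ~ /^host:/ {
            sub(/^[Hh][Oo][Ss][Tt]:[ \t]*/, "")
            sub(/[ \t]+$/, "")
            sub(/:[0-9]+$/, "")
            print tolower($0)
            exit
        }'
}

# route_request REQUEST_HEAD: prints the backend ip:port, or fails with a
# reason on stderr (no Host header, or a Host we do not serve).
route_request() {
    host=$(extract_host "$1")
    if [ -z "$host" ]; then
        echo "400 Bad Request: no Host header" >&2
        return 1
    fi
    backend_for_host "$host" || {
        echo "404 Not Found: unknown vhost '$host'" >&2
        return 1
    }
}

# Constructed sample requests (not captured traffic). Both would arrive on
# the same public IP and port; only the Host header tells them apart.
REQ_A='GET /index.html HTTP/1.1
Host: a.b.com
User-Agent: example

'
REQ_B=$(printf 'GET /login HTTP/1.1\r\nHost: B.B.COM:80\r\nConnection: close\r\n\r\n')
REQ_NOHOST=$(printf 'GET / HTTP/1.0\r\n\r\n')

route_request "$REQ_A"
route_request "$REQ_B"
route_request "$REQ_NOHOST" || true
```

The first two requests print 192.168.1.13:80 and 192.168.1.14:80; the HTTP/1.0 request without a Host header is refused. Compare with post #6's rules: at the packet level those two connections are identical (same destination IP, same port), which is why the first matching PREROUTING rule always wins.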

 
06-23-2006, 04:29 PM   #14
win32sux (LQ Guru)
i have a feeling you could do it with Squid, though...

in fact, i think Squid might be the *best* way to achieve your goal, as Squid is designed especially for this type of functionality...
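
Post #14's suggestion in concrete form: an added squid.conf fragment (not from the thread) for Squid's reverse-proxy ("accelerator") mode. The site names a.b.com and b.b.com and the backend addresses 192.168.1.13/.14 are taken from post #6; the listening port, the peer names and the rest are assumptions. With this in place iptables needs only a single DNAT rule, sending public TCP port 80 to the machine running Squid. The `dstdomain` ACL is matched against the Host header, which is exactly the information iptables never sees. The `accel`/`vhost` flags and the `originserver` peer option need Squid 2.6 or later; `all` is predefined in Squid 3.x, on 2.x declare it first with `acl all src 0.0.0.0/0`.

```conf
# squid.conf fragment (added example, Squid 2.6+/3.x accelerator syntax)

# Listen on the public side; 'vhost' makes Squid pick the site by Host header.
http_port 80 accel vhost

# One origin server per virtual host (addresses from post #6).
cache_peer 192.168.1.13 parent 80 0 no-query originserver name=site_a
cache_peer 192.168.1.14 parent 80 0 no-query originserver name=site_b

# dstdomain is evaluated against the request's Host header.
acl host_a dstdomain a.b.com
acl host_b dstdomain b.b.com

# Pin each hostname to exactly one backend and refuse everything else, so an
# unexpected Host header cannot be used to reach an arbitrary internal address.
cache_peer_access site_a allow host_a
cache_peer_access site_a deny all
cache_peer_access site_b allow host_b
cache_peer_access site_b deny all
# Never let Squid resolve the Host itself and connect directly: publicly the
# names point back at this same box.
never_direct allow all

http_access allow host_a
http_access allow host_b
http_access deny all
```

Check the result with `squid -k parse` before reloading, then request each name through the public address and confirm in access.log that a.b.com is served by site_a and b.b.com by site_b while a request for any other Host is denied.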

 
06-23-2006, 04:41 PM   #15
IHIHUG (Original Poster)
Yeah, you can do it with squid and squidGuard. I was hoping to do it with iptables, so I could do the same with other services.
 
  

