#1 2022-08-17 20:31:48

Lord Bo
Member
Registered: 2012-11-11
Posts: 168

[SOLVED] Forward one ip + port to another ip + port

I have a script which wants to clone / download from a git repository by issuing a command like git clone http://192.168.2.1/some/repo. However, there is no machine with the IP 192.168.2.1 in any connected network; instead the script would work if it would just git clone http://192.168.1.1:1234/some/repo. So as far as I understand it, I would need to redirect all outgoing traffic to 192.168.2.1:80 to 192.168.1.1:1234 and vice versa for incoming traffic. (It is actually not only one script, but also recursively downloaded scripts, such that editing them would be a very inconvenient option.)

Unfortunately I am really a networking noob. I figured that I would probably need iptables for that and tried to read the wiki page or some examples from the internet. But so far I failed and my head is smoking, and I'm honestly relieved that I didn't break anything badly so far.

Here is one of the many things I tried and I'm honestly ashamed of it. Probably I'm headed completely in the wrong direction:

# reroute traffic from 192.168.2.1:80 to 192.168.1.1:1234 and vice versa; this command doesn't even work
iptables -t nat -A PREROUTING -p tcp -d 192.168.2.1 –dport 80 -j DNAT –-to-destination 192.168.1.2 --to-port 12345
# somehow this is supposed to rename ip and port in the ip header
iptables -t nat -A POSTROUTING -p tcp -d 192.168.2.246 –dport 80 -j MASQUERADE

Also do I have to execute

iptables-save -f /etc/iptables/iptables.rules

after each of those commands to make them come into effect? Or does that command only make my changes persistent?

I hope there is someone who can help me and put me out of my misery.

Last edited by Lord Bo (2022-08-18 19:39:07)

#2 2022-08-17 21:07:28

seth
Member
Registered: 2012-09-03
Posts: 56,197

Re: [SOLVED] Forward one ip + port to another ip + port

such that editing them would be a very inconvenient option

https://man.archlinux.org/man/core/sed/sed.1.en

https://serverfault.com/questions/58648 … me-network - there's also an explanation why you're missing SNAT
On top of that, there's some sort of em dash in your calls.

make them come into effect? Or does that command only make my changes persistent?

Neither. It'll store the config in a file where you can restore it from later (e.g. during boot).
iptables operates on the kernel, so after a bunch of happy tries, it's now probably full of cruft.
You want to inspect and probably reset it, https://wiki.archlinux.org/title/Iptabl … rent_rules

#3 2022-08-18 03:47:46

Lord Bo
Member
Registered: 2012-11-11
Posts: 168

Re: [SOLVED] Forward one ip + port to another ip + port

Thank You for your answer!

So here is how I understand it after having read the post from serverfault and also having read about SNAT and DNAT:

First I need to use SNAT to forward packets sent to 192.168.2.1 with port 80 to 192.168.1.1:1234.
Or to explain it better: Before the actual routing occurs, iptables will replace the non-existing destination address (192.168.2.1:80) of my packet with an actually existing address (192.168.1.1:1234), which can be routed:

iptables -t nat -A PREROUTING -d 192.168.2.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:1234

Was that explained correctly? I'm not sure, if my logic makes sense.

I'm not sure how I have to explain the other needed route though:

iptables -t nat -A POSTROUTING -d 192.168.1.1 -p tcp --dport 1234 -j SNAT --to-source 192.168.2.1:80

Probably the source IP and port must be changed after routing, such that the right client can be addressed by the operating system?

But what I think how it works is unfortunately just wrong. It doesn't work and I just don't understand it :(.

I also tried:

iptables -t nat -A PREROUTING -d 192.168.1.1 -p tcp --dport 1234 -j DNAT --to-destination 192.168.2.1:80
iptables -t nat -A POSTROUTING -d 192.168.2.1 -p tcp --dport 80 -j SNAT --to-source 192.168.1.1:1234

Doesn't work either. I read a bit about SNAT and DNAT, but I can't seem to get the right understanding.
Any chance You could help me again, maybe enlighten me?

Yes, I know I could probably do it with sed or a similar processor. However, it would really be an inconvenient solution, since I don't always know when the scripts are recursively downloaded and where they are put.
edit: Also I don't like to surrender to my dumb brain.

Last edited by Lord Bo (2022-08-18 03:58:15)

#4 2022-08-18 06:28:29

-thc
Member
Registered: 2017-03-15
Posts: 580

Re: [SOLVED] Forward one ip + port to another ip + port

The PREROUTING chain is only relevant for incoming packets. Assuming your host has a valid IP address in the 192.168.1.x subnet, mangling incoming packets should not be necessary.

Outgoing packets traverse the POSTROUTING chain but the target DNAT is invalid there.

Try only one rule instead:

iptables -t nat -A OUTPUT -d 192.168.2.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:1234

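The one rule from the post above, wrapped in a small script as an added example (not from the thread or the Arch wiki): it installs the OUTPUT-chain DNAT only if it is not already there, can remove it again, lists the nat OUTPUT chain, and saves the ruleset. The addresses 192.168.2.1:80 and 192.168.1.1:1234 and the file /etc/iptables/iptables.rules are taken from the thread; the function names and the DRY_RUN switch are my own additions. The real iptables calls need root.

```shell
#!/bin/sh
# Added example (not from the thread): install, check, remove and save the
# OUTPUT-chain DNAT rule from the post above. The real iptables calls need root;
# DRY_RUN=1 prints the commands instead of executing them.
set -eu

FAKE_IP=${FAKE_IP:-192.168.2.1}; FAKE_PORT=${FAKE_PORT:-80}      # address the scripts insist on
REAL_IP=${REAL_IP:-192.168.1.1}; REAL_PORT=${REAL_PORT:-1234}    # where the git server really listens
RULES_FILE=${RULES_FILE:-/etc/iptables/iptables.rules}

# Chain, match and target shared by -C (check), -A (append) and -D (delete).
# OUTPUT is the only nat chain that sees packets this host generates itself;
# PREROUTING only sees packets arriving from other hosts.
rule_spec() {
    printf '%s' "OUTPUT -d $FAKE_IP -p tcp --dport $FAKE_PORT -j DNAT --to-destination $REAL_IP:$REAL_PORT"
}

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

rule_present() {
    # -C exits 0 when an identical rule exists; in dry-run mode assume it does not.
    [ "${DRY_RUN:-0}" = 1 ] && return 1
    iptables -t nat -C $(rule_spec) 2>/dev/null
}

add_redirect() {
    # Appending twice would leave a duplicate rule, so check first.
    if rule_present; then echo "rule already present" >&2; return 0; fi
    ipt -t nat -A $(rule_spec)
}

del_redirect() {
    if rule_present || [ "${DRY_RUN:-0}" = 1 ]; then ipt -t nat -D $(rule_spec); fi
}

show_nat() {
    # Rules as iptables-save would print them; live translations are in /proc/net/nf_conntrack.
    ipt -t nat -S OUTPUT
}

persist() {
    # iptables-save only writes the ruleset the kernel already enforces to a
    # file for a later restore; a rule added with -A is effective immediately.
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables-save -f $RULES_FILE"; else iptables-save -f "$RULES_FILE"; fi
}

# Dispatch only when an action is given; sourcing the file just defines the functions.
[ $# -eq 0 ] || case "$1" in
    add)  add_redirect ;;
    del)  del_redirect ;;
    show) show_nat ;;
    save) persist ;;
    *)    echo "usage: $0 {add|del|show|save}" >&2; exit 2 ;;
esac
```

`sudo ./redirect.sh add` installs the rule, `show` prints the chain, `del` removes it, and `save` answers the persistence question from the first post: the rule is live as soon as `-A` returns, and `iptables-save` merely records the current kernel state for a later restore. `DRY_RUN=1 ./redirect.sh add` shows the exact command line without touching the kernel.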

#5 2022-08-18 08:05:15

dimich
Member
From: Kharkiv, Ukraine
Registered: 2009-11-03
Posts: 254

Re: [SOLVED] Forward one ip + port to another ip + port

As @-thc answered, DNAT in the OUTPUT chain should work on the TCP layer. But you are using HTTP on top. Are you sure the HTTP server on 192.168.1.1 will accept a request with "Host: 192.168.2.1" in the header?

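To make dimich's point concrete, here is an added example (mine, not from the thread): a tiny virtual-host-aware HTTP server on 127.0.0.1 and a client that talks to it the way a DNATed `git clone http://192.168.2.1/...` would, i.e. the TCP connection reaches the real server while the Host header, which the client builds from its URL and the kernel never sees, still says 192.168.2.1. The addresses from the thread appear only as header values; the handler, its 421 answer and the list of accepted names are assumptions for the demo, not the behaviour of git or of any particular server.

```python
"""Added example (not from the thread): a TCP-level redirect such as the
OUTPUT-chain DNAT leaves the HTTP Host header untouched, so the server at the
real address receives "Host: 192.168.2.1" even though the connection arrived
on 192.168.1.1:1234. This script reproduces that on 127.0.0.1: a small
virtual-host-aware server records the Host header it sees and answers
421 Misdirected Request for names it is not configured for.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

FAKE_HOST = "192.168.2.1"        # name the scripts dial; ends up in Host:
REAL_HOST = "192.168.1.1:1234"   # name the redirected TCP connection really reaches
# Both come from the thread and are used only as header values here.


class VhostHandler(BaseHTTPRequestHandler):
    """Serves only requests whose Host header names a configured virtual host.
    The 421 answer is an assumption for this demo; real servers may instead
    fall back to a default site, which can equally well be the wrong one."""
    accepted_hosts = {REAL_HOST}
    seen = []   # Host headers received, in order

    def do_GET(self):
        host = self.headers.get("Host", "")
        self.seen.append(host)
        if host in self.accepted_hosts:
            status, body = 200, b"ok"
        else:
            status, body = 421, b"unknown virtual host"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass   # keep the demo quiet


def request_with_host(server_addr, host_header, path="/some/repo/info/refs"):
    """Connect to server_addr (where DNAT delivers the SYN) but send the Host
    header the client built from its URL (which DNAT cannot rewrite)."""
    conn = http.client.HTTPConnection(*server_addr, timeout=5)
    conn.putrequest("GET", path, skip_host=True)
    conn.putheader("Host", host_header)
    conn.endheaders()
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def run_demo(accepted_hosts=(REAL_HOST,)):
    """Start a server on an ephemeral loopback port and issue two requests.
    Returns (status for Host: FAKE_HOST, status for Host: REAL_HOST, hosts seen)."""
    VhostHandler.accepted_hosts = set(accepted_hosts)
    VhostHandler.seen = []
    server = HTTPServer(("127.0.0.1", 0), VhostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        misdirected = request_with_host(server.server_address, FAKE_HOST)
        direct = request_with_host(server.server_address, REAL_HOST)
    finally:
        server.shutdown()
        server.server_close()
    return misdirected, direct, list(VhostHandler.seen)


if __name__ == "__main__":
    bad, good, seen = run_demo()
    print("server saw Host headers:", seen)
    print(f"Host: {FAKE_HOST} -> HTTP {bad}   (what git sends after the DNAT)")
    print(f"Host: {REAL_HOST} -> HTTP {good}   (what the server expects)")
    bad, good, _ = run_demo(accepted_hosts=(FAKE_HOST, REAL_HOST))
    print(f"after adding {FAKE_HOST} as a server name: HTTP {bad} / {good}")
```

The first run shows the failure mode dimich asks about: the server is reached, but the request names a host it does not serve. The second run shows the fix on the server side, adding 192.168.2.1 as an accepted name. A server that simply serves one site regardless of the Host header, as the one in this thread evidently does, never notices the mismatch.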

#6 2022-08-18 19:38:23

Lord Bo
Member
Registered: 2012-11-11
Posts: 168

Re: [SOLVED] Forward one ip + port to another ip + port

@-thc Great, it actually works. Thank You!

So OUTPUT means the packet is just leaving the firewall and in this case is just forwarded to 192.168.1.1:1234 without changing the header, which of course normally just contains the valid IP of the host to which any responses are then returned from 192.168.1.1:1234. However, how does the host system know to which socket it must pass the packet from 192.168.1.1:1234? It normally would only expect packets from 192.168.2.1, wouldn't it?

@dimich Thanks for your consideration! As the forwarding of @-thc works and it doesn't change the header in HTTP (and it never would, as far as I understand it, because iptables works on the layer below), it probably does. Thanks for reminding me about layers. It's really been some time. Offtopic: Wish the best for You and your family in these troubled times!

Last edited by Lord Bo (2022-08-18 19:41:50)

#7 2022-08-19 06:06:53

-thc
Member
Registered: 2017-03-15
Posts: 580

Re: [SOLVED] Forward one ip + port to another ip + port

Lord Bo wrote:

So OUTPUT means the packet is just leaving the firewall and in this case is just forwarded to 192.168.1.1:1234 without changing the header, which of course normally just contains the valid IP of the host to which any responses are then returned from 192.168.1.1:1234. However, how does the host system know to which socket it must pass the packet from 192.168.1.1:1234? It normally would only expect packets from 192.168.2.1, wouldn't it?

Each time a NAT table rule is matched, the kernel rewrites the packet's destination address/port and creates a connection tracking table entry (with the local source port) for this connection. The return packets match the entry (local port) and will be implicitly rewritten again with the old destination address as their source. The application communicates exclusively with 192.168.2.1 in both directions.

#8 2022-08-19 06:41:04

dimich
Member
From: Kharkiv, Ukraine
Registered: 2009-11-03
Posts: 254

Re: [SOLVED] Forward one ip + port to another ip + port

Lord Bo wrote:

However, how does the host system know to which socket it must pass the packet from 192.168.1.1:1234? It normally would only expect packets from 192.168.2.1, wouldn't it?

When DNAT translates the destination to 192.168.1.1:1234 it stores the original source/destination pair in the connection tracking table. You can see the whole table in /proc/net/nf_conntrack and only the NATed connections with `netstat-nat -n`. When a reply is received, it performs the reverse translation. Here:

Usually the link doing NAT will remember how it mangled a packet, and when a reply packet passes through the other way, it will do the reverse mangling on that reply packet, so everything works.

Lord Bo wrote:

Offtopic: Wish the best for You and your family in these troubled times!

Thank you!

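To make the two explanations above (posts #7 and #8) concrete, an added example that is not part of the thread: a small parser for the /proc/net/nf_conntrack text format that splits each entry into its original and reply tuples, flags DNAT or SNAT by comparing them, and mimics the kernel's reverse lookup for an incoming reply packet. The sample entries are constructed for this example (the DNATed one corresponds to -thc's rule, the others are ordinary flows); the helper names are mine. Reading the real file needs root and the nf_conntrack module loaded, so the script falls back to the constructed data when no file is given.

```python
"""Added example (not from the thread): parse /proc/net/nf_conntrack entries and
show how the kernel reverses a DNAT using the stored REPLY tuple.

Each entry holds two 4-tuples: ORIGINAL (what the application sent) and REPLY
(what the kernel expects back). With -thc's OUTPUT-chain DNAT the original
destination is still 192.168.2.1:80, while the reply source is the real server
192.168.1.1:1234; an incoming packet matching the reply tuple is rewritten so
the socket sees it as coming from 192.168.2.1:80.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample lines in nf_conntrack format (not captured from a real host):
# a DNATed git-over-HTTP connection, an untranslated SSH connection and a
# not-yet-answered DNS query.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431995 ESTABLISHED src=192.168.1.50 dst=192.168.2.1 sport=41234 dport=80 src=192.168.1.1 dst=192.168.1.50 sport=1234 dport=41234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=192.168.1.50 dst=192.168.1.1 sport=41300 dport=22 src=192.168.1.1 dst=192.168.1.50 sport=22 dport=41300 [ASSURED] mark=0 zone=0 use=1
ipv4     2 udp      17 29 src=192.168.1.50 dst=192.168.1.1 sport=53911 dport=53 [UNREPLIED] src=192.168.1.1 dst=192.168.1.50 sport=53 dport=53911 mark=0 zone=0 use=1
"""


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Entry:
    proto: str
    state: Optional[str]       # TCP state word; UDP entries have none
    original: Tuple4           # direction the local application sent
    reply: Tuple4              # direction the kernel expects answers from
    unreplied: bool

    @property
    def dnat(self) -> bool:
        # The destination was rewritten if replies come from somewhere other
        # than where the application believes it connected.
        return (self.reply.src, self.reply.sport) != (self.original.dst, self.original.dport)

    @property
    def snat(self) -> bool:
        # The source was rewritten if replies are addressed to something other
        # than the application's own address/port.
        return (self.reply.dst, self.reply.dport) != (self.original.src, self.original.sport)


_KV = re.compile(r"(\w+)=(\S+)")
_TUPLE_KEYS = ("src", "dst", "sport", "dport")


def _tuple(kvs: List[Tuple[str, str]]) -> Tuple4:
    d = dict(kvs)
    return Tuple4(d["src"], d["dst"], int(d["sport"]), int(d["dport"]))


def parse_line(line: str) -> Optional[Entry]:
    """Parse one nf_conntrack line; returns None for protocols without ports
    (ICMP entries carry type=/code=/id= instead)."""
    fields = line.split()
    proto = fields[2]
    # Field 5 is a state word for TCP (ESTABLISHED, TIME_WAIT, ...); for UDP the
    # first key=value pair already starts there.
    state = fields[5] if "=" not in fields[5] and not fields[5].startswith("[") else None
    tuple_kvs = [kv for kv in _KV.findall(line) if kv[0] in _TUPLE_KEYS]
    if len(tuple_kvs) != 8:
        return None
    # First src/dst/sport/dport group is the original direction, second the reply.
    return Entry(proto, state, _tuple(tuple_kvs[:4]), _tuple(tuple_kvs[4:]),
                 "[UNREPLIED]" in fields)


def parse_conntrack(lines: Iterable[str]) -> List[Entry]:
    entries = []
    for line in lines:
        if line.strip():
            entry = parse_line(line)
            if entry is not None:
                entries.append(entry)
    return entries


def untranslate_reply(entries: List[Entry], src: str, sport: int,
                      dst: str, dport: int) -> Optional[Tuple[str, int]]:
    """Mimic the kernel's lookup for an incoming packet: match it against the
    REPLY tuples (the local port dport picks the connection) and return the
    (src, sport) the socket will see after the reverse translation."""
    for e in entries:
        if (e.reply.src, e.reply.sport, e.reply.dst, e.reply.dport) == (src, sport, dst, dport):
            return (e.original.dst, e.original.dport)
    return None   # no conntrack entry: the packet is not part of a tracked flow


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:   # e.g. /proc/net/nf_conntrack, needs root
            entries = parse_conntrack(f)
    else:
        entries = parse_conntrack(SAMPLE_CONNTRACK.splitlines())
    for e in entries:
        kind = "DNAT" if e.dnat else "SNAT" if e.snat else "plain"
        print(f"{e.proto:3} {e.state or '-':11} {kind:5} app sees {e.original.dst}:{e.original.dport}"
              f" <- replies from {e.reply.src}:{e.reply.sport}")
    print(untranslate_reply(entries, "192.168.1.1", 1234, "192.168.1.50", 41234))
```

The answer to Lord Bo's question is the local port: a reply from 192.168.1.1:1234 to local port 41234 matches exactly one reply tuple, and the entry's original destination (192.168.2.1:80) is what the socket gets as the sender. `sudo python3 conntrack_demo.py /proc/net/nf_conntrack` runs the same logic on the live table while a redirected `git clone` is in progress.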

#9 2022-08-19 09:40:36

Lord Bo
Member
Registered: 2012-11-11
Posts: 168

Re: [SOLVED] Forward one ip + port to another ip + port

Thank You for your help, all of You. That was enlightening!
