From: Daniele Orlando on
Hello guys,

on my Debian 5 I'm trying to redirect
the TCP traffic generated by my machine
towards 127.0.0.1:5432 (PostgreSQL)
to the new destination 192.168.1.113:5432.

I have tried many rules with iptables, but none seems good for the task.

Any idea?


--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/AANLkTilPUtvPvdqiZJuOUKcpcXCIRFxNy4Oyak7oNCx4(a)mail.gmail.com
From: Boyd Stephen Smith Jr. on
On Thursday 08 July 2010 22:54:50 Daniele Orlando wrote:
> on my Debian 5 I'm trying to redirect
> the TCP traffic generated by my machine
> towards 127.0.0.1:5432 (PostgreSQL)
> to the new destination 192.168.1.113:5432.
>
> I have tried many rules with iptables, but none seems good for the task.
>
> Any idea?

What have you tried? It seems like you'd need to change this in a PREROUTING
chain, probably in the mangle table.

Also, depending on the application it may be using the "unix socket" instead of
TCP/IP to connect to PostgreSQL. In that case, iptables would not be
involved.
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss(a)iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
From: Daniele Orlando on
On Fri, Jul 9, 2010 at 08:34, Boyd Stephen Smith Jr.
<bss(a)iguanasuicide.net> wrote:
> What have you tried?  It seems like you'd need to change this in a PREROUTING
> chain, probably in the mangle table.
>
> Also, depending on the application it may be using the "unix socket" instead of
> TCP/IP to connect to PostgreSQL.  In that case, iptables would not be
> involved.

I have tried every configuration of PREROUTING, POSTROUTING and OUTPUT over
the nat table.
I have not tried the mangle table, but I know it is used to change the
packet headers, and I think that is not our case.

I have made many attempts with other protocols and tools (netcat is one of these),
and the problem is not the unix socket because in every case I forced the use
of the 127.0.0.1 host (especially with the postgres client).

The problem seems to reside in how netfilter processes packets on the lo
device and the localhost IP family.

This is a related post in Italian:
http://lists.debian.org/debian-italian/2010/07/msg00148.html

And this is the workaround we came up with:
http://lists.debian.org/debian-italian/2010/07/msg00170.html


From: Charles Kroeger on
>Any idea?

My idea would be for you to install a package called 'arno-iptables-firewall'
Then join their list discussions, much good information proffered there to
assist with this problem.

firewall-request(a)rocky.eld.leidenuniv.nl?subject=subscribe

--
CK


From: Daniele Orlando on
On Fri, Jul 9, 2010 at 19:09, Toan Pham <tpham3783(a)gmail.com> wrote:
> Here's the trick,
>
> # Trick the kernel to route localhost ip (127.0.0.1) in prerouting
> # rule, and continue routing out through the valid network interface
> # (not the loopback interface).
> ifconfig eth0:0 127.0.0.1
>
> # Setup NAT Table to redirect traffic
> iptables -t nat -A PREROUTING -p tcp --dport 5432 -j DNAT --to 192.168.1.113:5432
>
>
> I haven't tried it yet, let me know if it works.

Thanks, but it doesn't work.

Someone told me on a forum:
"""
You cannot redirect loopback traffic with iptables.
"""
I'm investigating this statement.

reference:
http://www.linuxquestions.org/questions/showthread.php?p=4027927


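Added example, not written by any poster in this thread and not the workaround linked above: a userspace TCP relay that accepts connections on 127.0.0.1:5432 and forwards them to 192.168.1.113:5432, so the loopback packets never need to be rewritten by netfilter. The function names are assumptions made for this example; the addresses are the ones from the original question.

```python
import contextlib
import socket
import threading

# Addresses from the original question; nothing else may hold 127.0.0.1:5432.
LISTEN = ("127.0.0.1", 5432)
TARGET = ("192.168.1.113", 5432)

def pump(src, dst):
    """Copy bytes src -> dst until EOF or error, then half-close dst."""
    with contextlib.suppress(OSError):
        while (data := src.recv(65536)):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle(client, target):
    """Relay one accepted client connection to the target, in both directions."""
    try:
        upstream = socket.create_connection(target, timeout=10)
    except OSError:
        client.close()  # target unreachable: drop the client
        return
    upstream.settimeout(None)  # timeout applies to connect only; idle sessions stay open
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()

def serve(listen=LISTEN, target=TARGET):
    """Bind to loopback only, accept in a background thread, return the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(16)
    def accept_loop():
        while True:
            client, _ = srv.accept()
            threading.Thread(target=handle, args=(client, target), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

if __name__ == "__main__":
    serve()
    threading.Event().wait()  # keep the process alive while the relay threads run
```

Because the listener is bound to 127.0.0.1 only, the relay is reachable from the local machine alone and does not expose the remote database to other hosts. The relay forwards bytes unchanged, so any TLS negotiated by the PostgreSQL client passes through end to end.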