Hello,

I have a machine which redirects all connections going out to any TCP port 22 to localhost TCP port 12345. My little daemon that listens on port 12345 gives me this info:

    Connection accepted peer ip: 192.168.13.12, peer port: 49939, host ip: 192.168.13.12, host port: 12345

cat /proc/net/conntrack shows the connection, and so does conntrack -L. However, the same command with -G returns an error:

    root@test:~# conntrack -L -s 192.168.13.12 -q 192.168.13.12 -p tcp --orig-port-src 49939 --reply-port-src 12345
    tcp      6 431950 ESTABLISHED src=192.168.13.12 dst=217.20.131.2 sport=49939 dport=22 packets=2 bytes=112 src=127.0.0.1 dst=192.168.13.12 sport=12345 dport=49939 packets=1 bytes=60 [ASSURED] mark=0 use=1
    root@test:~# conntrack -G -s 192.168.13.12 -q 192.168.13.12 -p tcp --orig-port-src 49939 --reply-port-src 12345
    Operation failed: such conntrack doesn't exist

The redirection is done as:

    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -Z
    iptables -t nat -A OUTPUT -p tcp --destination-port 22 -j REDIRECT --to-ports 12345

I am using the latest Ubuntu, by the way (fully upgraded), with these versions:

    conntrack 1.00~beta2-1
    libnetfilter-conntrack-dev 0.0.81-1
    libnetfilter-conntrack1 0.0.81-1

Basically I am clueless here as to why -L shows the connection and -G doesn't. My goal is to transparently proxy outgoing connections through my program. Therefore I need to detect what its original destination would be from the information seen by the program on 12345.

My questions:

- Is that even possible? Please say yes :)
- Am I doing something wrong?
- Is it a bug?

I'm contacting you since user "jengelh" on the #netfilter channel (freenode) told me that this is probably a bug.

Thanks in advance,
Kalman Gergely

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
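Added example, not part of the original message and not the poster's daemon: a listener on 127.0.0.1:12345 that recovers the original destination of a REDIRECTed connection directly from the accepted socket. It assumes the Linux-only SO_ORIGINAL_DST getsockopt option (level SOL_IP, option number 80), which the netfilter REDIRECT target makes available to the process that accepts the redirected connection, so the proxy does not need to query conntrack from userspace with -G at all. The sockaddr_in layout decoded here (family, network-order port, network-order IPv4 address, padding) is the standard one; the sample bytes built in the test are constructed from the addresses in the conntrack output above. (Also worth checking against the -G invocation above: in the -L output the reply tuple's source is 127.0.0.1, while the -G filter passes -q 192.168.13.12.)

```python
"""Recover the original destination of a REDIRECTed TCP connection.

Added example, not the original poster's code. Assumes Linux netfilter and
the SO_ORIGINAL_DST socket option (SOL_IP, optname 80) that the REDIRECT
target exposes on the accepted socket.
"""
import socket
import struct
from typing import Tuple

# Linux constants. SO_ORIGINAL_DST is not exported by Python's socket module.
SOL_IP = getattr(socket, "SOL_IP", 0)
SO_ORIGINAL_DST = 80
LISTEN_PORT = 12345  # the port the REDIRECT rule sends port-22 traffic to


def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Pack a struct sockaddr_in the way the kernel returns it.

    Used here to construct test input; the kernel fills the same layout:
    sin_family (2 bytes, host order), sin_port (2 bytes, network order),
    sin_addr (4 bytes, network order), 8 bytes of zero padding.
    """
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(ip)
            + bytes(8))


def parse_original_dst(raw: bytes) -> Tuple[str, int]:
    """Decode the sockaddr_in buffer returned by SO_ORIGINAL_DST."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    port = struct.unpack("!H", raw[2:4])[0]
    ip = socket.inet_ntoa(raw[4:8])
    return ip, port


def original_destination(conn: socket.socket) -> Tuple[str, int]:
    """Ask the kernel where this redirected connection was really headed."""
    raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16)
    return parse_original_dst(raw)


def serve(listen_port: int = LISTEN_PORT) -> None:
    """Accept redirected connections and report their original destination."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", listen_port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            with conn:
                try:
                    dst_ip, dst_port = original_destination(conn)
                except OSError as exc:
                    # Not a netfilter-redirected socket (e.g. a direct
                    # connection to 12345 made for testing).
                    print("peer %s:%d: no original destination (%s)"
                          % (peer[0], peer[1], exc))
                    continue
                print("peer %s:%d was going to %s:%d"
                      % (peer[0], peer[1], dst_ip, dst_port))


if __name__ == "__main__":
    serve()
```

With the REDIRECT rule from the message in place, an outgoing `ssh 217.20.131.2` lands on this listener, and `original_destination()` returns `("217.20.131.2", 22)`, the same original tuple that `conntrack -L` prints as `dst=217.20.131.2 ... dport=22`; the `OSError` branch is what a connection that was not NATed looks like, so a proxy should treat it as "no redirect information" rather than as a client error.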