Re: using PREROUTING to change destination

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 03/14/17 09:56, Ran Shalit wrote:

I understand from your reply that REDIRECT rule for the destination
port will change the destination port, so that the real
destination(="final destination") is in the packet header  (and there
is no memory for the original destination any where else).
REDIRECT is totally different from DNAT. Destination Network Address Translation sends the packet off to a different machine (well IP address, which could be another address on the current machine but that's _super_ _rare_) so one might DNAT some packets arriving on your firewall through to your Web Server, and others over to your XBox witch is clearly never the same machine as your firewall.
REDIRECT says "this service is here on the firewall, but at a different port than this packet thinks it would be. 

Here's a REDIRECT example.
I want to run a web server. I decide to run it on the firewall. I don't want the WebServer processes to be run as root because if someone breaks into the WebServer I don't want them to have any special root privileges. A process needs to be a root process to take over port eighty because its less than port 1024. 

So now what?
Well I create the web server user with no dangerous privilege and tell it to use an unprivileged port (typically 8080). 

Then...
iptables --table nat --append PREROUTING --protocol tcp --dport 80 --jump REDIRECT --to-port 8080
So the web server user can now open and close 8080 as needed with Just Plain User™ rights, and I don't have to tell the entire world to use 8080 instead of the default.
And again the connection tracking system is going to do all the translations automagically for the connections after you DNAT, SNAT, or REDIRECT the first packet. So if you do a "iptables --table nat --list --verbose" the packet count is more-or-less the 'new connections' or 'new flows' count for the rule. The connection tracker keeps the necessary records of what's been changed for what so that you don't have to think about that part of this at all (in most settings).
Again, saying/spelling the whole long-form arguments out is very helpful in picking all this skill set up more quickly. 

--Rob
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux