david NEW <david@xxxxxxxxx> wrote:
> I ran "tcpdump port 80" and saw the incoming packet. Then I repeated the
> process, watching port 8080 this time, but no packets were captured.
> I assumed it never went through.
>
> I have never worked with tcpdump before, so there may be some mistakes on my
> side.
>
> I do not know what a "reverse xlate rule" is - can you show me how you would
> write this rule, please?

It won't work for your use case.

> I do not care how it is written as long as the netfilter rule checks the source
> address (from the set) that asks for a connection to port 80, 443... and redirects
> it to IP:8080 where the web server error page awaits.

Use nat + redirect.

Stateless nat only works for simple use cases, like this for instance:

    table inet crap {
        chain prerouting {
            type filter hook prerouting priority -500; policy accept;
            # rewrite destination in place and skip conntrack for this flow
            ip saddr 192.168.7.10 tcp dport { 80, 443 } ip daddr set 192.168.0.7 tcp dport set 8080 notrack
        }
        chain output {
            type route hook output priority -500; policy accept;
            # reverse translation for the replies: 192.168.0.7:8080 -> 192.168.7.1:80
            tcp sport 8080 tcp sport set 80 ip saddr set 192.168.7.1
        }
    }

This works: the client connects to 192.168.7.1:80 but really talks to 192.168.0.7:8080.
The output rule is needed to reverse translate 192.168.0.7 to 192.168.7.1 and 8080 to 80.

Without it, you get

    192.168.7.10.39472 > 192.168.7.1.80: Flags [S], seq 16468682, win 64..
    192.168.0.7.8080 > 192.168.7.10.39472: Flags [S.], seq 47272, ack 16468683, win 65 ..
    192.168.7.10.39472 > 192.168.0.7.8080: Flags [R], seq 16468683

In your case, you don't have the original address anymore, so you can't create the reverse rule.

    table ip nat {
        chain prerouting {
            type nat hook prerouting priority dstnat; policy accept;
            # conntrack records the original destination, so replies are un-translated automatically
            ip saddr @bad tcp dport { 80, 443 } redirect to :8080
        }
    }

will work because conntrack/nat handles the reverse translation.
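The three-line tcpdump excerpt in the reply is the signature of a missing reverse translation: the client sends a SYN to one endpoint, the SYN-ACK arrives from a different one, and the client answers with RST. The following script is an added example, not part of the thread and not anything the netfilter project ships; it parses tcpdump's default IPv4 TCP line format (with or without the leading timestamp and "IP ") and flags every flow whose SYN-ACK came from an endpoint other than the one the SYN was sent to. The sample trace is constructed from the lines quoted above plus one healthy flow, as a check that can be run over a real capture before and after switching from stateless nat to the conntrack-based redirect.

```python
import re
from dataclasses import dataclass

# Endpoint/flags part of a tcpdump TCP line; search() ignores any leading
# "HH:MM:SS.usec IP " prefix that tcpdump normally prints.
_LINE = re.compile(
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass
class Finding:
    client: tuple        # (ip, port) the client used for the flow
    expected: tuple      # (ip, port) the client sent its SYN to
    actual: tuple        # (ip, port) the SYN-ACK really came from
    reset: bool = False  # True if the client then RST the unexpected endpoint


def analyze(lines):
    """Return one Finding per client flow whose SYN-ACK did not come from
    the endpoint the client connected to (i.e. the reply was not reverse
    translated), noting whether the client tore the flow down with RST."""
    expected = {}   # client (ip, port) -> server (ip, port), taken from the SYN
    findings = {}   # client (ip, port) -> Finding
    for line in lines:
        m = _LINE.search(line)
        if not m:
            continue                      # non-TCP or unparsable line
        src = (m["sip"], int(m["sport"]))
        dst = (m["dip"], int(m["dport"]))
        flags = m["flags"]
        if flags == "S":                  # client SYN: remember where it went
            expected[src] = dst
        elif flags == "S.":               # SYN-ACK: must come from that endpoint
            want = expected.get(dst)
            if want is not None and want != src:
                findings[dst] = Finding(client=dst, expected=want, actual=src)
        elif "R" in flags:                # RST from the client to the wrong endpoint
            f = findings.get(src)
            if f is not None and f.actual == dst:
                f.reset = True
    return list(findings.values())


# Constructed sample: the broken flow quoted in the reply (stateless nat
# without the reverse rule) followed by a healthy flow as tcpdump prints it.
SAMPLE_TRACE = [
    "192.168.7.10.39472 > 192.168.7.1.80: Flags [S], seq 16468682, win 64..",
    "192.168.0.7.8080 > 192.168.7.10.39472: Flags [S.], seq 47272, ack 16468683, win 65 ..",
    "192.168.7.10.39472 > 192.168.0.7.8080: Flags [R], seq 16468683",
    "12:00:01.000100 IP 192.168.7.11.40000 > 192.168.7.1.80: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000300 IP 192.168.7.1.80 > 192.168.7.11.40000: Flags [S.], seq 2, ack 2, win 65160, length 0",
    "12:00:01.000400 IP 192.168.7.11.40000 > 192.168.7.1.80: Flags [.], ack 1, win 502, length 0",
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_TRACE):
        print(f"client {f.client[0]}:{f.client[1]} connected to "
              f"{f.expected[0]}:{f.expected[1]} but SYN-ACK came from "
              f"{f.actual[0]}:{f.actual[1]}; reset={f.reset}")
```

Feed it `tcpdump -n tcp` output captured on the client-facing interface; with the conntrack-based `redirect` ruleset the list comes back empty because the reply is rewritten back to the original address and port before it leaves. Note that the `@bad` set referenced in the reply's last ruleset has to be declared in the same table (at minimum `set bad { type ipv4_addr; }`, with `flags interval` if it holds prefixes) or the ruleset will not load.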