iptables a host:port redirect

[Jaroslav Prodelal]

Dobry den,

   ma problem s presmerovani paketu pomoci iptables:

CLIENT -> REDIRECT_HOST -> DESTINATION

Na REDIRECT_HOST mam v iptables:

$IPTABLES -t nat -A PREROUTING -p tcp --dport 2233 -d $EXT_ADDR -j DNAT
--to 1.2.3.4:80
$IPTABLES -A FORWARD -p tcp -d 1.2.3.4 --dport 80 -m state --state
NEW,ESTABLISHED,RELATED -j ACCEPT

CLIENT zadny firewall nema a DESTINATION ma samorejme port 80 pristupny.

Kdyz si dam ale na DESTINATION tcpdump:
18:43:40.150115 CLIENT.34305 > DESTINATION.www: S 92619236:92619236(0)
win 5840 <mss 1460,sackOK,timestamp 30068436 0,nop,wscale 2> (DF) [tos 0x10]

18:43:40.151129 DESTINATION.www > CLIENT.34305: S
2669933070:2669933070(0) ack 92619237 win 5792 <mss
1460,sackOK,timestamp 2841378128 30068436,nop,wscale 2> (DF)

18:43:40.167113 CLIENT.34305 > DESTINATION.www: R 92619237:92619237(0)
win 0 (DF)

a to se opakujes az do timeoutu.

   Ve vsech navodech jsem to nasel tak, ale me to nefunguje. Pakety jsem
zatim neanalyzoval.

Kdyz se odkazu na to presmerovani primo, tedy udelam komunikaci
CLIENT->DESTINATION.

18:44:11.288338 CLIENT.34306 > DESTINATION.www: S 125086755:125086755(0)
win 5840 <mss 1460,sackOK,timestamp 30099583 0,nop,wscale 2> (DF)

18:44:11.289337 DESTINATION.www > CLIENT.34306: S
2707016870:2707016870(0) ack 125086756 win 5792 <mss
1460,sackOK,timestamp 2841409269 30099583,nop,wscale 2> (DF)

18:44:11.304863 CLIENT.34306 > DESTINATION.www: . ack 1 win 1460
<nop,nop,timestamp 30099600 2841409269> (DF)
....

a je to bez problemu.

   Tim tcpdumpem jsem zachytaval jenom to, co slo NA nebo Z adresy
DESTINATION, tedy jsem se nezajimal o to, co litalo mezi
CLIENT->REDIRECT_HOST, ale vzhledem k tomu, ze prepisu prijemce, tak uz
spolu dal CLIENT a REDIRECT_HOST nekomunikuji (predpokladam, co se tyka
1 spojeni).

   Diky za vase napady.

--ogee