
Saturday, June 28, 2014

Re: "ipfw fwd" command alternative in debian

Hello,

M. V. wrote:
>
> I'm porting one of my FreeBSD programs into Debian. I wanted to
> know if I can have an iptables rule (or use any other service) which
> work exactly similar to "ipfw forward" command in FreeBSD.
> "ipfw forward" just changes dst-port of the packet, and other
> parameters like "src-ip", "src-port" and "dst-ip" of the packet stay the
> same. for example, if I define this rule:
> ipfw add 100 fwd 127.0.0.1,1234 tcp from any to any dst-port 80 in

What does the loopback address 127.0.0.1 represent here?

> now if I have a tcp-server listening on port-1234, I can discover the
> original ip/port of both source and destination of any http request
> which passes through my box and generate a valid response to it (just
> dst-port is changed to 1234, which I know was originally 80).
> but in linux with iptables, it seems I just have iptables nat rules,
> which changes "dst-ip" of the packet as well:
> iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 1234
> this iptables rule changes "dst-ip" of the packet as well as
> "dst-port" which is not good for me.

Indeed REDIRECT changes the destination address to the primary address
of the incoming interface. However the original destination address can
be retrieved through the connection tracking table. This is how
transparent proxies such as squid cache traditionally work.

You can use "-j DNAT --to :1234" instead to change only the port.
However, if the destination address is not a local address and you don't
change it to a local (but not loopback) address, then the packet will be
forwarded to the original destination host as only the destination port
was altered.

Maybe what you need is TPROXY.


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: https://lists.debian.org/53AE74CD.8030100@plouf.fr.eu.org
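The two mechanisms the reply describes, recovering the pre-NAT destination from the connection tracking table after REDIRECT/DNAT and letting TPROXY deliver the packet with its original destination intact, in one small listener. This is an added example and not code from the original poster or the thread. It assumes Linux, root, the iptables/ip rules quoted in the docstring, the constants SO_ORIGINAL_DST=80 and IP_TRANSPARENT=19 from the kernel headers, and a constructed sockaddr_in sample for the self-check.

```python
"""Transparent-proxy listener that recovers the address a client originally
dialled.  Added example for this thread, not code from the original poster.

Assumed setup (Linux, run as root).  Either let the nat table rewrite the
destination and ask conntrack for the original tuple afterwards:

    iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 1234
    # or, rewriting the port only (dst-ip must already be a local address):
    iptables -t nat -I PREROUTING -p tcp --dport 80 -j DNAT --to :1234

or deliver the packet unchanged with TPROXY (start this script with --tproxy):

    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \
        --on-port 1234 --tproxy-mark 0x1/0x1
    ip rule add fwmark 1 lookup 100
    ip route add local 0.0.0.0/0 dev lo table 100

Packets sent straight to port 1234 carry no DNAT conntrack state; drop them
so only redirected flows reach the listener:

    iptables -A INPUT -p tcp --dport 1234 -m conntrack ! --ctstate DNAT -j DROP
"""
import socket
import struct
import sys

SO_ORIGINAL_DST = 80                                    # linux/netfilter_ipv4.h
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)  # linux/in.h


def parse_sockaddr_in(raw: bytes) -> tuple:
    """Decode the struct sockaddr_in that getsockopt(SO_ORIGINAL_DST) returns."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in: %d bytes" % len(raw))
    (family,) = struct.unpack_from("=H", raw, 0)   # sa_family_t: host byte order
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr (family %d)" % family)
    (port,) = struct.unpack_from("!H", raw, 2)     # sin_port: network byte order
    return socket.inet_ntoa(raw[4:8]), port        # sin_addr: 4 raw bytes


def original_destination(conn: socket.socket) -> tuple:
    """(ip, port) the client really connected to, whichever rule delivered it.

    After REDIRECT/DNAT the socket's local address is the rewritten one, so
    the pre-NAT tuple has to come from conntrack via SO_ORIGINAL_DST.  With
    TPROXY (or no NAT at all) the packet was never rewritten, so the socket's
    own local address is the answer; SO_ORIGINAL_DST then either returns the
    same tuple or fails because there is no conntrack entry for the flow.
    """
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
    except OSError:
        return conn.getsockname()[:2]
    return parse_sockaddr_in(raw)


def build_reply(peer: tuple, dst: tuple) -> bytes:
    """Minimal HTTP/1.0 response echoing both original endpoints of the flow."""
    body = ("client %s:%d connected to %s:%d\n"
            % (peer[0], peer[1], dst[0], dst[1])).encode()
    head = ("HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
            "Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body))
    return head.encode() + body


def serve(port: int = 1234, transparent: bool = False) -> None:
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if transparent:
        # accept connections to addresses that are not local (TPROXY case);
        # setting this needs CAP_NET_ADMIN
        srv.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)
    # bind the wildcard, not 127.0.0.1: REDIRECT rewrites dst-ip to the
    # primary address of the incoming interface, which is not the loopback
    srv.bind(("0.0.0.0", port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        with conn:
            conn.recv(4096)  # consume the request line; its content is unused here
            conn.sendall(build_reply(peer, original_destination(conn)))


# constructed sample: the bytes the kernel hands back for an original
# destination of 203.0.113.10:80 (8 bytes of sin_zero padding included)
SAMPLE_SOCKADDR = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 80)
                   + socket.inet_aton("203.0.113.10") + bytes(8))

if __name__ == "__main__":
    serve(transparent="--tproxy" in sys.argv)
```

With the REDIRECT or DNAT rule in place, `sudo python3 listener.py` answers every port-80 connection that crosses the box with the client's address and the address it actually asked for; with the TPROXY rules, start it as `sudo python3 listener.py --tproxy` and the same reply comes from getsockname() alone.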
