failure to apply snat mapping?
Hi,

Let's say that I have an app that connects to IP address 1.2.3.4, and uses tproxy to fake the source address as 5.6.7.8. Bind the socket, then call into tproxy, and then connect() and ta da -- everything works as expected.

Now I decide that that app should not connect to 1.2.3.4, but instead to 1.2.3.5. I don't want to modify the source and restart it, so I add a nat rule in the iptables nat/OUTPUT chain to DNAT the address to 1.2.3.5.

The app now (unknowingly) connects to 1.2.3.5, and that works fine. But... the source address used for the connection is now the source address of the box and no longer 5.6.7.8? :((

Is this a case of "Don't do that, then!!"?

I'm using "tproxy-2.4.22-1.1.3.diff" patched into a Red Hat 2.4.20 kernel (2.4.20-20.9 to be exact) on a uniproc P4 2.4GHz, 1G RAM.

cheers,
Lennert
Hi,

Hacked manual dnat support into the app and scheduled a time slot to restart it, so this question is not all that important to me any more right now, but I'm still interested.

cheers,
Lennert

On Wed, Apr 21, 2004 at 07:35:37PM +0200, Lennert Buytenhek wrote:
> Hi,
>
> Let's say that I have an app that connects to IP address 1.2.3.4, and uses tproxy to fake the source address as 5.6.7.8. Bind the socket, then call into tproxy, and then connect() and ta da -- everything works as expected.
>
> Now I decide that that app should not connect to 1.2.3.4, but instead to 1.2.3.5. I don't want to modify the source and restart it, so I add a nat rule in the iptables nat/OUTPUT chain to DNAT the address to 1.2.3.5.
>
> The app now (unknowingly) connects to 1.2.3.5, and that works fine. But... the source address used for the connection is now the source address of the box and no longer 5.6.7.8? :((
>
> Is this a case of "Don't do that, then!!"?
>
> I'm using "tproxy-2.4.22-1.1.3.diff" patched into a Red Hat 2.4.20 kernel (2.4.20-20.9 to be exact) on a uniproc P4 2.4GHz, 1G RAM.
>
> cheers,
> Lennert
> _______________________________________________
> tproxy mailing list
> tproxy@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy
Hi,

On Wed, 2004-04-21 at 19:35, Lennert Buytenhek wrote:
> Let's say that I have an app that connects to IP address 1.2.3.4, and uses tproxy to fake the source address as 5.6.7.8. Bind the socket, then call into tproxy, and then connect() and ta da -- everything works as expected.
>
> Now I decide that that app should not connect to 1.2.3.4, but instead to 1.2.3.5. I don't want to modify the source and restart it, so I add a nat rule in the iptables nat/OUTPUT chain to DNAT the address to 1.2.3.5.
>
> The app now (unknowingly) connects to 1.2.3.5, and that works fine. But... the source address used for the connection is now the source address of the box and no longer 5.6.7.8? :((

Do you have "NAT of local connections" enabled or disabled?

--
Regards,
Krisztian KOVACS
On Fri, Apr 23, 2004 at 11:59:43AM +0200, KOVACS Krisztian wrote:
> Hi,

Hello,

> > Let's say that I have an app that connects to IP address 1.2.3.4, and uses tproxy to fake the source address as 5.6.7.8. Bind the socket, then call into tproxy, and then connect() and ta da -- everything works as expected.
> >
> > Now I decide that that app should not connect to 1.2.3.4, but instead to 1.2.3.5. I don't want to modify the source and restart it, so I add a nat rule in the iptables nat/OUTPUT chain to DNAT the address to 1.2.3.5.
> >
> > The app now (unknowingly) connects to 1.2.3.5, and that works fine. But... the source address used for the connection is now the source address of the box and no longer 5.6.7.8? :((
>
> Do you have "NAT of local connections" enabled or disabled?

[ ... ]
CONFIG_IP_NF_TARGET_MIRROR=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_LOCAL=m           <== enabled?
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_ULOG=m
[ ... ]

--L
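One way to check from the conntrack table whether the tproxy-assigned source survived the DNAT, as an added example that is not part of the thread. It assumes the 2.4-era /proc/net/ip_conntrack line layout (original tuple followed by reply tuple) and uses constructed entries, with 192.0.2.10 standing in for the box's own address.

```python
import re

# Constructed sample entries in the 2.4-era /proc/net/ip_conntrack layout.
# The first src/dst pair is the original direction as the application sent it;
# the reply pair shows the addresses after NAT, so the applied DNAT/SNAT can be
# read back from it. 192.0.2.10 stands in for the box's own address (constructed).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=1.2.3.4 sport=40000 dport=80 src=1.2.3.4 dst=5.6.7.8 sport=80 dport=40000 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=1.2.3.4 sport=40001 dport=80 src=1.2.3.5 dst=192.0.2.10 sport=80 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=1.2.3.4 sport=40002 dport=80 src=1.2.3.5 dst=5.6.7.8 sport=80 dport=40002 [ASSURED] use=1
"""

KV = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = ("src", "dst", "sport", "dport")

def parse_conntrack(text):
    """Split each line into its original and reply tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        orig, reply = {}, {}
        for key, val in KV.findall(line):
            if key in TUPLE_KEYS:
                # first occurrence of a key is the original tuple, second the reply
                (orig if key not in orig else reply)[key] = val
        if len(orig) == 4 and len(reply) == 4:
            entries.append({"proto": line.split()[0], "orig": orig, "reply": reply})
    return entries

def nat_status(entry, expected_src):
    """Read the NAT mappings back by comparing the reply tuple with the original."""
    orig, reply = entry["orig"], entry["reply"]
    return {
        "dnat": reply["src"] != orig["dst"],      # destination was rewritten
        "snat": reply["dst"] != orig["src"],      # source was rewritten
        "effective_src": reply["dst"],            # source the peer actually sees
        "effective_dst": reply["src"],
        "source_ok": reply["dst"] == expected_src,
    }

def find_lost_mappings(text, expected_src):
    """(sport, effective_src, effective_dst) for DNATed flows whose expected source was lost."""
    lost = []
    for entry in parse_conntrack(text):
        status = nat_status(entry, expected_src)
        if status["dnat"] and not status["source_ok"]:
            lost.append((entry["orig"]["sport"], status["effective_src"], status["effective_dst"]))
    return lost
```

Run against the sample, only the second flow (sport 40001) is reported: its destination was DNATed to 1.2.3.5 but the peer sees the box address instead of 5.6.7.8, which is the symptom described in the thread.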