redirect not working right on SuSE?

Tim Smith
      03-26-2006, 03:09 AM

On my Redhat 9 system, if I do this (lines wrapped to fit):

iptables -t nat -A PREROUTING -p tcp --sport 0:65535 --dport 81 -j
REDIRECT --to-port 80
iptables -t nat -A OUTPUT -p tcp --sport 0:65535 --dport 81 -j
REDIRECT --to-port 80

and then do this:

telnet 1.2.3.4 81

I end up connected to the web server on localhost, just like I'd expect.

However, on SuSE 9.1 and SuSE 9.2, it accepts the iptables commands just
fine, and things look fine when I list things with "iptables -t nat -vL".

However, "telnet 1.2.3.4 81" tries to actually connect to 1.2.3.4, port
81. The iptables stuff has no effect whatsoever, as far as I can see.

If, however, from a second machine, I try to connect to port 81 on the
first machine, then it does end up at the first machine's web server.

So, it looks like the rules are only applying to packets from outside,
not to packets originating on the first machine.

(All other chains in all other tables are empty, and all the other
tables have default policy of accept).

SuSE does have a later version of iptables.

Which is the correct behavior? The one that is on the older Redhat
system, or the one on the SuSE system?

If SuSE is correct, then what is the correct way to accomplish this now?

All I could find with a bit of Googling was (1) a bunch of sites with
examples essentially the same as mine, and (2) a complaint from someone
on SuSE 9.1 who is seeing the same thing I'm seeing.

--
--Tim Smith
 
Tim Smith
      03-26-2006, 05:45 PM
In article
<reply_in_group-(E-Mail Removed)>,
Tim Smith <(E-Mail Removed)> wrote:

> On my Redhat 9 system, if I do this (lines wrapped to fit):
>
> iptables -t nat -A PREROUTING -p tcp --sport 0:65535 --dport 81 -j
> REDIRECT --to-port 80
> iptables -t nat -A OUTPUT -p tcp --sport 0:65535 --dport 81 -j
> REDIRECT --to-port 80


OK, I've realized there is no need for the --sport here.

....
> Which is the correct behavior? The one that is on the older Redhat
> system, or the one on the SuSE system?


After more experimenting, I've determined the following:

1. Works on Redhat 9 (iptables 1.2.something)
2. Works on CentOS 4 (iptables 1.2.11)
3. Works on Ubuntu (iptables 1.3.1)
4. Fails on SuSE 9.1 (iptables 1.2.9)
5. Fails on SuSE 9.2 (iptables 1.2.11)
6. Fails on SuSE 10.0 (iptables 1.3.3)

It looks like SuSE is simply broken.

--
--Tim Smith
 
Secure Buddha
      03-27-2006, 06:38 PM
I have tried your example on my system and all seems fine. Here's my
data:

thomas@dharma:~> cat /etc/SuSE-release
SUSE LINUX 10.0 (i586)
VERSION = 10.0


thomas@dharma:~> /usr/sbin/iptables --version
iptables v1.3.3


thomas@dharma:~> sudo /usr/sbin/iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:hosts2-ns redir ports 80

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:hosts2-ns redir ports 80


thomas@dharma:~> telnet localhost 81
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /index.html.en
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Test Page for Apache Installation</title>
</head>
....

So as you can see, my system seems to function as expected. Maybe it
would be best if you forwarded to us a sanitized listing of your rules
and possibly a snippet from your logs.

SB

 
Tim Smith
      03-28-2006, 08:15 AM
In article <(E-Mail Removed) .com>,
"Secure Buddha" <(E-Mail Removed)> wrote:
> So as you can see, my system seems to function as expected. Maybe it
> would be best if you forwarded to us a sanitized listing of your rules
> and possibly a snippet from your logs.


Actually, the rules I posted were all of my rules. I'm starting from a
system with all policies set to accept, and no rules.

Have you rebuilt your kernel? Doing a bit more searching, I found the
problem: CONFIG_IP_NF_NAT_LOCAL.

On my SuSE systems, the kernel that came with them does not have that
enabled. Changing it to CONFIG_IP_NF_NAT_LOCAL=y and rebuilding the
kernel makes it work.

What do you get if you do this?

zcat /proc/config.gz | grep NAT

Is CONFIG_IP_NF_NAT_LOCAL listed?

--
--Tim Smith
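The two checks this thread turns on are whether the kernel was built with CONFIG_IP_NF_NAT_LOCAL and whether the REDIRECT rule is present in both PREROUTING and OUTPUT of the nat table. The script below is an added example, not code from the thread or from SuSE; the function names (classify_nat_local, kernel_config_text, chain_has_redirect, redirect_is_complete) and the embedded sample config and listing text are constructed for it, modelled on the output pasted above. An "absent" result only means the config does not mention the option; the thread itself does not settle what that implies for a given kernel.

```shell
#!/bin/sh
# Added example, not from the thread. Diagnoses the two things discussed above:
# (1) whether a kernel config enables CONFIG_IP_NF_NAT_LOCAL, which the
#     OUTPUT-chain REDIRECT rule relies on for locally generated packets, and
# (2) whether an `iptables -t nat -L -n` listing actually carries the expected
#     REDIRECT rule in both PREROUTING and OUTPUT.
# All helper names and sample texts below are constructed for this example.

# classify_nat_local CONFIG_TEXT: print y, m, unset, or absent for CONFIG_IP_NF_NAT_LOCAL.
classify_nat_local() {
    printf '%s\n' "$1" | awk '
        /^CONFIG_IP_NF_NAT_LOCAL=y$/            { print "y";     found = 1; exit }
        /^CONFIG_IP_NF_NAT_LOCAL=m$/            { print "m";     found = 1; exit }
        /^# CONFIG_IP_NF_NAT_LOCAL is not set$/ { print "unset"; found = 1; exit }
        END { if (!found) print "absent" }'
}

# kernel_config_text: emit the running kernel's config from /proc/config.gz
# (present when the kernel exposes its config there) or from /boot; fail otherwise.
kernel_config_text() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# chain_has_redirect LISTING CHAIN DPORT: succeed when CHAIN in a numeric
# `iptables -t nat -L -n` listing holds a REDIRECT rule matching tcp dpt:DPORT.
chain_has_redirect() {
    printf '%s\n' "$1" | awk -v chain="$2" -v dport="$3" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $1 == "REDIRECT" && $0 ~ ("dpt:" dport "( |$)") { hit = 1 }
        END { exit !hit }'
}

# redirect_is_complete LISTING DPORT: both chains must carry the rule, because
# PREROUTING only sees packets arriving from other hosts while OUTPUT sees
# packets originating on this host (the case that failed in the thread).
redirect_is_complete() {
    chain_has_redirect "$1" PREROUTING "$2" && chain_has_redirect "$1" OUTPUT "$2"
}

# Constructed sample data (modelled on the output pasted in the thread).
SAMPLE_CONFIG_ABSENT='CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_NAT_FTP=m
CONFIG_NATSEMI=m'

SAMPLE_CONFIG_Y="$SAMPLE_CONFIG_ABSENT
CONFIG_IP_NF_NAT_LOCAL=y"

SAMPLE_CONFIG_UNSET="$SAMPLE_CONFIG_ABSENT
# CONFIG_IP_NF_NAT_LOCAL is not set"

SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:81 redir ports 80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:81 redir ports 80'

# Listing with only the PREROUTING rule: connections from other hosts are
# redirected, but a local "telnet 1.2.3.4 81" leaves the box untouched.
SAMPLE_LISTING_PARTIAL='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:81 redir ports 80

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Report on the sample data, then on the live kernel when its config is readable.
echo "sample config (absent): $(classify_nat_local "$SAMPLE_CONFIG_ABSENT")"
echo "sample config (y):      $(classify_nat_local "$SAMPLE_CONFIG_Y")"
if redirect_is_complete "$SAMPLE_LISTING" 81; then
    echo "sample listing: REDIRECT present in PREROUTING and OUTPUT"
fi
if redirect_is_complete "$SAMPLE_LISTING_PARTIAL" 81; then
    echo "partial listing: complete (unexpected)"
else
    echo "partial listing: OUTPUT rule missing, local connections will not be redirected"
fi
if cfg=$(kernel_config_text 2>/dev/null); then
    echo "running kernel CONFIG_IP_NF_NAT_LOCAL: $(classify_nat_local "$cfg")"
else
    echo "running kernel: config not readable (no /proc/config.gz or /boot/config-$(uname -r))"
fi
```

On a real host, feed `iptables -t nat -L -n` into redirect_is_complete to confirm both chains carry the rule before blaming the kernel; if they do and local connections still bypass it, classify_nat_local on the kernel config is the next thing to look at.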
 
Secure Buddha
      03-28-2006, 09:09 AM
Here's my stdout:

thomas@dharma:~> zcat /proc/config.gz | grep NAT
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_BRIDGE_EBT_T_NAT=m
CONFIG_BRIDGE_EBT_DNAT=m
CONFIG_BRIDGE_EBT_SNAT=m
# CONFIG_ECONET_NATIVE is not set
CONFIG_NATSEMI=m

Oddly enough my kernel config does not show the kernel option you
stated. So is everything fine with your traffic redirection now? My
system is left at the defaults to accommodate a support agreement. Here's my release
info:

thomas@dharma:~> uname -a
Linux dharma 2.6.13-15.8-default #1 Tue Feb 7 11:07:24 UTC 2006 i686 athlon i386 GNU/Linux

 
Grant
      03-28-2006, 09:45 AM
On Tue, 28 Mar 2006 08:15:57 GMT, Tim Smith <(E-Mail Removed)> wrote:

>Actually, the rules I posted were all of my rules. I'm starting from a
>system with all policies set to accept, and no rules.


Foolish, one starts with INPUT & FORWARD policy DROP and allows certain
traffic, anything else and you'll be 0wned before you get it right, no?

> zcat /proc/config.gz | grep NAT


Of course this does sweet FA for those with 2.4 kernels or those who
didn't select the config.gz option... Doh!

Grant.
--
Memory fault -- brain fried
 
Tim Smith
      03-29-2006, 06:24 AM
In article <(E-Mail Removed)>,
Grant <(E-Mail Removed)> wrote:
> >Actually, the rules I posted were all of my rules. I'm starting from a
> >system with all policies set to accept, and no rules.

>
> Foolish, one starts with INPUT & FORWARD policy DROP and allows certain
> traffic, anything else and you'll be 0wned before you get it right, no?


Getting to that machine from the internet would require getting past a
NAT router, a firewall, a couple more firewalls, and I think one more
NAT router. I can live with the risk. :-)

It's a system in a test lab. INPUT is open so that anyone testing any
kind of server on it can reach it from their clients. It's the OUTPUT
that I need to close off, so that test software can't accidentally reach,
say, production databases.


> > zcat /proc/config.gz | grep NAT

>
> Of course this does sweet FA for those with 2.4 kernels or those who
> didn't select the config.gz option... Doh!


The person I was responding to has SuSE 10, which has a 2.6 kernel and
is compiled with that option.


--
--Tim Smith
 
Tim Smith
      03-29-2006, 06:59 AM
In article <(E-Mail Removed) .com>,
"Secure Buddha" <(E-Mail Removed)> wrote:
> Oddly enough my kernel config does not show the kernel option you
> stated. So is everything fine with your traffic redirection now? My
> system is left at the defaults to accommodate a support agreement. Here's my release
> info:
>
> thomas@dharma:~> uname -a
> Linux dharma 2.6.13-15.8-default #1 Tue Feb 7 11:07:24 UTC 2006 i686 athlon i386 GNU/Linux


Same kernel I've got on my SuSE 10 system. Redirection does not work
until I recompile, adding the CONFIG_IP_NF_NAT_LOCAL option.

Google for CONFIG_IP_NF_NAT_LOCAL and you'll find others have seen the
same thing. I have no idea why it works on yours. Something is very
weird here!


--
--Tim Smith
 