ip6tables redirect

ip6tables redirect

[Fred Zwarts]

[-- Attachment #1: Type: text/plain, Size: 1286 bytes --]

We are moving from an IPv4 only environment to a mixed IPv4/IPv6 environment.
As a part of this exercise, we also need to transform our iptables settings to settings for ip6tables.
This seems to work, apart for one item, which is a redirection of a tcp port of one of our servers to another port on the same server.
On this server, we use for iptables a REDIRECT for the nat table.
This does not work for ip6tables. It complains that it does not know the option --to-port.
My question is how to do such a port redirect with ip6tables.

When I searched the archives of this mailing list, I found that this question pops up about once every two years, 
but a real answer I could not find. The contribution that comes the closest to an answer is from 5 years ago:
http://marc.info/?l=netfilter&m=111219622601073&w=2
I fully agree with what is said there about NAT.
But I wonder whether the discussions, mentioned there, are still continuing, or that it resulted in some decision
and whether something has been implemented in these five years.
(Is there someone with inside information from the core team?)
If nothing has been implemented yet, are there plans to do so in the near future, 
or are there any recommendations for alternative solutions?

Regards,
Fred.Zwarts.

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Fred Zwarts.vcf --]
[-- Type: text/x-vcard; name="Fred Zwarts.vcf", Size: 668 bytes --]

BEGIN:VCARD
VERSION:2.1
N:Zwarts;Fred;;Dr
FN:Fred Zwarts
ORG:KVI;IT
TITLE:Software system developer
TEL;WORK;VOICE:+31 (0)50 363 3619
TEL;HOME;VOICE:+31 (0)50 302 3635
TEL;WORK;FAX:+31 (0)50 363 4003
ADR;WORK:;;Zernikelaan 25;Groningen;Groningen;9747 AA;The Netherlands
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:Zernikelaan 25=0D=0AGroningen, Groningen 9747 AA=0D=0AThe Netherlands
ADR;HOME:;;Meeuwstraat 6;Ten Boer;Groningen;9791 GE;The Netherlands
LABEL;HOME;ENCODING=QUOTED-PRINTABLE:Meeuwstraat 6=0D=0ATen Boer, Groningen 9791 GE=0D=0AThe Netherlands
EMAIL;PREF;INTERNET:F.Zwarts@KVI.nl
EMAIL;INTERNET:F.Zwarts@HetNet.nl
REV:20101202T121534Z
END:VCARD

Re: ip6tables redirect

[Jan Engelhardt]

On Thursday 2010-12-02 13:15, Fred Zwarts wrote:

>We are moving from an IPv4 only environment to a mixed IPv4/IPv6 environment.
>On this server, we use for iptables a REDIRECT for the nat table.
>This does not work for ip6tables. It complains that it does not know the option --to-port.
>My question is how to do such a port redirect with ip6tables.

Using -j TPROXY and appropriate local routing, I would say.

Re: ip6tables redirect

[Fred Zwarts]

"Jan Engelhardt" jengelh@medozas.de wrote:
>> On Thursday 2010-12-02 13:15, Fred Zwarts wrote:
>> 
>>> We are moving from an IPv4 only environment to a mixed IPv4/IPv6
>>> environment. 
>>> On this server, we use for iptables a REDIRECT for the nat table.
>>> This does not work for ip6tables. It complains that it does not know
>>> the option --to-port. My question is how to do such a port redirect
>>> with ip6tables. 
>> 
>> Using -j TPROXY and appropriate local routing, I would say.

Thanks for the suggestion, but I cannot find documentation fro TPROXY,
nor for the local routing.

The IPV4 definition is as follows:

iptables -A PREROUTING -t nat -p tcp --dport 8080 -j REDIRECT --to-port 587

For ip6tables I tried:

ip6tables -A PREROUTING -t mangle -p tcp --dport 8080 -j TPROXY --on-port 587

and

ip6tables -A PREROUTING -t mangle -p tcp --dport 8080 -j TPROXY --to-port 587

But then it complains again that it does not know option --to-port or --on-port.
So, how should I specify the port to which the packet should be redirected?

Re: ip6tables redirect

[Jan Engelhardt]

On Thursday 2010-12-02 15:55, Fred Zwarts wrote:
>
>Thanks for the suggestion, but I cannot find documentation fro TPROXY,
>nor for the local routing.

>ip6tables -A PREROUTING -t mangle -p tcp --dport 8080 -j TPROXY --to-port 587
>
>But then it complains again that it does not know option --to-port or --on-port.

Hm this seems to be an unspotted omission (bluntly, a bug) in
the userspace tool. I'll get to that ASAP.

Re: ip6tables redirect

[Puneet Mohan]

Hello Fred.Zwarts,

I am also stuck at the same point, 
have to do redirect
for ip6tables to some other local port. 
Did u get any
work around for the problem.

Regards,
Puneet.Mohan

Re: ip6tables redirect

[Jan Engelhardt]

On Thursday 2010-12-02 21:01, Jan Engelhardt wrote:

>
>On Thursday 2010-12-02 15:55, Fred Zwarts wrote:
>>
>>Thanks for the suggestion, but I cannot find documentation fro TPROXY,
>>nor for the local routing.
>
>>ip6tables -A PREROUTING -t mangle -p tcp --dport 8080 -j TPROXY --to-port 587
>>
>>But then it complains again that it does not know option --to-port or --on-port.
>
>Hm this seems to be an unspotted omission (bluntly, a bug) in
>the userspace tool. I'll get to that ASAP.

Since updates seem to be delayed, for the time being, it is in 
git://dev.medozas.de/iptables since Dec 3.

Re: ip6tables redirect

[Puneet Mohan]

Jan Engelhardt <jengelh <at> medozas.de> writes:

> >>Thanks for the suggestion, but I cannot find documentation fro TPROXY,
> >>nor for the local routing.
> >
>
Hello Mr. Jan Engelhardt,
Thanks for pointing out the version. But even those rules are not getting
applied correctly. Pls point me if I am wrong. I took "Merge commit 'v1.4.10'"
from "http://dev.medozas.de/gitweb.cgi?p=iptables;a=summary"

REAL PROBLEM
>ip6tables -t mangle -A PREROUTING  -j ACCEPT
       	This rule worked perfectly fine.

>ip6tables -t mangle -A PREROUTING  -j TPROXY
       	ip6tables v1.4.10: TPROXY target: Parameter --on-port is required

>ip6tables -t mangle -A PREROUTING  -p tcp  -j TPROXY  --on-port 3128
   	iptables: No chain/target/match by that name

Can you see what exactly the problem is because in the last rule I suppose
chain/target given is correct else the first rule wouldn’t have worked.

Regards,
Puneet.Mohan

Re: ip6tables redirect

[Jan Engelhardt]

On Thursday 2010-12-16 10:45, Puneet Mohan wrote:
>Jan Engelhardt <jengelh <at> medozas.de> writes:
>
>> >>Thanks for the suggestion, but I cannot find documentation fro TPROXY,
>> >>nor for the local routing.
>> >
>>
>Hello Mr. Jan Engelhardt,
>Thanks for pointing out the version. But even those rules are not getting
>applied correctly. Pls point me if I am wrong. I took "Merge commit 'v1.4.10'"
>from "http://dev.medozas.de/gitweb.cgi?p=iptables;a=summary"
>
>REAL PROBLEM
>>ip6tables -t mangle -A PREROUTING  -j ACCEPT
>       	This rule worked perfectly fine.
>
>>ip6tables -t mangle -A PREROUTING  -j TPROXY
>       	ip6tables v1.4.10: TPROXY target: Parameter --on-port is required
>
>>ip6tables -t mangle -A PREROUTING  -p tcp  -j TPROXY  --on-port 3128
>   	iptables: No chain/target/match by that name
>
>Can you see what exactly the problem is because in the last rule I suppose
>chain/target given is correct else the first rule wouldn’t have worked.

It seems your kernel does not have TPROXY v6 support.