
I just got a VPS with an IPv4 address as well as a bunch of IPv6 addresses configured and I'm new to routing in Ubuntu/Linux. I would like to route requests with a specific IPv6 and port (i.e. port 80) as destination to a specific port on that address (i.e: port 8000).

In pseudo-code, what I want is the following:

```
if($DESTINATION_IP == [specific IPv6-address]:80)
    route to port: 8000
```

When an application is listening on [specific IPv6-address]:8000, it will receive the requests sent to [specific IP-address]:80. But when I use [another IPv6-address]:80, it will not route to that port.

It seems pretty simple and I think I would have to use ip6tables for the job, but I don't know how to achieve this.

Many thanks.

Stefan Lasiewski
arothuis
  • Could you not just set the service to listen on port 80 for the specific address in the first place? – norrland Oct 15 '13 at 12:58
  • 1
    Thanks. That is one option I considered. But as I understand it, a service listening to ports < 1024 needs root/su access. Port 80 is just an example (the port most webservices use). I want to be able to route to another port when someone reaches my VPS with a specific IPv6-address as a destination, without having to grant root access to the service. – arothuis Oct 15 '13 at 13:29
  • 1
    It is probably easier to listen on port 80 or another port and route/proxy with that application (i.e. by using a webserver). Although it's not quite the solution to the problem described here, it is the solution to the underlying problem. – arothuis Oct 16 '13 at 10:32
  • While it may be easier to install a new application to function as a proxy, it's not necessarily simpler as it adds complexity to the software stack. Adding Apache + mod_proxy to replace a basic functionality of iptables seems rather clunky. – Stefan Lasiewski Oct 23 '14 at 17:16

1 Answer


You cannot forward ports with ip6tables, as the relevant netfilter targets are IPv4-only (due to their relation to NAT, which IPv6 gets rid of).

The best solution, of course, is to have the application listen on the correct address and port to begin with, and then drop privileges.

If you really need to do this, because you have a poorly written application that can't listen on ports below 1024, set up xinetd to do the port forwarding. For instance (this is untested):

```
# UNLISTED: the service is not in /etc/services, so port and protocol are given here.
# bind restricts the listener to one address; other IPv6 addresses are unaffected.
# redirect hands every accepted connection to the application on [::1]:8000.
service dumb-app
{
    flags       = IPv6
    type        = UNLISTED
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    bind        = 2001:db8::f04d
    port        = 80
    redirect    = ::1 8000
}
```
Michael Hampton
  • I went with the 'best solution' after all. In my case it proved to be way easier to indeed use nginx (or another webservice meant for this) to listen on port 80 (or another port) and proxy to another port, based on the hostname or path. I did not try your xinetd solution, but it might be useful for future reference. I will edit the example port 1000 in my question, because you use a different example and port 1000 is <1024. – arothuis Oct 16 '13 at 10:29
  • @StefanLasiewski Exactly, IPv4 is not involved. What are you trying to say? – Michael Hampton Oct 23 '14 at 16:20
  • How would one do this with ip6tables only? Can `ip6tables` direct `[specific IPv6-address]:443` to either `[specific IPv6-address]:8443` or to the localhost/loopback address `[::1]:8443`? `iptables` did this [using the NAT table](https://stackoverflow.com/questions/24736543/tomcat-7-automatically-redirect-https-requests-to-port-8443), but NAT isn't supported in the CentOS5 version of netfilter. – Stefan Lasiewski Oct 23 '14 at 16:40
  • (Side note: I read that [Kernel >= 3.9.0 & ip6tables version 1.4.18 provides NAT again](http://mirrors.bieringer.de/Linux+IPv6-HOWTO/nat-netfilter6..html)) – Stefan Lasiewski Oct 23 '14 at 16:40
  • @StefanLasiewski That's what I said! – Michael Hampton Oct 23 '14 at 16:41
  • As I read your question, you are saying that ip6tables cannot forward to an IPv4 target. That makes sense, since we're talking about *ip6*tables. I simply want to use ip6tables to direct one port to a different port. I inherited this software, I need to enable it for IPv6 with as few changes as possible, and I'd like to avoid using yet-another-piece-of-software like xinetd or an Apache proxy. – Stefan Lasiewski Oct 23 '14 at 16:49
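The xinetd stanza in the answer does two things: it binds one address and port, and it relays each accepted connection to the unprivileged application. The following is an added example, not code from the page or from xinetd, that does the same job in plain Python so the pieces are visible: `serve_redirect` binds exactly one address (root only for the bind, then `drop_to` gives up root), `_handle`/`_pipe` relay bytes both ways, and `demo` (a constructed backend stub plus one round trip on ephemeral loopback ports, so it runs unprivileged) shows a request reaching the backend through the redirect.

```python
import asyncio
import contextlib
import os
import socket
async def _pipe(reader, writer):
    # Copy one direction; on EOF half-close the peer so in-flight bytes survive.
    with contextlib.suppress(OSError):  # a reset from either side ends this direction
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
        if writer.can_write_eof():
            writer.write_eof()

async def _handle(client_r, client_w, target):
    try:
        up_r, up_w = await asyncio.open_connection(*target)
        await asyncio.gather(_pipe(client_r, up_w), _pipe(up_r, client_w))
        up_w.close()
    except OSError:
        pass  # backend unreachable: the client just sees a closed connection
    client_w.close()

async def serve_redirect(bind, port, target, drop_to=None):
    # Listen on exactly one address/port (xinetd's bind/port) and relay each connection
    # to target (its redirect). Once bound, root is no longer needed: drop to (uid, gid).
    server = await asyncio.start_server(lambda r, w: _handle(r, w, target), bind, port)
    if drop_to and os.geteuid() == 0:
        os.setgid(drop_to[1])
        os.setuid(drop_to[0])
    return server

async def _demo():
    try:  # [::1] as on the page; fall back to 127.0.0.1 where IPv6 is disabled on lo
        socket.create_server(("::1", 0), family=socket.AF_INET6).close()
        host = "::1"
    except OSError:
        host = "127.0.0.1"
    async def app(r, w):  # constructed stand-in for the unprivileged app on port 8000
        w.write((await r.read(1024)).upper())
        w.close()
    backend = await asyncio.start_server(app, host, 0)
    front = await serve_redirect(host, 0, backend.sockets[0].getsockname()[:2])
    r, w = await asyncio.open_connection(host, front.sockets[0].getsockname()[1])
    w.write(b"hello via redirect")
    w.write_eof()
    reply = await r.read()
    for s in (w, front, backend):
        s.close()
    return reply
def demo():
    return asyncio.run(_demo())
```

To use it for the question's case you would run it as root with `serve_redirect("2001:db8::f04d", 80, ("::1", 8000), drop_to=(uid, gid))` and keep the application itself unprivileged on port 8000.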