
I have Ubuntu 12.04 on a multi-homed host. I am trying to use iptables to reroute HTTP packets coming in to a certain IP address to another IP address.

From Googling, I believe it is necessary on multi-homed hosts to use CONNMARK to mark incoming connections, so that the related outgoing packets can be matched.

However, when I try to use the phrase '-j CONNMARK' I am told there is no such chain.

How can I use '-j CONNMARK' on Ubuntu 12.04?

bluedog

2 Answers

2

You have to load the connmark kernel module:

sudo modprobe ipt_connmark

Check that the module is loaded:

lsmod | grep connmark
krisFR
  • I tried that modprobe command and got `WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/. FATAL: Module ipt_connmark not found.` So I installed ipt_connmark which worked. However, the modprobe command still yields the same response. – bluedog Jan 09 '14 at 21:51
  • What is your Kernel version `uname -r` ? – krisFR Jan 09 '14 at 21:55
  • 2.6.32-042stab084.12 – bluedog Jan 09 '14 at 21:59
  • Seems old for `Ubuntu 12.04` !! I have `3.5.0-23-generic` on my Ubuntu 12.04. What is the result for `grep -i connmark /boot/config-2.6.32-042stab084.12` ? – krisFR Jan 09 '14 at 22:05
  • This machine is an image on a micro VM. The welcome message is `Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 2.6.32-042stab084.12 x86_64)`. So perhaps it's a very cut-down version? The /boot folder is empty, so your grep doesn't return anything. – bluedog Jan 09 '14 at 22:11
  • I think your Kernel does not support connmark. Try `find / -name "*2.6.32-042stab084.12*"`. If found, retry `grep` command above to find connmark... – krisFR Jan 09 '14 at 22:23
  • OK, so `grep -i connmark /lib/modules/2.6.32-042stab084.12` returns nothing. Perhaps I should try another image for my VM. And thanks for your help so far! – bluedog Jan 09 '14 at 22:27
  • You should install the official Ubuntu LTS image, from here http://www.ubuntu.com/download/desktop (for Desktop) or here http://www.ubuntu.com/download/server (for Server)... Sorry, I cannot help much more in this case... will delete my answer because it is not relevant in your case... – krisFR Jan 09 '14 at 22:34
  • Your answer plus these comments might help someone. – bluedog Jan 09 '14 at 22:57
0

Simply rerouting traffic does not need CONNMARK; rather, do it with a pair of DNAT/SNAT rules, e.g.:

iptables -t nat -A PREROUTING -d 1.2.3.4 -j DNAT --to-destination 5.6.7.8
iptables -t nat -A POSTROUTING -d 5.6.7.8 -j SNAT --to-source 5.6.7.9

where

  • 1.2.3.4 is the IP address to which people connect
  • 5.6.7.8 is the actual target
  • 5.6.7.9 is the IP of the interface via which the target is reached
pepoluan
  • I have tried this but it doesn't seem to work. `iptables -t nat -A PREROUTING -d $IN1 --dport 22 -j DNAT --to $telnt iptables -t nat -A POSTROUTING -s $telnt -j SNAT --to $IN1` – bluedog Jan 27 '14 at 20:18
  • 1) the POSTROUTING rule I give you uses `-d` not `-s`. 2) have you enabled ip4_forwarding? – pepoluan Jan 28 '14 at 14:43
  • 2) Yes, forwarding enabled. 1) My test uses telnet but in reality the routes will be for SSL. My understanding is that the packets returning to the original host must appear to come from where they are expected to come from or SSL will complain. – bluedog Jan 28 '14 at 21:31
  • I should also say that the routes work on my machine with a single ethernet card. They don't work on the multi-ethernet machine. That's why I started to think some marks might be needed. Confused. This is a hard topic to Google. – bluedog Jan 28 '14 at 21:38
  • Well, the 'reverse mapping' will be automagically performed by netfilter. The rules I gave you replace the original Source/Dest address pair with a totally new Source/Dest address pair. The traffic will look like it's coming from the Linux gateway. The target server will reply to the Linux gateway instead of the original source, upon which netfilter will perform 'reverse NAT' twice to restore the original Source/Dest pair. SSL will not complain about IP address; it will complain if the URL does not match the Certificate's name, regardless of the IP Address. – pepoluan Jan 29 '14 at 08:07
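As an added example (not code from the thread or from either answerer), a POSIX sh helper using the hypothetical names `forward_port`, `is_ipv4`, `run_rule` and `forwarding_enabled` that emits the DNAT/SNAT pair from this answer for one TCP port, with the `-p tcp` that `--dport` requires and matching FORWARD rules limited to that flow; `PRINT_ONLY=1` prints the commands instead of running them, so it can be checked without root.

```shell
# Constructed helper for a dual-homed Linux gateway; all names are assumptions.
# Usage: forward_port PUBLIC_IP PORT TARGET_IP EGRESS_IP   (PRINT_ONLY=1 to dry-run)

is_ipv4() {
    # Accept only a dotted quad with every octet in 0-255.
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. ; set -- $1 ; unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

run_rule() {
    # Print the rule in dry-run mode, otherwise execute it (needs root).
    if [ "${PRINT_ONLY:-0}" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

forwarding_enabled() {
    # pepoluan's second question: DNAT to another host needs ip_forward=1.
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

forward_port() {
    public_ip=$1 port=$2 target_ip=$3 egress_ip=$4
    is_ipv4 "$public_ip" && is_ipv4 "$target_ip" && is_ipv4 "$egress_ip" || return 2
    case "$port" in ''|*[!0-9]*) return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2
    # --dport is only valid after -p tcp (or udp); iptables rejects it otherwise.
    run_rule "iptables -t nat -A PREROUTING -p tcp -d $public_ip --dport $port -j DNAT --to-destination $target_ip"
    # Match the rewritten destination with -d, not -s; conntrack un-NATs replies.
    run_rule "iptables -t nat -A POSTROUTING -p tcp -d $target_ip --dport $port -j SNAT --to-source $egress_ip"
    # Least privilege in FORWARD: only this flow and established replies pass.
    run_rule "iptables -A FORWARD -p tcp -d $target_ip --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    run_rule "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}
```

Because the SNAT rule rewrites the source, the target host's logs show the gateway's egress address rather than the client; keep the gateway's own logging if client attribution matters.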