  • SO_ORIGINAL_DST, good news

    Posted: 2007-05-26  Source:  Author:  Views:  Tags:

    hellwolf|misty Hi everyone, who can tell me exactly what implicit source local NAT is?
    jengelh well
    jengelh at least it's taken out
    jengelh -t nat -A OUTPUT -j DNAT --to-dest (non-127.0.0.1)
    jengelh that would require modifying the source address _within_ DNAT, that's "implicit source local nat"
    jengelh and it's been taken out in 2.6.12
    jengelh but I think there is a workaround to get it back
    hellwolf|misty And when I do so, I will get a kernel message: NAT: packet src %u.%u.%u.%u -> dst %u.%u.%u.%u\n, and I never understand what it means...
    jengelh Yeah that's it
    jengelh though
    hellwolf|misty yeah thanks. And another question: # iptables -t nat  -I OUTPUT -d 1.2.3.4 -j DNAT --to 127.0.0.1. # nc -vvv -l  8888 &
    hellwolf|misty [1] 2038
    hellwolf|misty # nc 1.2.3.4 8888&
    hellwolf|misty [2] 2039, I will get tcp        0      0 127.0.0.1:8888              222.185.xx.xx:1025. the port 1025 looks so strange
    jengelh the message is
    jengelh                 printk("NAT: no longer support implicit source local NAT\n");
    jengelh                 printk("NAT: packet src %u.%u.%u.%u -> dst %u.%u.%u.%u\n",
    jengelh hm DNAT to 127.0.0.1 should work though
    jengelh and in fact, works for me
    jengelh well, if -s 127.0.0.1 and -d 127.0.0.1
    jengelh --
    jengelh NAT: no longer support implicit source local NAT
    jengelh NAT: packet src 127.0.0.1 -> dst 192.168.222.34
    jengelh iptables -t nat -A OUTPUT -d wideland -p tcp --dport 23 -j DNAT --to-dest 127.0.0.1:22
    jengelh But I still get my openssh banner upon telnet wideland 23
    jengelh What does not work is iptables -t nat -A OUTPUT -p tcp --dport 23 -j DNAT --to-dest 192.168.222.34:139 (no message either)
    hellwolf|misty Now I have an application that listens on port 8888, and I REDIRECT all local connections to this port. I want this application to know where they want to go
    hellwolf|misty I try to collect that information from /proc/net/ip_conntrack
    jengelh What?
    jengelh Please state your redirect wish
    hellwolf|misty Sorry for my broken English. --;;
    jengelh it's fine
    hellwolf|misty I have application A that listens on port 8888, and -I OUTPUT -j REDIRECT --to-ports 8888. And now I want A to know where the connection really wants to go (if not REDIRECTED)
    jengelh where it came from?
    hellwolf|misty local
    hellwolf|misty local output
    jengelh yes, yes -t nat -I OUTPUT always comes from 127.0.0.1...
    jengelh -j REDIRECT => always dst=127.0.0.1
    hellwolf|misty well, for instance: nc www.google.com 80, it REDIRECTs to localhost:8888, and A captures this connection, and how can A know I want to go to google?
    jengelh it can't
    Hidden of course it _can_
    hellwolf|misty But I feel that in /proc/net/ip_conntrack, there's enough information
    hellwolf|misty Hidden: How to?
    Hidden although only for TCP connections at the moment
    hellwolf|misty Hidden: sounds great
    Hidden using the SO_ORIGINAL_DST socket option and getsockopt()
    jengelh Yeah and by expecting the layer7 data
    jengelh heh
    jengelh Host: header
    jengelh dammit, 8888 and 80 sounds like you want transparent proxying, try tproxy :D
    hellwolf|misty THANKS all...!!
    Hidden yes, but that works only for HTTP
    jengelh Hidden : That's all squid needs.
    hellwolf|misty only for HTTP?
    Hidden you probably don't need tproxy if you don't care about transparency
    Hidden hellwolf|misty: I meant the 'Host:' header jengelh has mentioned
    jengelh I really need to write a new transparent proxying howto (with all new stuff invented in 2005)
    Hidden hellwolf|misty: the getsockopt() way works for all TCP connections
    hellwolf|misty well, I even wrote a kmodule to do so. SO_ORIGINAL_DST..new to me

    Original article reposted from: http://www.kjueaiud.com
