Home / server / Questions / 351816
In Process
cdauth
Asked: 2012-01-21 01:49:45 +0800 CST

DNAT to 127.0.0.1 with iptables / Destination access control for transparent SOCKS proxy

  • 772

I have a server running on my local network that acts as a router for the computers in my network. I want to achieve now that outgoing TCP requests to certain IP addresses are tunnelled through an SSH connection, without giving the people from my network the possibility to use that SSH tunnel to connect to arbitrary hosts.

The approach I had in mind until now was to have an instance of redsocks listening on localhost and to redirect all outgoing requests to the IP addresses I want to divert to that redsocks instance. I added the following iptables rule:

iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 -j DNAT --to-destination 127.0.0.1:12345

Apparently, the Linux kernel considers packets coming from a non-127.0.0.0/8 address to an 127.0.0.0/8 address as “Martian packets” and drops them. What worked, though, was to have redsocks listen on eth0 instead of lo and then have iptables DNAT the packets to the eth0 address instead (or using a REDIRECT rule). The problem about this is that then every computer on my network can use the redsocks instance to connect to every host on the internet, but I want to limit its usage to a certain set of IP addresses only.

Is there any way to make iptables DNAT packets to 127.0.0.1? Otherwise, does anyone have an idea how I could achieve my goal without opening up the tunnel to everyone?

Update: I have also tried to change the source of the packets, without any success:

iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 1.2.3.4 -j SNAT --to-source 127.0.0.1
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 127.0.0.1 -j SNAT --to-source 127.0.0.1
linux iptables

3 Answers

  1. You cannot do this trick with 127/8 network as it is treaded specially inside linux kernel. But you can create dummy network interface, assign ip address to it, bind your service to this address and do NAT.

    root@vm8583:~# ip link add bogus type dummy
root@vm8583:~# sysctl net.ipv4.conf.eth0.arp_ignore=3
root@vm8583:~# ip addr add 10.0.0.1/32 bogus scope host
root@vm8583:~# ip link set bogus up
root@vm8583:~# ip link show bogus
4: bogus: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT 
    link/ether 5e:8b:38:f3:46:ce brd ff:ff:ff:ff:ff:ff

    Note, you may need to set net.ipv4.conf.eth0.arp_ignore=3 so your server won't answer to ARP requests for 10.0.0.1 incoming via eth0:

    arp_ignore - INTEGER
    Define different modes for sending replies in response to
    received ARP requests that resolve local target IP addresses:
. . .
    3 - do not reply for local addresses configured with scope host,
    only resolutions for global and link addresses are replied
    4-7 - reserved
    • 5

  2. I found the solution to my dnat to 127.0.0.1(loopback) failing, got the answer on the netfilter irc channel.

    There is a sysctl setting allowing dnat to loopback. To allow it

    sysctl -w net.ipv4.conf.eth0.route_localnet=1

    and to check the setting

    cat /proc/sys/net/ipv4/conf/eth0/route_localnet
    • 3

  3. You could try disabling reverse path filtering instead (which AFAICT is what is meant by the term "martian"). You can do this with echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter as root. (You may be able to only disable it on the lo interface, but I would try disabling it completely at first.)

    • 0