Hello,
On Tue, 5 Jun 2001, Roberto Nibali wrote:
> Hi Julian,
>
> > This is handled from the protocol, TCP in this case:
> >
> > grep redirport net/ipv4/*.c
>
> :) as always
>
> > The higher layer (telnet in this case) can obtain the two dest
> > addr/ports by using getsockname(). In 2.4 this is handled additionally
> > by using getsockopt(...SO_ORIGINAL_DST...)
>
> Neat option!
>
> > The netfilter mailing list contains examples on this issue.
> > You can search for "getsockname":
> >
> > http://marc.theaimsgroup.com/?l=netfilter&r=1&w=2
>
> Thanks for the pointer. Problem: Under 2.2.x and ipchains you cannot
> redirect to a local listener unless it listens to INADDR_ANY. This is
> a pain in the ass! Under 2.4.x this is possible. How would I need to
> modify the source (I reckon it's ip_local_deliver() again) in the 2.2.x
> kernel to be able to do a redirection to a local listener (e.g. 127.0.0.1)?
What about using socket option SO_BINDTODEVICE, again with
INADDR_ANY? I have never tried it but maybe it can help. I assume
you need to bind to the internal device where the -j REDIRECT is placed too.
I assume this server port will not be accessible through other devices?
References:
net/core/sock.c: sock_setsockopt()
net/ipv4/# grep bound_dev_if *.c|less
man 4 socket
> I need this for the SuSE ftp-proxy which needs a -j REDIRECT rule but
> has to listen on INADDR_ANY. This is a nasty security issue because then
> you have to protect the daemon.
>
> Best regards,
> Roberto Nibali, ratz
>
> --
> mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`
Regards
--
Julian Anastasov <ja@xxxxxx>
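An added example, not code from the thread or from either author, of the setup discussed above: a daemon that must listen on INADDR_ANY for -j REDIRECT'd connections, pinned to a single interface with SO_BINDTODEVICE so it is not reachable through other devices, and reading the client's original destination with getsockname() on the accepted socket. The port 8021 and the interface name passed as argv[1] are assumptions; SO_BINDTODEVICE needs root.

```c
/* Added example (not from the thread): listener for connections an ipchains
 * -j REDIRECT rule sends here. Binds INADDR_ANY as 2.2.x requires, but pins
 * the socket to one interface via SO_BINDTODEVICE (needs CAP_NET_RAW; NULL
 * skips it) so the daemon is not reachable through other devices. Port 8021
 * is an assumption. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Render "a.b.c.d:port" into buf; returns buf. */
const char *format_endpoint(const struct sockaddr_in *sa, char *buf, size_t len) {
    char ip[INET_ADDRSTRLEN];
    inet_ntop(AF_INET, &sa->sin_addr, ip, sizeof ip);
    snprintf(buf, len, "%s:%u", ip, (unsigned)ntohs(sa->sin_port));
    return buf;
}
/* Listening TCP socket on INADDR_ANY:port, optionally tied to ifname; -1 on error. */
int make_bound_listener(unsigned short port, const char *ifname) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    if (fd < 0) return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
#ifdef SO_BINDTODEVICE
    if (ifname && setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname) + 1) < 0) {
        close(fd); return -1;   /* typically EPERM without CAP_NET_RAW */
    }
#endif
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd); return -1;
    }
    return fd;
}
/* Original destination of a redirected connection: on 2.2.x the kernel reports it
 * via getsockname() on the accepted socket (2.4 additionally offers SO_ORIGINAL_DST). */
int original_dst(int conn_fd, struct sockaddr_in *out) {
    socklen_t len = sizeof *out;
    return getsockname(conn_fd, (struct sockaddr *)out, &len);
}
int main(int argc, char **argv) {
    int lfd = make_bound_listener(8021, argc > 1 ? argv[1] : NULL);   /* argv[1]: e.g. "eth1" */
    if (lfd < 0) { perror("listener"); return 1; }
    struct sockaddr_in dst; char buf[64];
    int c = accept(lfd, NULL, NULL);
    if (c >= 0 && original_dst(c, &dst) == 0)
        printf("client originally wanted %s\n", format_endpoint(&dst, buf, sizeof buf));
    return 0;
}
```

Without the REDIRECT rule in front of it, getsockname() simply reports the local address the connection arrived on, which is a handy way to confirm the redirect is actually in effect.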