On Thu, Jan 04, 2007 at 10:57:44AM -0500, Jim Sandoz wrote:
> 
> Gary Mills wrote:
> >I'm using ipfilter 4.1.13 on a Solaris 9 machine that has only one
> >ethernet interface. I'd like to intercept TCP packets arriving on
> >that interface for a specific port and redirect them to another
> >machine on the same network. I only want to alter the destination
> >IP address, leaving the source IP address intact so that client
> >logging will work correctly. I've tested a few ipfilter rules that
> >I expected to work, but none of them did:
> >
> > rdr hme0 0.0.0.0/0 port 23 -> xxx.yyy.16.57 port 23
> > block in quick on hme0 to hme0:xxx.yyy.16.57 proto tcp from any to
> > any port = 23
> > block in quick on hme0 dup-to hme0:xxx.yyy.16.57 proto tcp from any
> > to any port = 23
> 
> http://www.phildev.net/ipf/IPFprob.html#prob8
> 
> >I've since read that this is impossible, because the kernel can't route
> >a packet back to the interface on which it just arrived.
> 
> if the kernel can't or doesn't want to do it, get a userland
> program to do it.
> e.g.
> http://marc.theaimsgroup.com/?l=ipfilter&w=2&r=1&s=bounce&q=b
> leads to
> http://marc.theaimsgroup.com/?l=ipfilter&m=105309920505392&w=2
> leading to things like
> http://www.freshports.org/net/bounce
> http://gatekeeper.dec.com/pub/BSD/NetBSD/NetBSD-current/pkgsrc/net/bounce/README.html
> and even
> http://locutus.kingwoodcable.com/jfd/java/tcp/tcp.html
I've already found most of those. There are lots of daemons that will
forward TCP connections. I've tried some of them. The problem with
them is that they initiate new connections. That means that the
originating IP address is lost. I want to preserve that information
so that client logging works correctly on the destination server.

> > Is there really
> >no way to accomplish this with ipfilter? It seems so simple!
> 
> though it may be simple it is not a function of ipfilter.

Could reflection be added to ipfilter? I understand that some cluster
products have one node advertise a shared IP address and then redirect
connections to that address to other nodes in the cluster for load
balancing. So, it's certainly possible.

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
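The point Gary makes above, that a userland forwarder such as bounce opens a new connection and so the destination server logs the forwarder's address rather than the client's, can be reproduced in a few lines. The script below is an added illustration and is not code from this thread or from any of the forwarders linked in it; it runs a tiny forwarder and a tiny backend on loopback with constructed test traffic (ephemeral ports, a single "ping" request), and returns what each side observed. The function and dictionary key names (run_forwarder, run_backend, demonstrate, backend_saw, and so on) are this example's own, not from any real tool.

```python
"""Minimal TCP port forwarder that shows why a userland relay loses the
client's source address: it opens a *new* connection to the backend, so
the backend's accept() sees the forwarder's socket, not the client's."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass  # peer may already be gone


def run_forwarder(listen_sock, backend_addr, seen):
    """Accept one client and relay it to backend_addr over a fresh connection.

    Records what the forwarder knows: the client's real address and the
    local address of its own outbound socket (what the backend will see
    as the peer).  This is the structure of any bounce-style relay."""
    client, client_peer = listen_sock.accept()
    with client:
        seen["forwarder_saw_client"] = client_peer
        backend = socket.create_connection(backend_addr)  # the new connection
        with backend:
            seen["forwarder_outbound"] = backend.getsockname()
            t = threading.Thread(target=_pump, args=(client, backend))
            t.start()
            _pump(backend, client)
            t.join()


def run_backend(listen_sock, seen):
    """Accept one connection, record the peer address the way a server's
    access log would, and answer the request."""
    conn, peer = listen_sock.accept()
    with conn:
        seen["backend_saw"] = peer
        data = conn.recv(4096)
        conn.sendall(b"hello " + data)


def _listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # loopback, ephemeral port (constructed setup)
    s.listen(1)
    return s


def demonstrate():
    """Run client -> forwarder -> backend on loopback and return what each
    side observed, plus the reply the client got back."""
    backend_ls, fwd_ls = _listener(), _listener()
    seen = {}
    tb = threading.Thread(target=run_backend, args=(backend_ls, seen))
    tf = threading.Thread(target=run_forwarder,
                          args=(fwd_ls, backend_ls.getsockname(), seen))
    tb.start()
    tf.start()
    with socket.create_connection(fwd_ls.getsockname()) as c:
        seen["client_local"] = c.getsockname()
        c.sendall(b"ping")          # constructed request
        c.shutdown(socket.SHUT_WR)  # tell the forwarder we are done sending
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    tb.join()
    tf.join()
    backend_ls.close()
    fwd_ls.close()
    seen["reply"] = reply
    return seen


if __name__ == "__main__":
    r = demonstrate()
    print("client's own address:       ", r["client_local"])
    print("forwarder saw client as:    ", r["forwarder_saw_client"])
    print("forwarder's outbound socket:", r["forwarder_outbound"])
    print("backend logged peer as:     ", r["backend_saw"])
```

The forwarder itself does see the true client address (forwarder_saw_client equals the client's own socket address), but the only address it can hand the backend is that of its own outbound socket, so backend_saw equals forwarder_outbound. On loopback both sides show 127.0.0.1 and only the port differs; on a real network the backend's log would carry the forwarder's IP, which is exactly the loss of client information described above. Keeping the original source address requires the rewrite to happen below the socket layer, in the kernel's packet path, which is why the thread is asking ipfilter for it rather than a daemon.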
