The destination machine, not surprisingly, shows the IP address of the
firewall as the source of the connection. The goal is obtaining the
connection's real source IP. However, on the firewall the forwarded
connection isn't reported anywhere by netstat or ss.
After poking around, I found what I was looking for in
/proc/net/nf_conntrack. The forwarded connection was listed there, showing
the connection's real source IP.
But grepping through /proc/net/nf_conntrack seems to be rather quaint.
Neither netstat's nor ss's man page hint at any option that would report on
/proc/net/nf_conntrack in some user-friendly fashion. Is there some other
admin utility that does?
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
08-27-2011, 11:50 PM
Kevin Fenzi
What tool shows /proc/net/nf_conntrack
On Sat, 27 Aug 2011 19:46:12 -0400
Sam Varshavchik <mrsam@courier-mta.com> wrote:
> I forwarded a port, using system-config-firewall.
>
> The destination machine, not surprisingly, shows the IP address of
> the firewall as the source of the connection. The goal is obtaining
> the connection's real source IP. However, on the firewall the
> forwarded connection isn't reported anywhere by netstat or ss.
This is a DNAT forward? It should show the IP of whatever machine is
sending the request, not the firewall box in the middle.
> After poking around, I found what I was looking for in
> /proc/net/nf_conntrack. The forwarded connection was listed there,
> showing the connection's real source IP.
>
> But grepping through /proc/net/nf_conntrack seems to be rather
> quaint. Neither netstat's nor ss's man page hint at any option that
> would report on /proc/net/nf_conntrack in some user-friendly fashion.
> Is there some other admin utility that does?
conntrack-tools has a 'conntrack' command line tool.
kevin
08-28-2011, 05:00 AM
Andre Speelmans
What tool shows /proc/net/nf_conntrack
> Sam Varshavchik <mrsam@courier-mta.com> wrote:
>> I forwarded a port, using system-config-firewall.
>>
>> The destination machine, not surprisingly, shows the IP address of
>> the firewall as the source of the connection. The goal is obtaining
>> the connection's real source IP. However, on the firewall the
>> forwarded connection isn't reported anywhere by netstat or ss.
On Sun, Aug 28, 2011 at 1:50 AM, Kevin Fenzi <kevin@scrye.com> wrote:
> This is a DNAT forward? it should show the IP of whatever machine is
> sending the request, not the firewall box in the middle.
As the forwarded port most likely also does SNAT, so the receiving
machine can send its packets back, the receiver has no clue about the
original sender and will show the IP of the firewall.
--
Regards,
André
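The lookup the first post does by hand in /proc/net/nf_conntrack, and the DNAT+SNAT situation André describes, as an added Python example that is not part of the thread: it parses conntrack entries (original tuple first, reply tuple second) and maps the peer the internal server reports back to the client's real address. The sample lines and all addresses are constructed; the script assumes the usual nf_conntrack line layout shown in them.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of /proc/net/nf_conntrack lines (not from the thread). Each
# entry lists the ORIGINAL tuple first, then the REPLY tuple. For a port forward
# that is DNATed and SNATed (line 1) the reply tuple is what the internal server
# sees, while the original tuple still carries the client's real address.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=40123 dport=8080 src=10.0.0.5 dst=10.0.0.1 sport=8080 dport=40123 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=192.0.2.33 dst=203.0.113.10 sport=55555 dport=22 src=203.0.113.10 dst=192.0.2.33 sport=22 dport=55555 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.1 dst=10.0.0.53 sport=50000 dport=53 src=10.0.0.53 dst=10.0.0.1 sport=53 dport=50000 mark=0 zone=0 use=2
"""

_KV = re.compile(r"(\w+)=(\S+)")

def _to_tuple(kv: Dict[str, str]) -> Tuple[str, int, str, int]:
    # ICMP entries carry type/code/id instead of ports; default those to 0.
    return (kv["src"], int(kv.get("sport", 0)), kv["dst"], int(kv.get("dport", 0)))

def parse_conntrack_line(line: str) -> Optional[dict]:
    """Split one nf_conntrack line into protocol, TCP state, original and reply tuples."""
    fields = line.split()
    if len(fields) < 6 or fields[0] not in ("ipv4", "ipv6"):
        return None
    state = fields[5] if "=" not in fields[5] else None  # UDP lines have no state word
    tuples: List[Tuple[str, int, str, int]] = []
    cur: Dict[str, str] = {}
    for key, val in _KV.findall(line):
        if key == "src" and cur:  # a second src= opens the reply tuple
            tuples.append(_to_tuple(cur))
            cur = {}
        cur[key] = val
    tuples.append(_to_tuple(cur))
    if len(tuples) != 2:
        return None
    return {"proto": fields[2], "state": state, "orig": tuples[0], "reply": tuples[1]}

def real_source(conntrack_text: str, seen_src: str, seen_sport: int,
                server_ip: str, server_port: int) -> Optional[Tuple[str, int]]:
    """Map the peer the internal server reports (firewall IP/port after SNAT) back to the
    client's real IP/port. Matching on the reply tuple also covers a rewritten source port."""
    for line in conntrack_text.splitlines():
        entry = parse_conntrack_line(line)
        if entry is None:
            continue
        r_src, r_sport, r_dst, r_dport = entry["reply"]
        # The server's inbound view (peer -> server) is the reply tuple reversed.
        if (r_dst, r_dport, r_src, r_sport) == (seen_src, seen_sport, server_ip, server_port):
            return entry["orig"][0], entry["orig"][1]
    return None
```

On a real firewall, replace SAMPLE_CONNTRACK with the contents of /proc/net/nf_conntrack (reading it needs root) and pass in the peer address and port the internal server logged.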
08-28-2011, 05:17 AM
Tom H
What tool shows /proc/net/nf_conntrack
On Sat, Aug 27, 2011 at 7:50 PM, Kevin Fenzi <kevin@scrye.com> wrote:
> On Sat, 27 Aug 2011 19:46:12 -0400
> Sam Varshavchik <mrsam@courier-mta.com> wrote:
>>
>> I forwarded a port, using system-config-firewall.
>>
>> The destination machine, not surprisingly, shows the IP address of
>> the firewall as the source of the connection. The goal is obtaining
>> the connection's real source IP. However, on the firewall the
>> forwarded connection isn't reported anywhere by netstat or ss.
>
> This is a DNAT forward? it should show the IP of whatever machine is
> sending the request, not the firewall box in the middle.
>
>> After poking around, I found what I was looking for in
>> /proc/net/nf_conntrack. The forwarded connection was listed there,
>> showing the connection's real source IP.
>>
>> But grepping through /proc/net/nf_conntrack seems to be rather
>> quaint. Neither netstat's nor ss's man page hint at any option that
>> would report on /proc/net/nf_conntrack in some user-friendly fashion.
>> Is there some other admin utility that does?
>
> conntrack-tools has a 'conntrack' command line tool.
KF1: You missed "on the firewall."
KF2: Thanks, didn't know about "conntrack".
OP: You can make iptables log your forwarding rule; that log *might*
be more convenient than "/proc/net/nf_conntrack".