Layer 7 based routing with Thibor 15c

Discussion in 'HyperWRT Firmware' started by weini, Jan 6, 2007.

  1. weini

    weini Network Guru Member

    I want to forward HTTPS connections to port 443 of my router to port 443 of an internal server and forward SSH connections to port 443 of my router to port 22 of the internal server.

    From my understanding this should be possible with the Layer 7 features of iptables available in Thibor 15.

    Could someone give me a starting point or possibly share your experience in setting up such a scenario?

    Regards & TIA
  2. Thibor

    Thibor Super Moderator Staff Member Member

    that's a novel idea, have to admit i never thought of using it to route packets on the same port. anyway, this should give you a starting point to work from
    "iptables -I INPUT -m layer7 --proto ssl --dport 443 -j DNAT --to-destination", and
    "iptables -I INPUT -m layer7 --proto ssh --dport 443 -j DNAT --to-destination"
    "iptables -A FORWARD -p tcp -m tcp -d --dport 443:443 -j ACCEPT"
    "iptables -A FORWARD -p tcp -m tcp -d --dport 22:22 -j ACCEPT"

    the syntax of these rules may or may not be correct, but you get the idea and should give you a starting point.
  3. lwf-

    lwf- Network Guru Member

    Very clever! Please tell if it's successful.
  4. weini

    weini Network Guru Member

    Test results

    I did some tests but had no success up till now!

    For testing, I ended up with the following rules:

    iptables -t mangle -I PREROUTING -p tcp -m layer7 --l7proto ssl --in-interface ppp+ --dport 443 -j MARK --set-mark 22

    iptables -t nat -I PREROUTING -p tcp -m mark --mark 22 -j DNAT --to-destination 192.168.x.y:563

    I had no luck using layer7 in the nat table, and I read some comments that layer7 is usually used in the mangle table, so I divided the stuff into two rules.
    The FORWARD stuff is set up correctly since I already defined forwards via the GUI.

    For testing purposes I tried

    iptables -t nat -I PREROUTING -p tcp -m tcp --dport 443 --in-interface ppp+ -j DNAT --to-destination 192.168.x.y:563

    without the above rules and it works ok.

    What really confuses me is the following:
    If I issue "iptables -t mangle -L -v" immediately after trying to access my webserver, I see 0 packets passed. About a minute later I see there are packets handled by the rule in the mangle table, but none get handled by the nat table.

    This raises the following questions:

    1) Is there a known delay before the statistics show up on an "iptables -L -v"?
    2) Is my assumption correct that only the first rule in a chain that matches all criteria gets handled?
    3) How the hell may I debug these rules more properly (how would the LOG stuff get written)?
  5. weini

    weini Network Guru Member

    So far this turns out to be much more complex than I thought!

    The key issue is that the layer 7 filters are only able to distinguish the protocol type starting from the third packet of a connection.

    A workaround may be to duplicate the first two packets of a connection and send them to both potential targets (the https and the ssh server).

    For duplicating packets the ROUTE target of iptables seems to be a proper solution. I'll test this in more detail.

    @Thibor: Thanks so far for using a recent iptables version for your firmware mod. Do you know if the ROUTE target is also supported? I'll try to test it this evening.

    Has anybody else any clues how we may be able to duplicate a packet in iptables or somewhere else?
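    As an added illustration of the packet-count problem described in this post (constructed example code, not from the thread or from Thibor's firmware): a toy classifier in the spirit of the l7-filter ssl/ssh patterns, run over constructed inbound packet sequences. The client's SYN and ACK carry no payload, so the earliest a verdict exists is the third inbound packet, whereas the nat table's PREROUTING chain is consulted only for a connection's first packet, which is why a mark set later in mangle can never feed a DNAT.

```python
# Added example (not from the thread): a toy version of what an l7-filter
# match does, run over constructed inbound packet sequences to show at which
# packet the ssl/ssh decision can be made at all.

TLS_HANDSHAKE = 0x16            # TLS record content type "handshake"

def classify_payload(data: bytes) -> str:
    """Return 'ssl', 'ssh' or 'unknown' from the first application bytes."""
    if data.startswith(b"SSH-"):                      # RFC 4253 ident string
        return "ssh"
    # TLS record header: 0x16, major version 0x03, minor 0x00..0x04, 2-byte length
    if len(data) >= 5 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        return "ssl"
    return "unknown"

def classify_stream(packets):
    """packets: ordered (tcp_flags, payload) tuples as seen on one interface.

    Returns (verdict, n) where n is the 1-based packet number at which the
    verdict became available, or ('unknown', None) if it never did."""
    seen = b""
    for n, (_flags, payload) in enumerate(packets, start=1):
        if not payload:            # SYN, SYN-ACK and bare ACKs carry no data
            continue
        seen += payload
        verdict = classify_payload(seen)
        if verdict != "unknown":
            return verdict, n
    return "unknown", None

# Constructed inbound (client -> router) sequences; only client packets are
# visible to a PREROUTING rule on the WAN interface.
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2f, 0x01]) + b"\x00" * 46
HTTPS_STREAM = [("S", b""), ("A", b""), ("PA", CLIENT_HELLO)]
SSH_STREAM = [("S", b""), ("A", b""), ("PA", b"SSH-2.0-OpenSSH_7.9\r\n")]
# An SSH client that waits for the server banner first: one more empty ACK.
SSH_WAITING = [("S", b""), ("A", b""), ("A", b""), ("PA", b"SSH-2.0-OpenSSH_7.9\r\n")]
HANDSHAKE_ONLY = [("S", b""), ("A", b"")]

if __name__ == "__main__":
    for name, s in [("https", HTTPS_STREAM), ("ssh", SSH_STREAM),
                    ("ssh-waiting", SSH_WAITING), ("syn-only", HANDSHAKE_ONLY)]:
        print(name, classify_stream(s))
```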
  6. Thibor

    Thibor Super Moderator Staff Member Member

    not route, sorry. you can check yourself via proc. it's /proc/net/ip_tables_targets and ip_tables_matches
  7. weini

    weini Network Guru Member

    So I see no chance to implement a "split" without the ability to duplicate packets.

    Is anybody aware if any other WRT54 firmware has the ROUTE target for iptables included?
  8. Thibor

    Thibor Super Moderator Staff Member Member

    i'll put it in 16, but if you need it sooner, you'll just have to recompile 15c yourself
  9. weini

    weini Network Guru Member

    I'll kindly wait for it !!!!

    If you need beta testers (really beta, not alpha), I'm here!