Other Rewrite destination address for outgoing packets

Hi all,

does anyone know if it is possible to change the destination address for locally generated outgoing traffic? I am trying to achieve that traffic with a destination address of 1.2.3.4 gets rewritten to 10.10.10.10. I tried to implement such rules in pf and ipfw without success.

In general I want to rewrite the source and destination address so that "public" traffic gets rewritten to "internal" traffic. This is necessary because I want to remove the public IP on a server, and during the migration connections to that public address should be rewritten to the internal address.

Thank you in advance.
 
That's what PF's rdr does: it rewrites the destination address (and optionally the destination port).

In general I want to rewrite the source and destination address that "public" traffic gets rewritten to "internal" traffic.
Note that you cannot "bounce" traffic out the same interface it came in on with PF.
 
But it doesn't do that for locally generated traffic; it only works for incoming traffic (man page output: ...redirecting port 80 on an external interface to an internal web server will only work for connections originating from the outside...)?

connection from source server (ip 1.2.3.3) to destination server 1.2.3.4 on port 1234:
$ nc 1.2.3.4 1234 -v

pf rule on source server (which doesn't have any matches):

# pfctl -Psn -vv
@0 rdr pass log on v1 inet proto tcp from 1.2.3.3 to 1.2.3.4 port = 1234 -> 10.10.10.10
[ Evaluations: 5257 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 1014 State Creations: 0 ]


tcpdump on source server (no address has been rewritten):
15:08:56.433879 IP 1.2.3.3.16665 > 1.2.3.4.1234: Flags [S], seq 230203644, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1408901404 ecr 0], length 0
 
This is necessary because I want to remove the public IP on a server and during the migration connections to that public address should be rewritten to the internal address.
This is a simple redirect on the external interface; rdr on $ext_if from any to ($ext_if) port 1234 -> $internalIP port 1234

Traffic originating from inside however will need special attention, this is called hairpinning. You can often do this with a simple redirect on the internal interface. But keep in mind that you cannot 'bounce' that traffic out the same interface it came in on.

But it doesn't do that for local generated traffic,
Local traffic doesn't pass an interface at all.

Is this for a webservice? Or is this some other TCP service you need to redirect? If it's plain web traffic I would put net/haproxy on the host and let that do the connection to the backend. This solves different problems at once. Your services all still connect to the external IP address, regardless of whether the traffic originates from the internet or internally. Because HAProxy is a proxy you don't have the redirection problems.
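A pf.conf fragment putting together the two cases the reply above describes (the plain redirect on the external interface, and the hairpin redirect for internal clients); this is an added example, not configuration posted in this thread or taken from FreeBSD's documentation. The interface names, the internal subnet and the macro names are assumptions; 10.10.10.10 and port 1234 are the values from the thread.

```pf
# Assumed names: ext_if/int_if are the firewall's interfaces and int_net the
# internal subnet. 10.10.10.10 and port 1234 come from the thread.
ext_if = "em0"
int_if = "em1"
int_net = "10.10.10.0/24"
internal_ip = "10.10.10.10"
svc_port = "1234"

# 1) Connections arriving from the outside: the simple redirect on the
#    external interface that the reply gives.
rdr on $ext_if proto tcp from any to ($ext_if) port $svc_port -> $internal_ip port $svc_port

# 2) Hairpin: internal clients that still connect to the public address.
#    The rdr rewrites the destination; the nat additionally rewrites the
#    client's source to the firewall's internal address, so the server's
#    replies come back through the firewall instead of having to be
#    "bounced" out the same interface they came in on, which PF cannot do.
rdr on $int_if proto tcp from $int_net to ($ext_if) port $svc_port -> $internal_ip port $svc_port
nat on $int_if proto tcp from $int_net to $internal_ip port $svc_port -> ($int_if)

# Filter rules must still allow the translated traffic; keep them narrow so
# only the redirected service is admitted, and let state handle the replies.
pass in on $ext_if proto tcp from any to $internal_ip port $svc_port keep state
pass in on $int_if proto tcp from $int_net to $internal_ip port $svc_port keep state
pass out on $int_if proto tcp to $internal_ip port $svc_port keep state

# Note: rdr matches packets arriving on the named interface, so connections
# the firewall itself originates (the situation asked about in the thread)
# are not caught by either rule; that case needs a proxy such as HAProxy.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`.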
 