Filips Houbrechts (Belgium) asked:

IPTables rerouting

Hi,

I'm working with RH 9 with several virtual interfaces bound to several IP addresses. My "main" IP is xxx.xxx.xxx.81; a second IP is xxx.xxx.xxx.82.
xxx.xxx.xxx.81 handles all "normal" requests on ports 80, 443, 25, 110, etc.
I have an application running on port 24999. When connecting from another site without firewall restrictions I can just access it on xxx.xxx.xxx.81:24999.
On a third site there are firewall restrictions and I can only get out through ports 80 and 443. So I managed to implement the following rerouting through the second interface on xxx.xxx.xxx.82:

-A PREROUTING -p tcp -m tcp -d xxx.xxx.xxx.82 --dport 443 -j REDIRECT --to-ports 24999
-A PREROUTING -p udp -m udp -d xxx.xxx.xxx.82 --dport 443 -j REDIRECT --to-ports 24999

The problem is that the application answers to localhost, so I don't get a reply.

How can I tell the server that the reply has to go via xxx.xxx.xxx.82 port 443? I tried several things but it didn't work. I guess it has to be something that looks like this:

-A PREROUTING -p tcp -m tcp -s xxx.xxx.xxx.82 --sport 24999 -j REDIRECT --to-ports 443
-A PREROUTING -p udp -m udp -s xxx.xxx.xxx.82 --sport 24999 -j REDIRECT --to-ports 443

Who can help me?
Thanks in advance
Filips
Pablo Allietti (Uruguay) replied:

Try with this:

iptables -A INPUT -i lo -j ACCEPT
The rules you want are these:

-A POSTROUTING -p tcp -m tcp -s localhost --sport 24999 -j SNAT --to xxx.xxx.xxx.82:443
rule for udp is basically the same.
Filips Houbrechts (asker):

I tried it but I get this error:

[code=INVALID_TUNNEL_PORT] Tunneling is not allowed on this port. Contact your system administrator.

Any idea?
Is there a service running on that port? (port 443, that is)
I checked with netstat and no, on IP xxx.xxx.xxx.82 port 443 is free (443 = https, right?)
It must be some local condition of the system you are working on. I ran this command on my local box:

iptables -t nat -A POSTROUTING -p tcp -s localhost --sport 24999 -j SNAT --to xxx.xxx.xxx.82:443

It was accepted without complaints; I was of course root when I ran this. Are you by any chance trying to run this iptables stuff through sudo?
Nope, I'm root. The rule was accepted alright, but it seems not to work. Is there any way to see some extra log info so I could trace the problem?
SOLUTION (de2Zotjes, Netherlands):
> The problem is that the application answers to localhost, so I don't get a reply.
Why does it answer to localhost instead of the correct IP? Fix the application.
I guess the application gets a request from xxx.xxx.xxx.81:24999 because of the PREROUTING and so answers to that same address (not to localhost).
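The point made above about the PREROUTING REDIRECT is the key to the whole thread: REDIRECT rewrites the destination to the primary address of the interface the packet came in on (the .81 address when .82 is an alias on the same NIC), and connection tracking remembers the original destination so that the server's replies are translated back to xxx.xxx.xxx.82:443 on their own; no second rule for the server-to-client direction is needed. The following is an added, constructed model of that behaviour (not code from the thread or from netfilter); the addresses 192.0.2.x and 198.51.100.x are documentation ranges standing in for the masked ones.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class RedirectNat:
    """Model of 'iptables -t nat -A PREROUTING -p tcp -d VIP --dport PORT -j REDIRECT --to-ports TO_PORT'.

    REDIRECT sends the packet to the primary address of the incoming interface
    (PRIMARY, e.g. the .81 address when .82 is only an alias on that NIC) and
    conntrack records the original destination, so replies are un-NATed without
    any extra rule.  Assumed names; this is a teaching model, not netfilter.
    """

    def __init__(self, vip: str, port: int, to_port: int, primary: str):
        self.vip, self.port, self.to_port, self.primary = vip, port, to_port, primary
        # (client ip, client port) -> original (dst ip, dst port), as conntrack would keep it
        self.conntrack: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def prerouting(self, pkt: Packet) -> Packet:
        """Client -> server direction: only the first packet consults the nat rule."""
        key = (pkt.src, pkt.sport)
        if key not in self.conntrack:
            if not (pkt.dst == self.vip and pkt.dport == self.port):
                return pkt  # rule not matched: packet passes untouched
            self.conntrack[key] = (pkt.dst, pkt.dport)  # remember original destination
        # every packet of a tracked flow gets the same rewrite
        return Packet(pkt.src, pkt.sport, self.primary, self.to_port)

    def reply(self, pkt: Packet) -> Packet:
        """Server -> client direction: conntrack restores the original destination as source."""
        key = (pkt.dst, pkt.dport)
        if key in self.conntrack and (pkt.src, pkt.sport) == (self.primary, self.to_port):
            orig_dst, orig_dport = self.conntrack[key]
            return Packet(orig_dst, orig_dport, pkt.dst, pkt.dport)
        return pkt  # untracked or not from the redirected service: unchanged
```

The model also shows why the poster's proposed "reverse" rule matching `--sport 24999` is unnecessary: the client's view of the reply is restored from the conntrack entry, not from a second rule.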
ASKER CERTIFIED SOLUTION
I haven't managed to make a connection yet. Instead I tried it with webmin and it worked, that is, I can contact my server through port 443 and do most of the tasks I want to do.

Thanks
Filips