Filips Houbrechts
asked on
IPTables rerouting
Hi,
I'm working with RH 9 with several virtual interfaces bound to several IP addresses. My "main" IP is xxx.xxx.xxx.81, a second IP is xxx.xxx.xxx.82.
xxx.xxx.xxx.81 handles all "normal" requests on ports 80, 443, 25, 110, etc.
I have an application running on port 24999. When connecting from another site without firewall restrictions I can just access it on xxx.xxx.xxx.81:24999.
On a third site there are firewall restrictions and I can only get out through ports 80 and 443. So I managed to implement the following rerouting through the second interface on xxx.xxx.xxx.82:
-A PREROUTING -p tcp -m tcp -d xxx.xxx.xxx.82 --dport 443 -j REDIRECT --to-ports 24999
-A PREROUTING -p udp -m udp -d xxx.xxx.xxx.82 --dport 443 -j REDIRECT --to-ports 24999
The problem is that the application answers to localhost, so I don't get a reply.
How can I tell the server that the reply has to go via xxx.xxx.xxx.82 port 443? I tried several things but it didn't work. I guess it has to be something that looks like this:
-A PREROUTING -p tcp -m tcp -s xxx.xxx.xxx.82 --sport 24999 -j REDIRECT --to-ports 443
-A PREROUTING -p udp -m udp -s xxx.xxx.xxx.82 --sport 24999 -j REDIRECT --to-ports 443
Who can help me?
Thanks in advance
Filips
The rules you want are these:
-A POSTROUTING -p tcp -m tcp -s localhost --sport 24999 -j SNAT --to xxx.xxx.xxx.82:443
rule for udp is basically the same.
ASKER
I tried it but I get this error:
[code=INVALID_TUNNEL_PORT] Tunneling is not allowed on this port. Contact your system administrator.
Any idea?
Is there a service running on that port? (port 443, that is)
ASKER
I checked with netstat and no, on IP xxx.xxx.xxx.82 port 443 is free (443 = https, right?)
It must be some local condition of the system you are working on. I ran this command on my local box:
iptables -t nat -A POSTROUTING -p tcp -s localhost --sport 24999 -j SNAT --to xxx.xxx.xxx.82:443
It was accepted without complaints; I was of course root when I ran this. Are you by any chance trying to run this iptables stuff through sudo?
ASKER
Nope, I'm root. The rule was accepted alright, but it seems not to work. Is there any way to see some extra log info so I could trace the problem?
> The problem is that when the application answers to localhost so I don't get a reply.
why does it answer to localhost instead of the correct IP? Fix the application.
ASKER
I guess the application gets a request from xxx.xxx.xxx.81:24999 because of the PREROUTING and so answers to that same address (not to localhost).
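The asker's guessed reverse PREROUTING rules and the suggested POSTROUTING SNAT both try to rewrite the reply path by hand, which netfilter already does for a REDIRECTed connection via conntrack. The checker below is an added example, not code from this thread; the function names are assumed and the rule list is a constructed copy of the rules posted above.

```python
"""Chain-placement checker for the nat-table rules discussed in this thread."""

# Addresses that belong to this host (constructed; uses the thread's masked IPs).
LOCAL_IPS = {"localhost", "127.0.0.1", "xxx.xxx.xxx.81", "xxx.xxx.xxx.82"}
SERVICE_PORT = "24999"  # the daemon being reached through port 443

# Constructed sample: the working REDIRECTs, the asker's reverse guess,
# and the suggested SNAT, all in iptables-save style.
SAMPLE_RULES = [
    "-A PREROUTING -p tcp -m tcp -d xxx.xxx.xxx.82 --dport 443 -j REDIRECT --to-ports 24999",
    "-A PREROUTING -p udp -m udp -d xxx.xxx.xxx.82 --dport 443 -j REDIRECT --to-ports 24999",
    "-A PREROUTING -p tcp -m tcp -s xxx.xxx.xxx.82 --sport 24999 -j REDIRECT --to-ports 443",
    "-A POSTROUTING -p tcp -m tcp -s localhost --sport 24999 -j SNAT --to xxx.xxx.xxx.82:443",
]


def parse_rule(line):
    """Turn one iptables-save style line into a dict of flag -> value."""
    toks = line.split()
    rule = {"raw": line, "chain": toks[toks.index("-A") + 1]}
    for flag in ("-p", "-s", "-d", "--sport", "--dport", "-j"):
        if flag in toks:
            rule[flag] = toks[toks.index(flag) + 1]
    return rule


def lint_nat_rules(lines, local_ips=LOCAL_IPS, service_port=SERVICE_PORT):
    """Return (rule, reason) pairs for rules that cannot act on the reply path."""
    findings = []
    for line in lines:
        r = parse_rule(line)
        # PREROUTING only sees packets arriving from the network; this host's
        # own replies enter at OUTPUT and leave via POSTROUTING.
        if r["chain"] == "PREROUTING" and r.get("-s") in local_ips:
            findings.append((line, "PREROUTING never sees this host's own replies "
                                   "(they enter at OUTPUT and leave via POSTROUTING)"))
        # The nat table is consulted only for a connection's first packet;
        # replies to a REDIRECTed connection are un-NATed by conntrack itself.
        if r.get("--sport") == service_port and r.get("-j") in ("REDIRECT", "DNAT", "SNAT"):
            findings.append((line, "reply packets belong to a tracked connection: the nat "
                                   "table is skipped and conntrack already rewrites the "
                                   "source back to port 443"))
    return findings


if __name__ == "__main__":
    for rule, why in lint_nat_rules(SAMPLE_RULES):
        print(rule, "\n   ->", why)
```

Only the two inbound REDIRECT rules survive the check; to see the automatic reverse mapping at work, look at the connection entries the kernel keeps rather than adding reply rules.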
ASKER
I didn't manage to make a connection yet. Instead I tried it with Webmin and it worked; that is, I can contact my server through port 443 and do most of the tasks I want to do.
Thanks
Filips
iptables -A INPUT -i lo -j ACCEPT