Solved

http port forwarding from a specific machine?

Posted on 2004-09-07
Last Modified: 2010-04-22
Hello,

I am trying to configure my box to forward http requests from specific machines (i.e. 10.100.100.19) to another box running a webserver (i.e. 10.100.100.25).

I am new to iptables but from what I have read, the following rules should work but I always get a timeout.  

Can anyone point out what I am doing wrong?

Thanks for the help.

$ iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp --sport 80 -j SNAT --to 10.100.100.19
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
Question by:joleger
LVL 6

Expert Comment

by:bloemkool1980
ID: 11996857
I would add the forward rules first, and then I would suggest you put the POSTROUTING rule before the PREROUTING one.
It seems that you start routing your traffic to 10.100.100.25 before it has been allowed on the machine 10.100.100.19.
And put in logging rules so you can at least see something.

 
LVL 6

Assisted Solution

by:bloemkool1980
bloemkool1980 earned 150 total points
ID: 11996893
iptables -A FORWARD -s 0.0.0.0/0 -d $IP_INTERNET -p tcp \
--destination-port 80 -j ACCEPT

iptables -t nat -A PREROUTING -d $IP_INTERNET -j DNAT \
--to-destination <local-ip-address>

iptables -t nat -A POSTROUTING -o $IFACE_INTERNET \
-s <local-ip-address> -j SNAT --to-source $IP_INTERNET

This should clear it up; assume INTERNET = 10.100.100.19 and Local = 10.100.100.25.
 
LVL 51

Accepted Solution

by:ahoffmann
ahoffmann earned 350 total points
ID: 12000349
iptables -A PREROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j DNAT --to 10.100.100.25:80
# assuming that you still have proper rules in the FORWARD chain

Author Comment

by:joleger
ID: 12163805
Sorry for not getting back to this sooner. (was on vacation)

I still can't get it to work.  I have tried many variations of the comments above.

Goal: Have web requests coming from 10.100.100.19 destined for my box 10.100.100.2 redirected to 10.100.100.25.

Here are the current rules I have added on 10.100.100.2:

#  iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
#  iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
#  iptables -A PREROUTING -t nat -p tcp  --dport 80 -j DNAT --to 10.100.100.25:

Tcpdump from 10.100.100.2:

16:50:49.628042 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:49.628085 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:49.628416 arp who-has 10.100.100.19 tell 10.100.100.25
16:50:52.588893 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:52.588910 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:58.598427 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:58.598444 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)


Tcpdump from 10.100.100.25:
(I know the date is wrong)
13:54:46.422461 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:46.422557 arp who-has 10.100.100.19 tell 10.100.100.25
13:54:46.422714 arp reply 10.100.100.19 is-at 0:10:a4:16:4a:57
13:54:46.422721 10.100.100.25.http > 10.100.100.19.1189: S 917277770:917277770(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:46.422961 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0
13:54:49.383291 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:49.383319 10.100.100.25.http > 10.100.100.19.1189: S 920238570:920238570(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:49.383541 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0
13:54:55.392906 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:55.392926 10.100.100.25.http > 10.100.100.19.1189: S 926248180:926248180(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:55.393157 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0


Any more suggestions?  I have /proc/sys/net/ipv4/ip_forward set to 1.
Do I have to set any rules on 10.100.100.25?
Do I need a POSTROUTING rule?

I need help.


 
LVL 51

Expert Comment

by:ahoffmann
ID: 12168021
Please post the result of:
  iptables -L -n -v -t nat && iptables -L -n -v -t mangle && iptables -L -n -v
 

Author Comment

by:joleger
ID: 12595298
my system = 10.100.100.99

This worked for me.
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
$ iptables -A PREROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j SNAT --to 10.100.100.99


I have since changed it to be interface-based as opposed to IP-based:
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
$ iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp -o eth0 --dport 80 -j SNAT --to 10.100.100.99

Thanks for all the replies.
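The failure visible in the tcpdump earlier in this thread (the server's SYN-ACK arrives straight from 10.100.100.25, and the client answers it with RST because its connection was to 10.100.100.2) and the reason the final working rule set needs the POSTROUTING SNAT can be modelled in a few lines. This is an added example, not code from the thread; the helper names (Pkt, nat_box, deliver, handshake) are mine, and it assumes, as in the thread, that client, NAT box and web server all share one subnet, so the server's reply only passes through the NAT box when it is addressed to the NAT box.

```python
from dataclasses import dataclass, replace

# Addresses from the thread: client, NAT box (the author's "my box") and web server.
# All three sit on one subnet, which is exactly why DNAT alone fails here.
CLIENT, GATEWAY, SERVER = "10.100.100.19", "10.100.100.2", "10.100.100.25"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def nat_box(syn: Pkt, snat: bool) -> Pkt:
    """What leaves the NAT box for a client SYN aimed at GATEWAY:80.
    PREROUTING DNAT always rewrites the destination to SERVER; the POSTROUTING
    SNAT (only when snat=True) additionally rewrites the source to GATEWAY."""
    out = replace(syn, dst=SERVER)
    return replace(out, src=GATEWAY) if snat else out


def server_synack(seen: Pkt) -> Pkt:
    """The web server answers whatever source it saw; it knows nothing of the NAT."""
    return Pkt(seen.dst, seen.dport, seen.src, seen.sport, "SA")


def deliver(reply: Pkt) -> Pkt:
    """Same-subnet delivery (modelled assumption): a reply addressed to GATEWAY is
    un-NATed there by conntrack, reversing both translations; anything else is
    ARPed and delivered directly, bypassing the NAT box entirely."""
    if reply.dst == GATEWAY:
        return Pkt(GATEWAY, reply.sport, CLIENT, reply.dport, reply.flags)
    return reply


def handshake(snat: bool) -> str:
    """Client's verdict on the SYN-ACK for the DNAT-only and DNAT+SNAT cases."""
    syn = Pkt(CLIENT, 1189, GATEWAY, 80, "S")  # client socket: CLIENT:1189 -> GATEWAY:80
    synack = deliver(server_synack(nat_box(syn, snat)))
    # The client only accepts a SYN-ACK whose source matches the peer it connected to.
    if (synack.src, synack.sport) == (syn.dst, syn.dport):
        return "SYN-ACK accepted"
    return f"RST sent: SYN-ACK came from {synack.src}, connection was to {syn.dst}"
```

With the SNAT in place the web server sees every forwarded request as coming from the NAT box, so its access logs no longer record the real client address.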