Solved

http port forwarding from a specific maching?

Posted on 2004-09-07
6
165 Views
Last Modified: 2010-04-22
Hello,

I am trying to configure my box to forward http requests from specific machines(ie 10.100.100.19) to another box running a webserver (ie10.100.100.25).

I am new to iptables but from what I have read, the following rules should work but I always get a timeout.  

Can anyone point out what I am doing wrong?

Thanks for help.

$ iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp --sport 80 -j SNAT --to 10.100.100.19
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
0
Comment
Question by:joleger
  • 2
  • 2
  • 2
6 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11996857
I would add the forward rules first and then I would suggest you put the rule POSTROUTING before the one PREROUTING.
It seems that you start routing your traffic to 10.100.100.25 before it has been allowed on the machine 10.100.100.19.
And put a logging rules so you can at least see something.

0
 
LVL 6

Assisted Solution

by:bloemkool1980
bloemkool1980 earned 150 total points
ID: 11996893
iptables -A FORWARD -s 0.0.0.0/0 -d $IP_INTERNET -p tcp \
--destination-port 80 -j ACCEPT

iptables -t nat -A PREROUTING -d $IP_INTERNET -j DNAT \
--to-destination <local-ip-address>

iptables -t nat -A POSTROUTING -o $IFACE_INTERNET \
-s <local-ip-address> -j SNAT --to-source $IP_INTERNET

this should clear it up so assume INTERNET= 10.100.100.19 and Local = 10.100.100.25
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 350 total points
ID: 12000349
iptables -A PREROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j DNAT --to 10.100.100.25:80
# assuming that you still have propper rules in FORWARD chain
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:joleger
ID: 12163805
Sorry for not getting back to this sooner. (was on vacation)

I still can't get it to work.  I have tried many variations of the comments above.

Goal: Have web requests coming from 10.100.100.19 destined to my box 10.100.100.2 redirected to 10.100.100.25

Here are the current rules I have added to 10.100.100.2

#  iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
#  iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
#  iptables -A PREROUTING -t nat -p tcp  --dport 80 -j DNAT --to 10.100.100.25:

Tcpdump from 10.100.100.2:

16:50:49.628042 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:49.628085 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:49.628416 arp who-has 10.100.100.19 tell 10.100.100.25
16:50:52.588893 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:52.588910 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:58.598427 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:58.598444 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)


Tcpdump from 10.100.100.25:
(I know the date is wrong)
13:54:46.422461 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:46.422557 arp who-has 10.100.100.19 tell 10.100.100.25
13:54:46.422714 arp reply 10.100.100.19 is-at 0:10:a4:16:4a:57
13:54:46.422721 10.100.100.25.http > 10.100.100.19.1189: S 917277770:917277770(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:46.422961 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0
13:54:49.383291 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:49.383319 10.100.100.25.http > 10.100.100.19.1189: S 920238570:920238570(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:49.383541 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0
13:54:55.392906 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:55.392926 10.100.100.25.http > 10.100.100.19.1189: S 926248180:926248180(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:55.393157 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0


Any more suggestions?  I have /proc/sys/net/ipv4/ip_forward set to 1.  
Do I have to set any rules on 10.100.100.25?  
Do I need a POSTROUTEING rule?

I need help.


0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12168021
please post result of:
  iptables. -l -n -v -t nat && iptables. -l -n -v -t  mangle && iptables. -l -n -v
0
 

Author Comment

by:joleger
ID: 12595298
my system = 10.100.100.99

This worked for me.
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
$ iptables -A PREROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j SNAT --to 10.100.100.99


I have since changed it to be interface based as opposed to ip based
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
$ iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp -o eth0 --dport 80 -j SNAT --to 10.100.100.99

Thanks for all the replies
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address. There is a new bug in BIND (https://kb.isc.org/article/AA-01272), affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) thro…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now