Solved

http port forwarding from a specific maching?

Posted on 2004-09-07
6
174 Views
Last Modified: 2010-04-22
Hello,

I am trying to configure my box to forward http requests from specific machines(ie 10.100.100.19) to another box running a webserver (ie10.100.100.25).

I am new to iptables but from what I have read, the following rules should work but I always get a timeout.  

Can anyone point out what I am doing wrong?

Thanks for help.

$ iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp --sport 80 -j SNAT --to 10.100.100.19
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
0
Comment
Question by:joleger
  • 2
  • 2
  • 2
6 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11996857
I would add the forward rules first and then I would suggest you put the rule POSTROUTING before the one PREROUTING.
It seems that you start routing your traffic to 10.100.100.25 before it has been allowed on the machine 10.100.100.19.
And put a logging rules so you can at least see something.

0
 
LVL 6

Assisted Solution

by:bloemkool1980
bloemkool1980 earned 150 total points
ID: 11996893
iptables -A FORWARD -s 0.0.0.0/0 -d $IP_INTERNET -p tcp \
--destination-port 80 -j ACCEPT

iptables -t nat -A PREROUTING -d $IP_INTERNET -j DNAT \
--to-destination <local-ip-address>

iptables -t nat -A POSTROUTING -o $IFACE_INTERNET \
-s <local-ip-address> -j SNAT --to-source $IP_INTERNET

this should clear it up so assume INTERNET= 10.100.100.19 and Local = 10.100.100.25
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 350 total points
ID: 12000349
iptables -A PREROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j DNAT --to 10.100.100.25:80
# assuming that you still have propper rules in FORWARD chain
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:joleger
ID: 12163805
Sorry for not getting back to this sooner. (was on vacation)

I still can't get it to work.  I have tried many variations of the comments above.

Goal: Have web requests coming from 10.100.100.19 destined to my box 10.100.100.2 redirected to 10.100.100.25

Here are the current rules I have added to 10.100.100.2

#  iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
#  iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
#  iptables -A PREROUTING -t nat -p tcp  --dport 80 -j DNAT --to 10.100.100.25:

Tcpdump from 10.100.100.2:

16:50:49.628042 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:49.628085 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:49.628416 arp who-has 10.100.100.19 tell 10.100.100.25
16:50:52.588893 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:52.588910 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:58.598427 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:58.598444 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)


Tcpdump from 10.100.100.25:
(I know the date is wrong)
13:54:46.422461 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:46.422557 arp who-has 10.100.100.19 tell 10.100.100.25
13:54:46.422714 arp reply 10.100.100.19 is-at 0:10:a4:16:4a:57
13:54:46.422721 10.100.100.25.http > 10.100.100.19.1189: S 917277770:917277770(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:46.422961 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0
13:54:49.383291 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:49.383319 10.100.100.25.http > 10.100.100.19.1189: S 920238570:920238570(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:49.383541 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0
13:54:55.392906 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:55.392926 10.100.100.25.http > 10.100.100.19.1189: S 926248180:926248180(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:55.393157 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0


Any more suggestions?  I have /proc/sys/net/ipv4/ip_forward set to 1.  
Do I have to set any rules on 10.100.100.25?  
Do I need a POSTROUTEING rule?

I need help.


0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12168021
please post result of:
  iptables. -l -n -v -t nat && iptables. -l -n -v -t  mangle && iptables. -l -n -v
0
 

Author Comment

by:joleger
ID: 12595298
my system = 10.100.100.99

This worked for me.
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
$ iptables -A PREROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j SNAT --to 10.100.100.99


I have since changed it to be interface based as opposed to ip based
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
$ iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp -o eth0 --dport 80 -j SNAT --to 10.100.100.99

Thanks for all the replies
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Fine Tune your automatic Updates for Ubuntu / Debian
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

791 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question