Solved

http port forwarding from a specific machine?

Posted on 2004-09-07
6
177 Views
Last Modified: 2010-04-22
Hello,

I am trying to configure my box to forward http requests from specific machines (i.e. 10.100.100.19) to another box running a webserver (i.e. 10.100.100.25).

I am new to iptables but from what I have read, the following rules should work, but I always get a timeout.

Can anyone point out what I am doing wrong?

Thanks for the help.

$ iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp --sport 80 -j SNAT --to 10.100.100.19
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
0
Question by:joleger
6 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11996857
I would add the forward rules first, and then I would suggest you put the POSTROUTING rule before the PREROUTING one.
It seems that you start routing your traffic to 10.100.100.25 before it has been allowed on the machine 10.100.100.19.
And add logging rules so you can at least see something.

0
 
LVL 6

Assisted Solution

by:bloemkool1980
bloemkool1980 earned 150 total points
ID: 11996893
iptables -A FORWARD -s 0.0.0.0/0 -d $IP_INTERNET -p tcp \
--destination-port 80 -j ACCEPT

iptables -t nat -A PREROUTING -d $IP_INTERNET -j DNAT \
--to-destination <local-ip-address>

iptables -t nat -A POSTROUTING -o $IFACE_INTERNET \
-s <local-ip-address> -j SNAT --to-source $IP_INTERNET

This should clear it up; assume INTERNET = 10.100.100.19 and Local = 10.100.100.25.
0
 
LVL 51

Accepted Solution

by:ahoffmann
ahoffmann earned 350 total points
ID: 12000349
iptables -A PREROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j DNAT --to 10.100.100.25:80
# assuming that you still have proper rules in FORWARD chain
0

Author Comment

by:joleger
ID: 12163805
Sorry for not getting back to this sooner (was on vacation).

I still can't get it to work. I have tried many variations of the comments above.

Goal: Have web requests coming from 10.100.100.19 destined to my box 10.100.100.2 redirected to 10.100.100.25

Here are the current rules I have added to 10.100.100.2

#  iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
#  iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
#  iptables -A PREROUTING -t nat -p tcp  --dport 80 -j DNAT --to 10.100.100.25:

Tcpdump from 10.100.100.2:

16:50:49.628042 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:49.628085 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:49.628416 arp who-has 10.100.100.19 tell 10.100.100.25
16:50:52.588893 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:52.588910 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:58.598427 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:58.598444 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)


Tcpdump from 10.100.100.25:
(I know the date is wrong)
13:54:46.422461 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:46.422557 arp who-has 10.100.100.19 tell 10.100.100.25
13:54:46.422714 arp reply 10.100.100.19 is-at 0:10:a4:16:4a:57
13:54:46.422721 10.100.100.25.http > 10.100.100.19.1189: S 917277770:917277770(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:46.422961 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0
13:54:49.383291 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:49.383319 10.100.100.25.http > 10.100.100.19.1189: S 920238570:920238570(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:49.383541 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0
13:54:55.392906 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:55.392926 10.100.100.25.http > 10.100.100.19.1189: S 926248180:926248180(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:55.393157 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0


Any more suggestions? I have /proc/sys/net/ipv4/ip_forward set to 1.
Do I have to set any rules on 10.100.100.25?
Do I need a POSTROUTING rule?

I need help.


0
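The two captures in the post above already contain the diagnosis. As an added example (not code from the thread), this Python script parses tcpdump lines in that format and reports the DNAT rewrite seen on the NAT box, the absence of any reply passing through it, and the client resetting the SYN-ACK that the webserver sent to it directly. The sample lines are constructed by trimming the posted captures; the finding codes are my own naming.

```python
import re

# Constructed sample lines, trimmed from the two captures posted in the thread.
NAT_BOX_CAPTURE = """\
16:50:49.628042 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 (DF)
16:50:49.628085 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 (DF)
16:50:49.628416 arp who-has 10.100.100.19 tell 10.100.100.25
"""
WEBSERVER_CAPTURE = """\
13:54:46.422461 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 (DF)
13:54:46.422721 10.100.100.25.http > 10.100.100.19.1189: S 917277770:917277770(0) ack 2144028664 win 5840 (DF)
13:54:46.422961 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0
"""

# tcpdump 3.x TCP line: "<time> <src>.<sport> > <dst>.<dport>: <flags> ..."; ARP lines do not match.
LINE_RE = re.compile(
    r"^\S+ (?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+): (?P<flags>[SRPF.]+)"
)

def parse(text):
    """Return the TCP packets of a capture as dicts with src/sport/dst/dport/flags/ack."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["ack"] = " ack " in line
            pkts.append(pkt)
    return pkts

def diagnose(text):
    """Return (code, detail) findings that explain why a DNAT'd connection never completes."""
    pkts = parse(text)
    findings = []
    syn_dsts = {}  # (client, port) -> destinations its SYN was seen with, in capture order
    for p in pkts:
        if p["flags"] == "S" and not p["ack"]:
            dsts = syn_dsts.setdefault((p["src"], p["sport"]), [])
            if p["dst"] not in dsts:
                dsts.append(p["dst"])
    for (client, port), dsts in syn_dsts.items():
        if len(dsts) > 1:  # the same SYN logged before and after the PREROUTING DNAT
            findings.append(("dnat", f"{client}:{port} SYN rewritten {' -> '.join(dsts)}"))
    if syn_dsts and not any(p["flags"] == "S" and p["ack"] for p in pkts):
        findings.append(("no-reply", "no SYN-ACK crossed this host: the server answered the client directly"))
    for a, b in zip(pkts, pkts[1:]):
        # A SYN-ACK reset at once by its recipient: the client has a SYN_SENT socket towards the
        # address it connected to, not towards the real server. SNAT in POSTROUTING makes the
        # server reply to the NAT box instead, which then undoes the DNAT on the way back.
        if a["flags"] == "S" and a["ack"] and b["flags"] == "R" and (b["src"], b["dst"]) == (a["dst"], a["src"]):
            findings.append(("reply-reset", f"{b['src']} reset the SYN-ACK from {a['src']}"))
    return findings
```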
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12168021
please post result of:
  iptables -L -n -v -t nat && iptables -L -n -v -t mangle && iptables -L -n -v
0
 

Author Comment

by:joleger
ID: 12595298
my system = 10.100.100.99

This worked for me.
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
$ iptables -A PREROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j SNAT --to 10.100.100.99


I have since changed it to be interface-based as opposed to IP-based:
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
$ iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp -o eth0 --dport 80 -j SNAT --to 10.100.100.99

Thanks for all the replies
0
