?
Solved

http port forwarding from a specific maching?

Posted on 2004-09-07
6
Medium Priority
?
179 Views
Last Modified: 2010-04-22
Hello,

I am trying to configure my box to forward http requests from specific machines(ie 10.100.100.19) to another box running a webserver (ie10.100.100.25).

I am new to iptables but from what I have read, the following rules should work but I always get a timeout.  

Can anyone point out what I am doing wrong?

Thanks for help.

$ iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp --sport 80 -j SNAT --to 10.100.100.19
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
0
Comment
Question by:joleger
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 6

Expert Comment

by:bloemkool1980
ID: 11996857
I would add the forward rules first and then I would suggest you put the rule POSTROUTING before the one PREROUTING.
It seems that you start routing your traffic to 10.100.100.25 before it has been allowed on the machine 10.100.100.19.
And put a logging rules so you can at least see something.

0
 
LVL 6

Assisted Solution

by:bloemkool1980
bloemkool1980 earned 600 total points
ID: 11996893
iptables -A FORWARD -s 0.0.0.0/0 -d $IP_INTERNET -p tcp \
--destination-port 80 -j ACCEPT

iptables -t nat -A PREROUTING -d $IP_INTERNET -j DNAT \
--to-destination <local-ip-address>

iptables -t nat -A POSTROUTING -o $IFACE_INTERNET \
-s <local-ip-address> -j SNAT --to-source $IP_INTERNET

this should clear it up so assume INTERNET= 10.100.100.19 and Local = 10.100.100.25
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1400 total points
ID: 12000349
iptables -A PREROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j DNAT --to 10.100.100.25:80
# assuming that you still have propper rules in FORWARD chain
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 

Author Comment

by:joleger
ID: 12163805
Sorry for not getting back to this sooner. (was on vacation)

I still can't get it to work.  I have tried many variations of the comments above.

Goal: Have web requests coming from 10.100.100.19 destined to my box 10.100.100.2 redirected to 10.100.100.25

Here are the current rules I have added to 10.100.100.2

#  iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
#  iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
#  iptables -A PREROUTING -t nat -p tcp  --dport 80 -j DNAT --to 10.100.100.25:

Tcpdump from 10.100.100.2:

16:50:49.628042 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:49.628085 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:49.628416 arp who-has 10.100.100.19 tell 10.100.100.25
16:50:52.588893 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:52.588910 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:58.598427 10.100.100.19.1189 > 10.100.100.2.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
16:50:58.598444 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)


Tcpdump from 10.100.100.25:
(I know the date is wrong)
13:54:46.422461 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:46.422557 arp who-has 10.100.100.19 tell 10.100.100.25
13:54:46.422714 arp reply 10.100.100.19 is-at 0:10:a4:16:4a:57
13:54:46.422721 10.100.100.25.http > 10.100.100.19.1189: S 917277770:917277770(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:46.422961 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0
13:54:49.383291 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:49.383319 10.100.100.25.http > 10.100.100.19.1189: S 920238570:920238570(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:49.383541 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0
13:54:55.392906 10.100.100.19.1189 > 10.100.100.25.http: S 2144028663:2144028663(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
13:54:55.392926 10.100.100.25.http > 10.100.100.19.1189: S 926248180:926248180(0) ack 2144028664 win 5840 <mss 1460,nop,nop,sackOK> (DF)
13:54:55.393157 10.100.100.19.1189 > 10.100.100.25.http: R 2144028664:2144028664(0) win 0


Any more suggestions?  I have /proc/sys/net/ipv4/ip_forward set to 1.  
Do I have to set any rules on 10.100.100.25?  
Do I need a POSTROUTEING rule?

I need help.


0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 12168021
please post result of:
  iptables. -l -n -v -t nat && iptables. -l -n -v -t  mangle && iptables. -l -n -v
0
 

Author Comment

by:joleger
ID: 12595298
my system = 10.100.100.99

This worked for me.
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
$ iptables -A PREROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp -s 10.100.100.19 --dport 80 -j SNAT --to 10.100.100.99


I have since changed it to be interface based as opposed to ip based
$ iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
$ iptables -A FORWARD -p tcp --sport 80 -j ACCEPT
$ iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 10.100.100.25
$ iptables -A POSTROUTING -t nat -p tcp -o eth0 --dport 80 -j SNAT --to 10.100.100.99

Thanks for all the replies
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
Fine Tune your automatic Updates for Ubuntu / Debian
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses
Course of the Month11 days, 22 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question