Solved

iptables port forwarding issue

Posted on 2012-04-05
6
462 Views
Last Modified: 2012-04-07
Hello,
   I am up to a task that already gave me enough headache , so for this aspect of my problem I'll ask for your help.

I have an Ubuntu router with two network interfaces, eth1 goes to internet and behind eth0 I have some NAT-ed clients.
10.1.1.1 is the IP address of eth0
10.1.1.2 is another linux machine
In certain cases, I do a port forward for internal clients towards 10.1.1.2:
iptables -A PREROUTING -t nat -p tcp --dport 80 -s 10.1.1.5 -j DNAT --to-destination 10.1.1.2:80
Once the client (10.1.1.5 in this example) hits the web page at 10.1.1.2, there is a PHP script there that deletes the iptables rule from main router, so basically that page on 10.1.1.2 only gets hit once by 10.1.1.5's browser.

The issue:
All works well with one exception: if the client (10.1.1.5) is already browsing a domain, let's say his browser already displayed the main page of http://www.ubuntu.com, and I THEN apply the port forwarding rule, well, then there are two cases:
1. If he decides to try some other domain, then the port forward will get him correctly to 10.1.1.2:80
2. but if he clicks on something on that particular page that is already displayed, let's say he goes to  www.ubuntu.com/download, then he gets a 404 instead of being redirected to 10.1.1.2:80

I suspect this has something to do with cached routes and once the domain is resolved, the browser just tries to access the page at www.ubuntu.com/download without requesting a new route from his gateway (10.1.1.1)

Any tips?
0
Comment
Question by:kronostm
  • 2
  • 2
  • 2
6 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 37815148
> ... then he gets a 404 instead of being redirected to 10.1.1.2:80
404 is on the HTTP layer, so where does this redirect come from and where points it to?
the browser cache is not the problem as this is HTTP too, while your iptables work on layer 1, 2
0
 
LVL 40

Expert Comment

by:noci
ID: 37815225
The kernel tracks active connections [ otherwise it can't handle NAT and the reverse ].
You may want to read up on connection tracking.
0
 
LVL 14

Author Comment

by:kronostm
ID: 37815318
I am sorry for the trouble, I figured it out in the end :)

since the redirect is done by iptables at layer 1,2 as ahoffmann said, well ... then the browser thinks that he is on ubuntu.com and displays it in the bar, yet the 404 actually comes from my 10.1.1.2 machine not from ubuntu.com, and 10.1.1.2/download does not exists, that's why I'm getting a 404

a little .htaccess tweak solved the problem
0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 
LVL 40

Expert Comment

by:noci
ID: 37815539
So actualy ahoffman triggered [ started solving your query ]... and deserves some points.
Actualy deletion is not the way, point to you answer as the solution and ask for a hoffman to get at least part of the points...
0
 
LVL 14

Author Closing Comment

by:kronostm
ID: 37815560
done, yet I couldn't accept multiple due to pending delete request, so I accepted ahoffmann's solution.

thank you
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37819240
thanks to all :)
0

Featured Post

Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question