iptables port forwarding issue

Hello,
   I am up to a task that already gave me enough headache , so for this aspect of my problem I'll ask for your help.

I have an Ubuntu router with two network interfaces, eth1 goes to internet and behind eth0 I have some NAT-ed clients.
10.1.1.1 is the IP address of eth0
10.1.1.2 is another linux machine
In certain cases, I do a port forward for internal clients towards 10.1.1.2:
iptables -A PREROUTING -t nat -p tcp --dport 80 -s 10.1.1.5 -j DNAT --to-destination 10.1.1.2:80
Once the client (10.1.1.5 in this example) hits the web page at 10.1.1.2, there is a PHP script there that deletes the iptables rule from main router, so basically that page on 10.1.1.2 only gets hit once by 10.1.1.5's browser.

The issue:
All works well with one exception: if the client (10.1.1.5) is already browsing a domain, let's say his browser already displayed the main page of http://www.ubuntu.com, and I THEN apply the port forwarding rule, well, then there are two cases:
1. If he decides to try some other domain, then the port forward will get him correctly to 10.1.1.2:80
2. but if he clicks on something on that particular page that is already displayed, let's say he goes to  www.ubuntu.com/download, then he gets a 404 instead of being redirected to 10.1.1.2:80

I suspect this has something to do with cached routes and once the domain is resolved, the browser just tries to access the page at www.ubuntu.com/download without requesting a new route from his gateway (10.1.1.1)

Any tips?
LVL 14
Adrian DobrotaNetworking EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ahoffmannCommented:
> ... then he gets a 404 instead of being redirected to 10.1.1.2:80
404 is on the HTTP layer, so where does this redirect come from and where points it to?
the browser cache is not the problem as this is HTTP too, while your iptables work on layer 1, 2
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
nociSoftware EngineerCommented:
The kernel tracks active connections [ otherwise it can't handle NAT and the reverse ].
You may want to read up on connection tracking.
0
Adrian DobrotaNetworking EngineerAuthor Commented:
I am sorry for the trouble, I figured it out in the end :)

since the redirect is done by iptables at layer 1,2 as ahoffmann said, well ... then the browser thinks that he is on ubuntu.com and displays it in the bar, yet the 404 actually comes from my 10.1.1.2 machine not from ubuntu.com, and 10.1.1.2/download does not exists, that's why I'm getting a 404

a little .htaccess tweak solved the problem
0
Introduction to Web Design

Develop a strong foundation and understanding of web design by learning HTML, CSS, and additional tools to help you develop your own website.

nociSoftware EngineerCommented:
So actualy ahoffman triggered [ started solving your query ]... and deserves some points.
Actualy deletion is not the way, point to you answer as the solution and ask for a hoffman to get at least part of the points...
0
Adrian DobrotaNetworking EngineerAuthor Commented:
done, yet I couldn't accept multiple due to pending delete request, so I accepted ahoffmann's solution.

thank you
0
ahoffmannCommented:
thanks to all :)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Networking

From novice to tech pro — start learning today.