[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

iptables port forwarding issue

Posted on 2012-04-05
6
Medium Priority
?
474 Views
Last Modified: 2012-04-07
Hello,
   I am up to a task that already gave me enough headache , so for this aspect of my problem I'll ask for your help.

I have an Ubuntu router with two network interfaces, eth1 goes to internet and behind eth0 I have some NAT-ed clients.
10.1.1.1 is the IP address of eth0
10.1.1.2 is another linux machine
In certain cases, I do a port forward for internal clients towards 10.1.1.2:
iptables -A PREROUTING -t nat -p tcp --dport 80 -s 10.1.1.5 -j DNAT --to-destination 10.1.1.2:80
Once the client (10.1.1.5 in this example) hits the web page at 10.1.1.2, there is a PHP script there that deletes the iptables rule from main router, so basically that page on 10.1.1.2 only gets hit once by 10.1.1.5's browser.

The issue:
All works well with one exception: if the client (10.1.1.5) is already browsing a domain, let's say his browser already displayed the main page of http://www.ubuntu.com, and I THEN apply the port forwarding rule, well, then there are two cases:
1. If he decides to try some other domain, then the port forward will get him correctly to 10.1.1.2:80
2. but if he clicks on something on that particular page that is already displayed, let's say he goes to  www.ubuntu.com/download, then he gets a 404 instead of being redirected to 10.1.1.2:80

I suspect this has something to do with cached routes and once the domain is resolved, the browser just tries to access the page at www.ubuntu.com/download without requesting a new route from his gateway (10.1.1.1)

Any tips?
0
Comment
Question by:kronostm
  • 2
  • 2
  • 2
6 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 2000 total points
ID: 37815148
> ... then he gets a 404 instead of being redirected to 10.1.1.2:80
404 is on the HTTP layer, so where does this redirect come from and where points it to?
the browser cache is not the problem as this is HTTP too, while your iptables work on layer 1, 2
0
 
LVL 41

Expert Comment

by:noci
ID: 37815225
The kernel tracks active connections [ otherwise it can't handle NAT and the reverse ].
You may want to read up on connection tracking.
0
 
LVL 14

Author Comment

by:kronostm
ID: 37815318
I am sorry for the trouble, I figured it out in the end :)

since the redirect is done by iptables at layer 1,2 as ahoffmann said, well ... then the browser thinks that he is on ubuntu.com and displays it in the bar, yet the 404 actually comes from my 10.1.1.2 machine not from ubuntu.com, and 10.1.1.2/download does not exists, that's why I'm getting a 404

a little .htaccess tweak solved the problem
0
Get quick recovery of individual SharePoint items

Free tool – Veeam Explorer for Microsoft SharePoint, enables fast, easy restores of SharePoint sites, documents, libraries and lists — all with no agents to manage and no additional licenses to buy.

 
LVL 41

Expert Comment

by:noci
ID: 37815539
So actualy ahoffman triggered [ started solving your query ]... and deserves some points.
Actualy deletion is not the way, point to you answer as the solution and ask for a hoffman to get at least part of the points...
0
 
LVL 14

Author Closing Comment

by:kronostm
ID: 37815560
done, yet I couldn't accept multiple due to pending delete request, so I accepted ahoffmann's solution.

thank you
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37819240
thanks to all :)
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question