Solved

iptables port forwarding issue

Posted on 2012-04-05
6
456 Views
Last Modified: 2012-04-07
Hello,
   I am up to a task that already gave me enough headache , so for this aspect of my problem I'll ask for your help.

I have an Ubuntu router with two network interfaces, eth1 goes to internet and behind eth0 I have some NAT-ed clients.
10.1.1.1 is the IP address of eth0
10.1.1.2 is another linux machine
In certain cases, I do a port forward for internal clients towards 10.1.1.2:
iptables -A PREROUTING -t nat -p tcp --dport 80 -s 10.1.1.5 -j DNAT --to-destination 10.1.1.2:80
Once the client (10.1.1.5 in this example) hits the web page at 10.1.1.2, there is a PHP script there that deletes the iptables rule from main router, so basically that page on 10.1.1.2 only gets hit once by 10.1.1.5's browser.

The issue:
All works well with one exception: if the client (10.1.1.5) is already browsing a domain, let's say his browser already displayed the main page of http://www.ubuntu.com, and I THEN apply the port forwarding rule, well, then there are two cases:
1. If he decides to try some other domain, then the port forward will get him correctly to 10.1.1.2:80
2. but if he clicks on something on that particular page that is already displayed, let's say he goes to  www.ubuntu.com/download, then he gets a 404 instead of being redirected to 10.1.1.2:80

I suspect this has something to do with cached routes and once the domain is resolved, the browser just tries to access the page at www.ubuntu.com/download without requesting a new route from his gateway (10.1.1.1)

Any tips?
0
Comment
Question by:kronostm
  • 2
  • 2
  • 2
6 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 37815148
> ... then he gets a 404 instead of being redirected to 10.1.1.2:80
404 is on the HTTP layer, so where does this redirect come from and where points it to?
the browser cache is not the problem as this is HTTP too, while your iptables work on layer 1, 2
0
 
LVL 39

Expert Comment

by:noci
ID: 37815225
The kernel tracks active connections [ otherwise it can't handle NAT and the reverse ].
You may want to read up on connection tracking.
0
 
LVL 14

Author Comment

by:kronostm
ID: 37815318
I am sorry for the trouble, I figured it out in the end :)

since the redirect is done by iptables at layer 1,2 as ahoffmann said, well ... then the browser thinks that he is on ubuntu.com and displays it in the bar, yet the 404 actually comes from my 10.1.1.2 machine not from ubuntu.com, and 10.1.1.2/download does not exists, that's why I'm getting a 404

a little .htaccess tweak solved the problem
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 39

Expert Comment

by:noci
ID: 37815539
So actualy ahoffman triggered [ started solving your query ]... and deserves some points.
Actualy deletion is not the way, point to you answer as the solution and ask for a hoffman to get at least part of the points...
0
 
LVL 14

Author Closing Comment

by:kronostm
ID: 37815560
done, yet I couldn't accept multiple due to pending delete request, so I accepted ahoffmann's solution.

thank you
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37819240
thanks to all :)
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now