?
Solved

iptables port forwarding issue

Posted on 2012-04-05
6
Medium Priority
?
471 Views
Last Modified: 2012-04-07
Hello,
   I am up to a task that already gave me enough headache , so for this aspect of my problem I'll ask for your help.

I have an Ubuntu router with two network interfaces, eth1 goes to internet and behind eth0 I have some NAT-ed clients.
10.1.1.1 is the IP address of eth0
10.1.1.2 is another linux machine
In certain cases, I do a port forward for internal clients towards 10.1.1.2:
iptables -A PREROUTING -t nat -p tcp --dport 80 -s 10.1.1.5 -j DNAT --to-destination 10.1.1.2:80
Once the client (10.1.1.5 in this example) hits the web page at 10.1.1.2, there is a PHP script there that deletes the iptables rule from main router, so basically that page on 10.1.1.2 only gets hit once by 10.1.1.5's browser.

The issue:
All works well with one exception: if the client (10.1.1.5) is already browsing a domain, let's say his browser already displayed the main page of http://www.ubuntu.com, and I THEN apply the port forwarding rule, well, then there are two cases:
1. If he decides to try some other domain, then the port forward will get him correctly to 10.1.1.2:80
2. but if he clicks on something on that particular page that is already displayed, let's say he goes to  www.ubuntu.com/download, then he gets a 404 instead of being redirected to 10.1.1.2:80

I suspect this has something to do with cached routes and once the domain is resolved, the browser just tries to access the page at www.ubuntu.com/download without requesting a new route from his gateway (10.1.1.1)

Any tips?
0
Comment
Question by:kronostm
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 2000 total points
ID: 37815148
> ... then he gets a 404 instead of being redirected to 10.1.1.2:80
404 is on the HTTP layer, so where does this redirect come from and where points it to?
the browser cache is not the problem as this is HTTP too, while your iptables work on layer 1, 2
0
 
LVL 40

Expert Comment

by:noci
ID: 37815225
The kernel tracks active connections [ otherwise it can't handle NAT and the reverse ].
You may want to read up on connection tracking.
0
 
LVL 14

Author Comment

by:kronostm
ID: 37815318
I am sorry for the trouble, I figured it out in the end :)

since the redirect is done by iptables at layer 1,2 as ahoffmann said, well ... then the browser thinks that he is on ubuntu.com and displays it in the bar, yet the 404 actually comes from my 10.1.1.2 machine not from ubuntu.com, and 10.1.1.2/download does not exists, that's why I'm getting a 404

a little .htaccess tweak solved the problem
0
Why Off-Site Backups Are The Only Way To Go

You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.

 
LVL 40

Expert Comment

by:noci
ID: 37815539
So actualy ahoffman triggered [ started solving your query ]... and deserves some points.
Actualy deletion is not the way, point to you answer as the solution and ask for a hoffman to get at least part of the points...
0
 
LVL 14

Author Closing Comment

by:kronostm
ID: 37815560
done, yet I couldn't accept multiple due to pending delete request, so I accepted ahoffmann's solution.

thank you
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 37819240
thanks to all :)
0

Featured Post

Optimum High-Definition Video Viewing and Control

The ATEN VM0404HA 4x4 4K HDMI Matrix Switch supports 4K resolutions of UHD (3840 x 2160) and DCI (4096 x 2160) with refresh rates of 30 Hz (4:4:4) and 60 Hz (4:2:0). It is ideal for applications where the routing of 4K digital signals is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question