sivaatluri

asked on

IPTables

I have Apache running on port 81 (Server A) & I had configured rule to allow traffic on port 8089 [Server A] to forward traffic to port 80 [httpd running on Server B]

When the IPtables status is ON, It's not allowing any traffic to any of the ports.

But when I stop Iptables (service iptables stop) it's accepting incoming connections & forward rule is also working fine.

How to make these work even running iptables?  &  I have the below configuration in Iptables,

[root@ip-192-168-0-9 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:8089 to:192.168.1.125:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere


Also it would be helpful if someone can help me understand the below rules, like what happens, and do we really need the second command for the 1st one to be successful.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8089 -j DNAT --to-destination 192.168.1.125:80
iptables -t nat  -A POSTROUTING -j MASQUERADE
arnold

What is it you want to achieve.
once you stop iptables, no rules within it apply.

you are missing the input rule to allow port 8089  to enter.
iptables -t nat -A INPUT -i eth0 -p tcp --dport 8089 -j DNAT --to-destination 192.168.1.125:80

Not sure where your port 81 reference is coming from or where it applies.

You of course could setup apache on server A to function as a proxy as well.
Please run this command and post results:
{ set -x;for i in filter nat mangle raw;do iptables -t $i -n -v --line-numbers -L;done;set +x; }
ip route list
I am rather surprised that forwarding appears to work when you turn off iptables.
I have to disagree with arnold's suggestion: the nat table does not have an INPUT chain according to man iptables.
Make sure that the FORWARD chain in the input table has policy ACCEPT. (The first command above will verify this).
To explain the rules you asked about:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8089 -j DNAT --to-destination 192.168.1.125:80

1. iptables -t nat

Operate on the NAT (Network Address Translation) table

2. -A PREROUTING

Add this rule to the PREROUTING chain (so it is actioned before the destination interface is decided)

3. -i eth0

Act only on packets arriving on interface eth0

4. -p tcp

Act only on packets with IP protocol tcp

5. --dport 8089

Act only on packets with destination port 8089

6. -j DNAT --to-destination 192.168.1.125:80

Jump to the built-in DNAT chain, which is to modify the destination of the packet to be address 192.168.1.125 and port 80

In summary, this rule redirects incoming packets from the Internet (or whatever eth0 is) targeting port 8089 to be sent to the server running on 192.168.1.125 that is listening on port 80.
We need to take action to ensure that packets sent in response end up being sent back to the originating entity. Rule 2 does some of that:
iptables -t nat  -A POSTROUTING -j MASQUERADE

1. iptables -t nat

Operate on the NAT (Network Address Translation) table

2. -A POSTROUTING

Add this rule to the POSTROUTING chain (so it is actioned after the destination interface is decided)

3. -j MASQUERADE

Jump to the built-in MASQUERADE chain (which makes the output interface leave the source address of the packet as it was, rather than setting it to its own address)

That means the server on 192.168.1.125 will see each packet coming from the originating internet address, which is what you want so the server will try to send replies back there.
But, and this could well be your problem, you do not want to apply that rule to your internet-facing interface, eth0. Otherwise packets will leave your system with a source address of 192.168.1.125, not what you want. So that rule should include -o eth1 (or whatever interface you use to get to 192.168.1.125).

Change that rule and see if it helps.
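As an added example (not part of the thread, and not code from either expert), here is a small audit that reads an iptables-save dump on stdin and reports the two gaps discussed in the answer above: a POSTROUTING MASQUERADE/SNAT rule with no -o restriction, and a DNAT target that no FORWARD ACCEPT rule admits. The two embedded dumps are constructed: the first mirrors the asker's two rules on top of a stock RHEL-style filter table, the second is the same forward with the rules restricted.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump for the gaps
# discussed above. Reads the dump on stdin, prints one line per finding, exits 1
# when anything is found and 0 when the dump is clean.
audit_nat_rules() {
    awk '
    # Source NAT in POSTROUTING without -o is applied on every outgoing interface,
    # including the one towards the internal server, which then sees the gateway
    # as the source of every forwarded connection.
    /^-A POSTROUTING / && /-j (MASQUERADE|SNAT)/ && !/ -o / {
        print "finding: source NAT not restricted to an interface: " $0; bad++
    }
    # Remember every DNAT target so the FORWARD chain can be checked against it.
    /^-A PREROUTING / && /-j DNAT/ {
        for (i = 1; i <= NF; i++) if ($i == "--to-destination") dnat[$(i+1)] = $0
    }
    # Collect the FORWARD rules that accept traffic; a DNATed packet must pass
    # this chain (not INPUT) with its destination already rewritten.
    /^-A FORWARD / && /-j ACCEPT/ { fwd = fwd "\n" $0 }
    /^:FORWARD ACCEPT/ { print "note: FORWARD policy is ACCEPT; explicit rules are preferable" }
    END {
        for (t in dnat) {
            split(t, hp, ":")
            if (index(fwd, "-d " hp[1]) == 0) {
                print "finding: DNAT to " t " has no FORWARD ACCEPT rule for " hp[1] ": " dnat[t]; bad++
            }
        }
        exit (bad > 0)
    }'
}

# Constructed dump: the two rules from the question on top of a stock filter
# table whose FORWARD chain ends in the usual REJECT rule.
BROKEN_DUMP=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8089 -j DNAT --to-destination 192.168.1.125:80
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
)

# Constructed dump: same forward, NAT restricted with -o and the flow admitted
# explicitly in FORWARD (eth1 as the interface towards 192.168.1.125 is assumed).
FIXED_DUMP=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8089 -j DNAT --to-destination 192.168.1.125:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -d 192.168.1.125/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
)

# Run against the constructed dump; on a live box use: iptables-save | audit_nat_rules
if printf '%s\n' "$BROKEN_DUMP" | audit_nat_rules; then
    echo "clean"
else
    echo "findings above"
fi
```

Feed a real system with iptables-save | audit_nat_rules; the exit status makes it usable from a cron or CI check.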
ASKER CERTIFIED SOLUTION
arnold
Sorry I had MASQUERADE round the wrong way: it alters packets leaving the interface to have their source address changed to that of the interface. So you want it on the internet-facing (eth0) interface and not eth1.
So change the second rule you asked about to
iptables -t nat  -A POSTROUTING -o eth0 -j MASQUERADE
By the way, MASQUERADE is intended for interfaces with a dynamically acquired IP address. If eth0 has a fixed address, you should use SNAT. man iptables-extensions explains it this way:
It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target.  Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down.  This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway).
If it still won't work for you, please post output from commands as I requested in http:#a40921358
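As an added example (not part of the thread, and not either expert's code), the script below builds the complete rule set the answers converge on, using the question's interface, port and address values: ip_forward enabled, the DNAT in nat/PREROUTING, explicit filter/FORWARD rules for the rewritten flow and its replies instead of an open chain policy, and source NAT restricted with -o to the internet-facing interface, choosing SNAT over MASQUERADE when a static address is given. eth1 as the interface towards 192.168.1.125 and 203.0.113.10 as a static eth0 address are assumptions. It defaults to a dry run that prints the commands; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults to printing the commands;
# set DRY_RUN=0 (as root) to execute them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage: port_forward_rules WAN_IF LAN_IF PUBLIC_PORT TARGET_IP TARGET_PORT [WAN_STATIC_IP]
port_forward_rules() {
    wan_if=$1 lan_if=$2 pub_port=$3 tgt_ip=$4 tgt_port=$5 wan_ip=$6

    # 1. Routing between interfaces must be on, or DNATed packets are dropped.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Rewrite the destination as the packet arrives (the asker's first rule).
    run iptables -t nat -A PREROUTING -i "$wan_if" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$tgt_ip:$tgt_port"

    # 3. A DNATed packet traverses filter/FORWARD, not INPUT, and by then its
    #    destination is already the target. Admit only this flow and its replies
    #    rather than setting the whole chain to ACCEPT.
    run iptables -A FORWARD -i "$wan_if" -o "$lan_if" -p tcp -d "$tgt_ip" --dport "$tgt_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$lan_if" -o "$wan_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. Source NAT only on the internet-facing interface (-o), so packets towards
    #    the LAN keep the client's source address; conntrack un-DNATs the replies,
    #    which works only if the target routes them back through this host.
    #    SNAT for a static address, MASQUERADE otherwise (man iptables-extensions).
    if [ -n "$wan_ip" ]; then
        run iptables -t nat -A POSTROUTING -o "$wan_if" -j SNAT --to-source "$wan_ip"
    else
        run iptables -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE
    fi
}

# Dry-run plan for the thread's values (203.0.113.10 is a constructed WAN address).
port_forward_rules eth0 eth1 8089 192.168.1.125 80 203.0.113.10
```

Leaving out the last argument switches step 4 to MASQUERADE, which is the right choice only when eth0 gets its address dynamically, as the quoted man page says.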