IPTables

I have Apache running on port 81 (Server A) & I had configured a rule to allow traffic on port 8089 [Server A] to be forwarded to port 80 [httpd running on Server B].

When the iptables status is ON, it's not allowing any traffic to any of the ports.

But when I stop iptables (service iptables stop) it's accepting incoming connections & the forward rule is also working fine.

How do I make these work even while running iptables? I have the below configuration in iptables:

[root@ip-192-168-0-9 ~]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:8089 to:192.168.1.125:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere


Also it would be helpful if someone can help me understand the below rules, like what happens, and whether we really need the second command for the first one to be successful.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8089 -j DNAT --to-destination 192.168.1.125:80
iptables -t nat  -A POSTROUTING -j MASQUERADE
sivaatluri Asked:

arnold Commented:
What is it you want to achieve?
Once you stop iptables, no rules within it apply.

You are missing the INPUT rule to allow port 8089 to enter.
iptables -t nat -A INPUT -i eth0 -p tcp --dport 8089 -j DNAT --to-destination 192.168.1.125:80

Not sure where your port 81 reference is coming from or where it applies.

You of course could setup apache on server A to function as a proxy as well.
Duncan Roe, Software Developer, Commented:
Please run this command and post results:
{ set -x;for i in filter nat mangle raw;do iptables -t $i -n -v --line-numbers -L;done;set +x; }
ip route list
I am rather surprised that forwarding appears to work when you turn off iptables.
I have to disagree with arnold's suggestion: the nat table does not have an INPUT chain according to man iptables.
Make sure that the FORWARD chain in the input table has policy ACCEPT. (The first command above will verify this).
To explain the rules you asked about:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8089 -j DNAT --to-destination 192.168.1.125:80

1. iptables -t nat

Operate on the NAT (Network Address Translation) table

2. -A PREROUTING

Add this rule to the PREROUTING chain (so it is actioned before the destination interface is decided)

3. -i eth0

Act only on packets arriving on interface eth0

4. -p tcp

Act only on packets with IP protocol tcp

5. --dport 8089

Act only on packets with destination port 8089

6. -j DNAT --to-destination 192.168.1.125:80

Jump to the built-in DNAT chain, which is to modify the destination of the packet to be address 192.168.1.125 and port 80.

In summary, this rule redirects incoming packets from the Internet (or whatever eth0 is) targeting port 8089 to be sent to the server running on 192.168.1.125 that is listening on port 80.
We need to take action to ensure that packets sent in response end up being sent back to the originating entity. Rule 2 does some of that:
iptables -t nat  -A POSTROUTING -j MASQUERADE

1. iptables -t nat

Operate on the NAT (Network Address Translation) table

2. -A POSTROUTING

Add this rule to the POSTROUTING chain (so it is actioned after the destination interface is decided)

3. -j MASQUERADE

Jump to the built-in MASQUERADE chain (which makes the output interface leave the source address of the packet as it was, rather than setting it to its own address).

That means the server on 192.168.1.125 will see each packet coming from the originating internet address, which is what you want so the server will try to send replies back there.
But, and this could well be your problem, you do not want to apply that rule to your internet-facing interface, eth0. Otherwise packets will leave your system with a source address of 192.168.1.125, not what you want. So that rule should include -o eth1 (or whatever interface you use to get to 192.168.1.125).

Change that rule and see if it helps.
arnold Commented:
My typo, the INPUT is on the FILTER side.
I.e. before you can preroute, the packet has to be allowed into the iptables structure.

iptables -t filter -A INPUT -i eth0 -p tcp --dport 8089 -j ACCEPT

The strange thing is that you reference port 81, but nowhere in your example is port 81 mentioned in any of the rules you posted.

It is simpler to manage by using ipchains.

i.e. create a FW_incoming chain and add it to the INPUT and PREROUTING tables.
This way you will only need to add a rule once to the chain and it will apply to both.
If you need outgoing, add a FW_outgoing chain to the POSTROUTING.

In your case it seems that you are setting up rules on the system rather than on a device that functions as a router,
though the diversion for requests to A to be forwarded to B complicates the environment unnecessarily.

In a case where you want server A to function as a proxy, it might be a more straightforward setup to configure the Apache service on server A to proxy certain requests to server B, such that all external requests come to server A and it goes out when necessary to get data from server B and present it. Simply redirecting packets as you have would inevitably lead to a situation where that portion of the config is forgotten, missed and ... running around trying to determine what and where the issue is caused.

Duncan Roe, Software Developer, Commented:
Sorry I had MASQUERADE round the wrong way: it alters packets leaving the interface to have their source address changed to that of the interface. So you want it on the internet-facing (eth0) interface and not eth1.
So change the second rule you asked about to
iptables -t nat  -A POSTROUTING -o eth0 -j MASQUERADE
By the way, MASQUERADE is intended for interfaces with a dynamically acquired IP address. If eth0 has a fixed address, you should use SNAT. man iptables-extensions explains it this way:
It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target.  Masquerading is equivalent to specifying a mapping to the IP address of the interface the packet is going out, but also has the effect that connections are forgotten when the interface goes down.  This is the correct behavior when the next dialup is unlikely to have the same interface address (and hence any established connections are lost anyway).
If it still won't work for you, please post output from commands as I requested in http:#a40921358
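A complete port-forward setup for Server A that combines the two nat rules explained in the earlier comment with the filter-side FORWARD rules they depend on, plus the SNAT-versus-MASQUERADE choice from the man page excerpt above. This is an added example, not code from the thread; it assumes eth0 is the public interface, eth1 reaches Server B, and Server B does not already route its replies through Server A.

```shell
#!/bin/sh
# Added example (not from the thread): forward TCP 8089 on Server A's public
# interface to httpd on Server B (192.168.1.125:80) behind Server A's LAN
# interface. Assumes Server B does NOT route its replies via Server A by
# default, so the LAN-side source NAT is what brings them back through A.
# Set IPT=echo SYSCTL=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF="${WAN_IF:-eth0}"          # Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"          # interface that reaches Server B
LAN_IP="${LAN_IP:-}"              # static address on LAN_IF; empty -> MASQUERADE
PUBLIC_PORT="${PUBLIC_PORT:-8089}"
BACKEND="${BACKEND:-192.168.1.125}"
BACKEND_PORT="${BACKEND_PORT:-80}"

apply_port_forward() {
    # Without routing enabled the FORWARD chain is never consulted.
    $SYSCTL -w net.ipv4.ip_forward=1

    # nat/PREROUTING: rewrite the destination before the routing decision
    # (the question's first rule, limited to the public interface).
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUBLIC_PORT" \
        -j DNAT --to-destination "$BACKEND:$BACKEND_PORT"

    # filter/FORWARD: a DNATed packet is routed through, not delivered
    # locally, so INPUT never sees it. Permit only this flow and its replies
    # rather than setting the whole chain to ACCEPT.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$BACKEND" \
        --dport "$BACKEND_PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp -s "$BACKEND" \
        --sport "$BACKEND_PORT" -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # nat/POSTROUTING: source-NAT only on the interface facing B (never on
    # the public one, or packets leave with B's private address). With a
    # static LAN address SNAT is preferred; MASQUERADE is for dynamic ones.
    if [ -n "$LAN_IP" ]; then
        $IPT -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$BACKEND" \
            --dport "$BACKEND_PORT" -j SNAT --to-source "$LAN_IP"
    else
        $IPT -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$BACKEND" \
            --dport "$BACKEND_PORT" -j MASQUERADE
    fi
}

if [ "${1:-}" = apply ]; then
    apply_port_forward
fi
```

Run `IPT=echo SYSCTL=echo sh forward.sh apply` first to review the exact rules, then without the overrides as root; a distribution default FORWARD chain ending in a REJECT rule still needs these ACCEPT rules inserted above it.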