stfaprc (Programmer)
11 Oct 07 18:14
Running RH FC4.
I want to redirect requests to local port 8080 to another server's port 80 (which is working). I tried:
 echo 1 > /proc/sys/net/ipv4/ip_forward

 /sbin/iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 192.168.1.53:80

 /sbin/iptables -t nat -A PREROUTING -p tcp --dport 8080 -j LOG --log-prefix "PREROUTING: " --log-tcp-options --log-ip-options

-----
When I try accessing 8080 with a browser, nothing seems to happen and eventually the browser times out.
The only lines showing in the messages log on the server are:
Oct 11 15:01:02 ls2 kernel: Removing netfilter NETLINK layer.
Oct 11 15:01:03 ls2 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Oct 11 15:01:03 ls2 kernel: Netfilter messages via NETLINK v0.30.
Oct 11 15:01:03 ls2 kernel: ip_conntrack version 2.4 (1920 buckets, 15360 max) - 224 bytes per conntrack
-----
Questions: what is the proper syntax for redirecting to the other server?

 I may not know the interface number at all times - How can I get iptables to listen for a specific local IP address?

 How can I have the log entries go to a file other than the "messages" log file?

Thanks.
zeland (IS/IT--Management)
11 Oct 07 19:38
Your PREROUTING syntax seems a bit vague. It should be more like:

CODE

iptables -A PREROUTING -t nat -i EXT_IF -p tcp -d EXT_IP --dport 80 -j DNAT --to-destination 192.168.1.53:80
EXT_IF = Incoming interface
EXT_IP = Router IP

Once we have changed the information for the incoming packet, we need to allow it through

CODE

iptables -A FORWARD -i EXT_IF -p tcp -d 192.168.1.53 --dport 80 -j ACCEPT

--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--
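The two rules above, plus the pieces the first post was missing, as one dry-run script. This is an added example, not zeland's or stfaprc's code: it prints the iptables commands by default and only runs them when APPLY=1 is set as root. EXT_IF, EXT_IP, LISTEN_PORT, TARGET_IP/TARGET_PORT and the "FWD-DNAT: " log prefix are assumed names for illustration; the values in the final call are constructed (only 192.168.1.53:80 comes from the thread). It also shows why the original LOG rule produced nothing: the nat table is consulted only for a connection's first packet, and DNAT is a terminating target, so a LOG rule appended after it in nat/PREROUTING is never reached; the FORWARD chain of the filter table sees every forwarded packet and is where logging belongs. Unlike a proxy, DNAT leaves the client's source address on the packet, so the target must route its replies back through this box (typically by using it as its default gateway); the optional SNAT step handles the case where it cannot, at the cost of the target seeing EXT_IP as the client.

```shell
#!/bin/sh
# Added example (not from the thread): build the iptables ruleset for forwarding a
# local port to another host. Prints the commands unless APPLY=1 is set.
# Assumed names: EXT_IF/EXT_IP (interface and address clients connect to),
# LISTEN_PORT (8080 in the thread), TARGET_IP/TARGET_PORT (192.168.1.53:80 in the thread).

# Print a command, or execute it when APPLY is set.
run() {
  if [ -n "$APPLY" ]; then "$@"; else echo "$@"; fi
}

# Emit the rules for EXT_IP:LISTEN_PORT -> TARGET_IP:TARGET_PORT.
# Arguments: EXT_IF EXT_IP LISTEN_PORT TARGET_IP TARGET_PORT
dnat_forward_rules() {
  ext_if=$1; ext_ip=$2; lport=$3; tip=$4; tport=$5

  # Forwarding between interfaces must be on, or the rewritten packet is dropped.
  run sysctl -w net.ipv4.ip_forward=1

  # 1. nat/PREROUTING rewrites the destination of each new connection's first packet.
  run /sbin/iptables -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$ext_ip" \
    --dport "$lport" -j DNAT --to-destination "$tip:$tport"

  # 2. Log in filter/FORWARD, not nat/PREROUTING: the nat table is consulted only
  #    for a connection's first packet, and DNAT is a terminating target, so a LOG
  #    rule appended after it in the same nat chain is never reached.
  run /sbin/iptables -A FORWARD -i "$ext_if" -p tcp -d "$tip" --dport "$tport" \
    -m state --state NEW -j LOG --log-prefix "FWD-DNAT: "

  # 3. Accept the rewritten packets and the replies coming back.
  run /sbin/iptables -A FORWARD -i "$ext_if" -p tcp -d "$tip" --dport "$tport" -j ACCEPT
  run /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # 4. Only when the target cannot route replies back through this box: SNAT so the
  #    replies return here. The target's logs then show EXT_IP instead of the real
  #    client, so prefer making this box the target's gateway and leave this unset.
  if [ -n "$SNAT_REPLIES" ]; then
    run /sbin/iptables -t nat -A POSTROUTING -p tcp -d "$tip" --dport "$tport" \
      -j SNAT --to-source "$ext_ip"
  fi
}

# Dry run with constructed values (only the target 192.168.1.53:80 is from the thread).
dnat_forward_rules eth0 10.10.10.11 8080 192.168.1.53 80
```

Run it as is to review the rules, then `APPLY=1 sh forward.sh` as root to install them; `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` show the packet counters, which is the quickest check that the DNAT rule is actually matching.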

stfaprc (Programmer)
12 Oct 07 13:03
Can I use an ip address instead of "-i EXT_IF" ?

So to do this redirection I need to have 3 iptables commands?
 PREROUTING -p tcp --dport 8080 -j DNAT --to 192.168.1.53:80

 PREROUTING -p tcp --dport 8080 -j LOG --log-prefix "PREROUTING: " --log-tcp-options --log-ip-options

 FORWARD -p tcp -d 192.168.1.53 --dport 80 -j ACCEPT

zeland (IS/IT--Management)
12 Oct 07 19:57

Quote:
Can I use an ip address instead of "-i EXT_IF" ?

No, -i must be an interface name, i.e. eth0, eth1.

Quote:
So to do this redirection I need to have 3 iptable commands

Technically you only need 2. I'm not sure you can have logging at the PRE/POSTROUTING sections. You could, however, log it at the FORWARD section.

--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--
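The third question of the first post, getting the firewall entries out of the messages file, is not answered above, so here is an added example (not code from the thread) for the review side: it pulls LOG lines carrying a given prefix out of a syslog file into their own file and summarizes source address, destination and port. The log lines are constructed to follow the kernel's LOG format (SRC=, DST=, DPT= fields), with made-up hosts and addresses; the "FWD-DNAT: " prefix is an assumed name. To have syslog itself do the split: classic syslogd cannot match on message text, so the usual route is `--log-level debug` on the LOG rule and a `kern.=debug /var/log/iptables.log` line in /etc/syslog.conf; rsyslog can match the prefix directly with `:msg, contains, "FWD-DNAT: " /var/log/iptables.log`.

```shell
#!/bin/sh
# Added example (not from the thread): split iptables LOG lines out of a syslog
# file by their --log-prefix and summarize them. "FWD-DNAT: " is an assumed prefix.

# Write constructed sample syslog lines to $1 (addresses and hosts are made up;
# the FWD-DNAT lines follow the kernel's LOG output format).
make_sample_messages() {
  cat > "$1" <<'EOF'
Oct 11 15:01:03 ls2 kernel: ip_conntrack version 2.4 (1920 buckets, 15360 max) - 224 bytes per conntrack
Oct 11 15:02:10 ls2 kernel: FWD-DNAT: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.53 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 11 15:02:11 ls2 sshd[2201]: Accepted publickey for admin from 203.0.113.9 port 40122 ssh2
Oct 11 15:03:42 ls2 kernel: FWD-DNAT: IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=192.168.1.53 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=2 DF PROTO=TCP SPT=33010 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

# Copy lines from $1 whose kernel message starts with prefix $2 into $3;
# print the number of lines written. Fixed-string match, so "." in the
# prefix is not a wildcard and other kernel chatter is left behind.
extract_fw_log() {
  src=$1; prefix=$2; dst=$3
  grep -F "kernel: $prefix" "$src" > "$dst" || true
  wc -l < "$dst" | tr -d ' '
}

# Print "SRC DST DPT" for each extracted line, one connection per line.
summarize_fw_log() {
  awk '{
    src = ""; dst = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/) src = substr($i, 5)
      else if ($i ~ /^DST=/) dst = substr($i, 5)
      else if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    if (src != "") print src, dst, dpt
  }' "$1"
}

# Stand-alone demo on the constructed sample.
demo() {
  d=$(mktemp -d)
  make_sample_messages "$d/messages"
  n=$(extract_fw_log "$d/messages" "FWD-DNAT: " "$d/iptables.log")
  echo "extracted $n firewall lines:"
  summarize_fw_log "$d/iptables.log"
  rm -rf "$d"
}

demo
```

Against a real system the same two functions run as `extract_fw_log /var/log/messages "FWD-DNAT: " /var/log/iptables.log`; the summary is the quick answer to "who is reaching the forwarded port", which is what the FORWARD-chain log is for.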

stfaprc (Programmer)
14 Oct 07 17:49
Hmm, then it seems that I am going about this the wrong way.

Situation:
we are using simpleproxy to redirect ports on specific ip address to another pc
(ie: simpleproxy -L 10.10.10.11:80 -R 192.168.1.58:80 -d)

It works fine, except that the target server sees the requests as coming from 10.10.10.11 and puts that in the web logs, whereas we want to see the real originating address (i.e. 255.001.001.257) in the web logs of the target server.


zeland (IS/IT--Management)
14 Oct 07 20:35

Quote:
...we want to see the real originating address

That is not possible. By the nature of their design, proxies (as opposed to routers) don't forward the original connection request but instead initiate a separate connection to the destination, retrieving related information and storing it in their cache, hence the name proxy.

--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--
