  1. #1

    iptables http forwarding


    I have a Fedora Core 6 server with 3 NICs installed as follows

    eth0 - Network = 192.168.1.0/24 IP=192.168.1.155
    eth1 - Network = 172.31.10.0/26 IP=172.31.10.20
    eth2 - Network = 172.31.10.128/26 IP=172.31.10.150

    I need requests from the clients on the 192.168.1.0/24 network to access the web server at 172.31.10.136 by using the URL http://192.168.1.155

    So far I have iptables configured to allow HTTP requests to be forwarded to the web server, but they are not being routed back, and I appear to have been going round in circles, so I need some help/advice.

    My iptables file is very basic and is as follows:

    Code:
    # Generated by iptables-save v1.3.5 on Mon Apr 21 16:51:24 2008
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A INPUT -i eth2 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A FORWARD -i eth0 -o eth2 -p tcp --dport 80 -j ACCEPT
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :dmz - [0:0]
    -A PREROUTING -i eth0 -j dmz
    -A PREROUTING -d 192.168.1.155 -j dmz
    -A OUTPUT -d 192.168.1.155 -j dmz
    -A dmz -p tcp --dport 80 -j DNAT --to-destination 172.31.10.136:80
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -s 172.31.10.128/26 -d 192.168.1.0/24 -j SNAT --to-source 192.168.1.155
    COMMIT
    Using tcpdump on interface eth2, data can be seen passing through the interface to the web server:

    Code:
    # tcpdump -i 3 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
    19:41:22.535251 IP <SERVER_FQDN>.beacon-port-2 > 172.31.10.136.http: S 102350687:102350687(0)
    win 65535 <mss 1460,nop,nop,sackOK>
    However, it is not being routed back, as indicated in /proc/net/ip_conntrack:

    Code:
    tcp      6 111 SYN_SENT src=192.168.1.112 dst=192.168.1.155 sport=4405 dport=80 packets=1 
    bytes=48 [UNREPLIED] src=172.31.10.136 dst=192.168.1.112 sport=80 dport=4405 packets=0 bytes=0 
    mark=0 secmark=0 use=1
    Any clues/solutions to this problem are most welcome.
    Happy to supply further info if needed.
    Thanks.

  2. #2
    Resolved: the POSTROUTING MASQUERADE needs to be on eth2, not eth0.

    Amend the POSTROUTING line as follows

    Code:
    -A POSTROUTING -o eth2 -j MASQUERADE

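The ruleset below is an added example assembled by the editor, not the thread's own file: it is the original post's configuration with reply #2's fix applied, written out in iptables-save format so it can be loaded with `iptables-restore`. It differs from the thread in three places that the thread does not discuss: the source rewrite is limited to the DNATed web flow instead of masquerading everything that leaves eth2, the PREROUTING redirect is limited to packets actually addressed to 192.168.1.155:80 (the original `-A PREROUTING -i eth0 -j dmz` rule sends every port-80 packet from the LAN, whatever its destination, to the DMZ web server), and the FORWARD policy is DROP with explicit accepts. Interface names, addresses and ports are the ones given in the thread.

```conf
# Added example (not the thread's file): corrected ruleset for the 3-NIC
# Fedora box described above. Load with: iptables-restore < thisfile
# Interfaces/addresses as given in the thread:
#   eth0 192.168.1.155  (LAN clients, 192.168.1.0/24)
#   eth2 172.31.10.150  (DMZ, 172.31.10.128/26; web server 172.31.10.136)
*filter
:INPUT ACCEPT [0:0]
# Tighter than the thread's ACCEPT: only listed traffic is forwarded.
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Replies from the web server and any related traffic come back through here.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# The filter table sees the post-DNAT destination, so match 172.31.10.136 here.
-A FORWARD -i eth0 -o eth2 -d 172.31.10.136 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only packets addressed to the firewall's LAN address on port 80 are redirected.
-A PREROUTING -i eth0 -d 192.168.1.155 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.31.10.136:80
# Reply #2's fix, narrowed to the DNATed flow: rewrite the source to the
# firewall's eth2 address so the web server answers the firewall directly,
# regardless of the web server's own default gateway.
-A POSTROUTING -o eth2 -d 172.31.10.136 -p tcp -m tcp --dport 80 -j SNAT --to-source 172.31.10.150
COMMIT
```

Forwarding must be enabled (`net.ipv4.ip_forward = 1`; the tcpdump output in the question shows it already is). After loading, a client connection should appear in /proc/net/ip_conntrack as `ESTABLISHED` ... `[ASSURED]` rather than `SYN_SENT` ... `[UNREPLIED]`, with the reply tuple showing src=172.31.10.136 dst=172.31.10.150. The trade-off of this fix is that the web server's logs will show 172.31.10.150 as the client for every LAN request; if real client addresses are needed, leave the source unrewritten and instead give the web server a route to 192.168.1.0/24 via 172.31.10.150 so that its replies traverse the firewall, which is what the original post's SNAT rule for 172.31.10.128/26 appears to have been aimed at.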