- 07-31-2008 #1
iptables ports forwarding on eth0:1
hi,
I have access to an external device's web page on 127.0.0.1:10080 (this is done by a tunnel between this device and my computer using ssh) and it's working properly.
I've created a virtual interface eth0:1 by configuring the /etc/network/interfaces file (address: 192.168.1.3).
I would like to access the web page by using the 192.168.1.3:80 address.
This is the script I've made:
Code:
#!/bin/sh
# flush all rules in the nat table
iptables -t nat -F
# nat configuration
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.3 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.3 -p tcp --dport 80 -j DNAT --to 127.0.0.1:10080
But it's not working, can somebody help me?
Thanks.
- 08-01-2008 #2
OK, your interface is not eth0 but eth0:1.
- 08-01-2008 #3
- 08-01-2008 #4
OK, you should be using REDIRECT instead of DNAT.
REDIRECT is used for packets that stay on the system.
DNAT is used for packets that are passing through the system.
Code:
REDIRECT target
The REDIRECT target is used to redirect packets and streams to the machine itself. This means that we could for example REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid, on our own host. Locally generated packets are mapped to the 127.0.0.1 address. In other words, this rewrites the destination address to our own host for packets that are forwarded, or something alike. The REDIRECT target is extremely good to use when we want, for example, transparent proxying, where the LAN hosts do not know about the proxy at all.
Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. It is also valid within user-defined chains that are only called from those chains, and nowhere else. The REDIRECT target takes only one option, as described below.
More information can be found at http://iptables-tutorial.frozentux.n...-tutorial.html
Code:
DNAT target
The DNAT target is used to do Destination Network Address Translation, which means that it is used to rewrite the Destination IP address of a packet. If a packet is matched, and this is the target of the rule, the packet, and all subsequent packets in the same stream will be translated, and then routed on to the correct device, host or network. This target can be extremely useful, for example, when you have a host running your web server inside a LAN, but no real IP to give it that will work on the Internet. You could then tell the firewall to forward all packets going to its own HTTP port, on to the real web server within the LAN. We may also specify a whole range of destination IP addresses, and the DNAT mechanism will choose the destination IP address at random for each stream. Hence, we will be able to deal with a kind of load balancing by doing this.
Note that the DNAT target is only available within the PREROUTING and OUTPUT chains in the nat table, and any of the chains called upon from any of those listed chains.
Note that chains containing DNAT targets may not be used from any other chains, such as the POSTROUTING chain.
- 08-04-2008 #5
Thank you so much Mr Lazydog

It works with that code:
Code:
#!/bin/sh
# flush all rules in the nat table
iptables -t nat -F
# nat configuration
iptables -t nat -A OUTPUT -d 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 10080
iptables -t nat -A PREROUTING -d 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 10080
I hope my thread will help somebody else...
Sincerely.
- 08-04-2008 #6
Glad I could help.
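
Added example, not part of the original thread: a simplified Python model of where a packet for 192.168.1.3:80 ends up under the DNAT rule from post #1 and the REDIRECT rules from post #5, and whether a listener bound to 127.0.0.1:10080 accepts it. `ETH0_PRIMARY`, the `Packet` class and all function names are assumptions made for the illustration; the model covers only the address rewrite, the loopback (martian) check and the socket lookup.

```python
from dataclasses import dataclass, replace

LOOPBACK = "127.0.0.1"
ALIAS = "192.168.1.3"          # eth0:1 address from the thread
ETH0_PRIMARY = "192.168.1.2"   # assumption: eth0's primary address is not stated in the thread
TUNNEL = [(LOOPBACK, 10080)]   # ssh tunnel endpoint, listening on loopback only

@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    local: bool  # True: generated on this host (OUTPUT); False: arrived on eth0 (PREROUTING)

def nat(pkt, target):
    """Apply a rule matching 192.168.1.3:80 in the chain this packet traverses."""
    if (pkt.dst, pkt.dport) != (ALIAS, 80):
        return pkt
    if target == "DNAT":       # -j DNAT --to 127.0.0.1:10080
        return replace(pkt, dst=LOOPBACK, dport=10080)
    if target == "REDIRECT":   # -j REDIRECT --to-ports 10080
        # Locally generated packets are mapped to 127.0.0.1; packets from the
        # wire are mapped to the primary address of the incoming interface.
        return replace(pkt, dst=LOOPBACK if pkt.local else ETH0_PRIMARY, dport=10080)
    raise ValueError(target)

def deliver(pkt, listeners, route_localnet=False):
    """Routing decision and socket lookup after NAT; returns a verdict string."""
    # A loopback destination on a packet that came in on eth0 is a martian and
    # is dropped unless net.ipv4.conf.eth0.route_localnet=1 (off by default).
    if pkt.dst.startswith("127.") and not pkt.local and not route_localnet:
        return "dropped: martian destination"
    for addr, port in listeners:
        if port == pkt.dport and addr in ("0.0.0.0", pkt.dst):
            return "accepted"
    return "refused: no listener on %s:%d" % (pkt.dst, pkt.dport)

def outcome(local, target, listeners=TUNNEL, route_localnet=False):
    return deliver(nat(Packet(ALIAS, 80, local), target), listeners, route_localnet)

if __name__ == "__main__":
    print("LAN client, PREROUTING DNAT     :", outcome(False, "DNAT"))
    print("LAN client, PREROUTING REDIRECT :", outcome(False, "REDIRECT"))
    print("local client, OUTPUT REDIRECT   :", outcome(True, "REDIRECT"))
    print("LAN client, REDIRECT, 0.0.0.0   :",
          outcome(False, "REDIRECT", [("0.0.0.0", 10080)]))
```

In this model only the OUTPUT rule reaches a loopback-only tunnel; serving LAN clients needs the listener bound to a non-loopback address or route_localnet enabled. Either change exposes the device's web page to every host that can reach 192.168.1.3, so restrict the rule with a source match (`-s`) to the clients that need it.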


