  1. #1
    Just Joined!
    Join Date
    Jul 2008
    Posts
    5

    iptables ports forwarding on eth0:1


    hi,

    I have access to an external device's web page on 127.0.0.1:10080 (this is done by a tunnel between this device and my computer using ssh) and it's working correctly.

    I've created a virtual interface eth0:1 by configuring the /etc/network/interfaces file (address: 192.168.1.3).

    I would like to access the web page by using the 192.168.1.3:80 address.
    This is the script I've made:
    Code:
    #!/bin/sh
    # clear routes
    iptables -t nat -F
    # nat configuration
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.3 -j MASQUERADE 
    iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.3 -p tcp --dport 80 -j DNAT --to 127.0.0.1:10080
    But it's not working. Can somebody help me?
    Thanks.

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    OK, your interface is not eth0 but eth0:1.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Jul 2008
    Posts
    5
    Quote Originally Posted by Lazydog View Post
    OK, your interface is not eth0 but eth0:1.
    I cannot directly write -o eth0:1 in the iptables command, there is a warning:
    Warning: weird character in interface 'eth0:1' (No alias, ! or *).
    Therefore I use -o eth0 and -s IP_OF_ETH0:1
    But it still doesn't work...

    Thanks for the reply.

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Quote Originally Posted by foundouck View Post
    Code:
    #!/bin/sh
    # clear routes
    iptables -t nat -F
    # nat configuration
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.3 -j MASQUERADE 
    iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.3 -p tcp --dport 80 -j DNAT --to 127.0.0.1:10080
    OK, you should be using REDIRECT instead of DNAT.
    REDIRECT is used for packets that stay on the system.
    DNAT is used for packets that are passing through the system.

    Code:
    REDIRECT target
    
    The REDIRECT target is used to redirect packets and streams to the 
    machine itself. This means that we could for example REDIRECT all packets 
    destined for the HTTP ports to an HTTP proxy like squid, on our own host. 
    Locally generated packets are mapped to the 127.0.0.1 address. In other 
    words, this rewrites the destination address to our own host for packets 
    that are forwarded, or something alike. The REDIRECT target is extremely 
    good to use when we want, for example, transparent proxying, where the 
    LAN hosts do not know about the proxy at all.     
    
        Note that the REDIRECT target is only valid within the PREROUTING and 
    OUTPUT chains of the nat table. It is also valid within user-defined chains 
    that are only called from those chains, and nowhere else. The REDIRECT 
    target takes only one option, as described below.
    Code:
    DNAT target
    
        The DNAT target is used to do Destination Network Address Translation, 
    which means that it is used to rewrite the Destination IP address of a 
    packet. If a packet is matched, and this is the target of the rule, the 
    packet, and all subsequent packets in the same stream will be translated, 
    and then routed on to the correct device, host or network. This target can 
    be extremely useful, for example, when you have a host running your web 
    server inside a LAN, but no real IP to give it that will work on the Internet. 
    You could then tell the firewall to forward all packets going to its own HTTP 
    port, on to the real web server within the LAN. We may also specify a 
    whole range of destination IP addresses, and the DNAT mechanism will 
    choose the destination IP address at random for each stream. Hence, we 
    will be able to deal with a kind of load balancing by doing this.     
    
        Note that the DNAT target is only available within the PREROUTING and 
    OUTPUT chains in the nat table, and any of the chains called upon from any 
    of those listed chains. Note that chains containing DNAT targets may not 
    be used from any other chains, such as the POSTROUTING chain.
    More information can be found at http://iptables-tutorial.frozentux.n...-tutorial.html

    Regards
    Robert


  5. #5
    Just Joined!
    Join Date
    Jul 2008
    Posts
    5

    Thumbs up

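    Thank you so much, Mr Lazydog.
    It works with this code:
    Code:
    #!/bin/sh
    # flush every rule in the nat table (this also removes unrelated NAT rules)
    iptables -t nat -F
    # locally generated connections to 192.168.1.3:80 -> local port 10080
    iptables -t nat -A OUTPUT -d 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 10080
    # connections arriving from the network for 192.168.1.3:80 -> local port 10080
    iptables -t nat -A PREROUTING -d 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 10080
    I hope my thread will help somebody else...
    Sincerely.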
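
An added example, not part of the original posts: REDIRECT in the OUTPUT chain rewrites the destination to 127.0.0.1, while in PREROUTING it rewrites it to the primary address of the incoming interface, so which of the two rules above can reach the tunnel depends on the address the listener on port 10080 is bound to. The sketch below classifies that bind address from `ss -ltn` output and prints a rule set that uses a dedicated chain instead of flushing the whole nat table; the chain name `WEBFWD` and the sample `ss` output are constructed for illustration, while `eth0`, 192.168.1.3 and port 10080 are taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. REDIRECT picks the new destination per chain:
#   nat OUTPUT     -> 127.0.0.1 (locally generated packets)
#   nat PREROUTING -> primary address of the interface the packet arrived on
# so a listener bound only to loopback is reachable through OUTPUT alone.

# listener_scope PORT: reads `ss -ltn` output on stdin and prints
# wildcard | specific | loopback | none for the listener(s) on PORT.
listener_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") loop = 1
            else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") wild = 1
            else spec = 1
        }
        END {
            if (wild) print "wildcard"
            else if (spec) print "specific"
            else if (loop) print "loopback"
            else print "none"
        }'
}

# plan_rules SCOPE: prints (does not run) the rules that can reach the listener.
# WEBFWD is a hypothetical chain name; flushing it leaves other nat rules alone.
plan_rules() {
    [ "$1" = none ] && return 1
    echo "iptables -t nat -N WEBFWD"
    echo "iptables -t nat -F WEBFWD"
    echo "iptables -t nat -A WEBFWD -d 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 10080"
    # OUTPUT rewrites to 127.0.0.1, which a single non-loopback bind does not accept
    [ "$1" = specific ] || echo "iptables -t nat -A OUTPUT -j WEBFWD"
    # PREROUTING rewrites to eth0's primary address, which a loopback bind does not accept
    [ "$1" = loopback ] || echo "iptables -t nat -A PREROUTING -i eth0 -j WEBFWD"
}

# Constructed sample of `ss -ltn` output: tunnel listener bound to loopback only
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:10080    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

scope=$(printf '%s\n' "$SAMPLE" | listener_scope 10080)
echo "listener scope: $scope"
plan_rules "$scope"
```

When the result is `wildcard`, the tunnel is also directly reachable on port 10080 from every interface, so filter that port if only 192.168.1.3:80 is meant to be exposed.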

  6. #6
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Glad I could help.

    Regards
    Robert

