  1. #1
    Just Joined!
    Join Date
    May 2009
    Posts
    11

    routing traffic with iptables


    Dear,

    I want to forward webtraffic to a server to another server depending on the port used.

    I'll explain what I want to do.

    we have several customers who are running a server from us.
    Because they have dynamic IPs and use NAT, we have set up reverse ssh tunnels to one internal server (with IP 10.0.0.1) in our network. So we have tunnels like:

    127.0.0.1 port 2001 is customer 1
    127.0.0.1 port 2002 is customer 2
    127.0.0.1 port 2003 is customer 3
    etc......

    Now I've setup a second tunnel for http

    127.0.0.1 port 8001 is customer 1 (http)
    127.0.0.1 port 8002 is customer 2 (http)
    etc....

    When I telnet to 127.0.0.1 8001 I can connect to the remote webserver.
    So far so good.

    Now I want to be able to surf to 10.0.0.1:8001 and be forwarded to customer 1 port 8001
    to support the server.

    I know it should work with one or two iptables rules but I'm stuck.
    Who can help me?

    thank you,
    P.

  2. #2
    Just Joined!
    Join Date
    May 2009
    Posts
    8
    I think you want a DNAT rule. DNAT alters the packet's destination before the routing table sees it.

    On your server (10.0.0.1) add a rule for traffic flowing to 8001 and redirect it to customer1:8001

    $ iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8001 -d 10.0.0.1 --to-destination customer1:8001

    I'm pretty sure this will work, otherwise maybe an SNAT rule will work.

  3. #3
    Just Joined!
    Join Date
    May 2009
    Posts
    11
    Thanks for your reply kazzmir,

    I tried your suggestion with

    $ iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8001 -d 10.0.0.1 --to-destination 127.0.0.1:8001

    The tunnel to 10.0.0.1 8001 is working properly, because if I telnet to 127.0.0.1 8001 on 10.0.0.1 I'm on the remote webserver.
    But surfing to 10.0.0.1:8000 just waits endlessly...

    Using SNAT generated an error:
    iptables v1.3.6: Unknown arg `--to-destination'
    Try `iptables -h' or 'iptables --help' for more information.

    Any other suggestions?

    Thank you,
    P.

  4. #4
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Since you are looking to use the 127.0.0.1 you might want to try to REDIRECT the packets.
    I think this is what you need to use and not DNAT.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

  5. #5
    Just Joined!
    Join Date
    May 2009
    Posts
    8
    The rule you added is only for port 8001. If you want to forward port 8000 then you need an additional rule for that port.

    $ iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8000 -d 10.0.0.1 --to-destination 127.0.0.1:8000

    But probably you should use the REDIRECT rule as lazydog says. It accomplishes the same thing but probably more efficiently.

    (just a wild guess here)
    $ iptables -t nat -A PREROUTING -p tcp --dport 8001 -s 10.0.0.1 -j REDIRECT --to-ports 8001

  6. #6
    Just Joined!
    Join Date
    May 2009
    Posts
    11
    @lazydog

    I tried:
    iptables -t nat -A PREROUTING -p tcp --dport 8001 -j REDIRECT --to-ports 8000

    but the server seems not to be listening on tcp/8001


    @kazzmir

    sorry, a typo. should be:
    "But surfing to 10.0.0.1:8001 just waits endlessly..."
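
    An added example (not code from the thread): it generates the one-rule-per-port DNAT rules kazzmir describes in #5, and it implements the check behind the "seems not to be listening on tcp/8001" observation above by reading the bind address of a port out of `ss -ltn` output. The sample `ss` output is constructed, and the server address 10.0.0.1 and the 800N tunnel ports are taken from the thread. A listener bound to 127.0.0.1 only (the default for an ssh `-R` forward) will not receive packets that arrived on another interface and were DNATed to 127.0.0.1; on Linux 3.6 and later the per-interface sysctl net.ipv4.conf.<iface>.route_localnet has to be enabled for that, and on older kernels the practical fix is to bind the tunnel endpoint to 10.0.0.1 instead (sshd `GatewayPorts` plus a bind address in the `-R` option). The script only prints the rules; nothing here touches a live firewall.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates per-port DNAT rules
# and classifies how a port is bound, using `ss -ltn` output passed as text so
# it runs without root or a live system.
# Assumptions (from the thread): shell server is 10.0.0.1, reverse tunnels
# listen on 127.0.0.1:800N.

SERVER_IP="10.0.0.1"

# dnat_rule PORT -> prints the PREROUTING DNAT rule for one forwarded port.
dnat_rule() {
  printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination 127.0.0.1:%s\n' \
    "$SERVER_IP" "$1" "$1"
}

# dnat_rules FIRST LAST -> one rule per customer port in the inclusive range
# (each forwarded port needs its own rule, as noted in #5).
dnat_rules() {
  p="$1"
  while [ "$p" -le "$2" ]; do
    dnat_rule "$p"
    p=$((p + 1))
  done
}

# listener_bind PORT SS_OUTPUT -> prints the local address a TCP listener on
# PORT is bound to ("127.0.0.1", "0.0.0.0", "*", ...) or "none" if nothing
# listens there. SS_OUTPUT is the text of `ss -ltn` (State ... Local Address:Port).
listener_bind() {
  port="$1"
  printf '%s\n' "$2" | awk -v port="$port" '
    $1 == "LISTEN" {
      n = split($4, a, ":")
      if (a[n] == port) { sub(":" port "$", "", $4); print $4; found = 1; exit }
    }
    END { if (!found) print "none" }'
}

# diagnose PORT SS_OUTPUT -> "not-listening", "loopback-only" or "reachable".
# "loopback-only" is the case that makes a DNAT to 127.0.0.1 hang on older kernels.
diagnose() {
  case "$(listener_bind "$1" "$2")" in
    none)          echo "not-listening" ;;
    127.0.0.1|::1) echo "loopback-only" ;;
    *)             echo "reachable" ;;
  esac
}

# Constructed sample of `ss -ltn` output: 8001 is a loopback-only tunnel
# endpoint, 8002 is bound on all interfaces, 8003 has no listener at all.
SS_SAMPLE='State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    127.0.0.1:8001      *:*
LISTEN     0      128    *:22                *:*
LISTEN     0      128    0.0.0.0:8002        *:*'

# Demonstration on the constructed sample (printed, not applied).
dnat_rules 8001 8003
for p in 8001 8002 8003; do
  echo "port $p: $(diagnose "$p" "$SS_SAMPLE")"
done
```

    On a real box, replace the sample with `$(ss -ltn)` and run `diagnose 8001` before adding any rule: if it reports loopback-only, a DNAT to 127.0.0.1 alone will not make 10.0.0.1:8001 answer, and rebinding the tunnel is the simpler fix.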

  7. #7
    Just Joined!
    Join Date
    May 2009
    Posts
    8
    I'm confused now. So the 10.0.0.1 box is the same box that has the ssh tunnels, right? 127.0.0.1 on that box is just localhost so if port 8001 is open then it should be accessible from 127.0.0.1:8001 and 10.0.0.1:8001.

    Does the box you surf from route through the 10.0.0.1 box?

  8. #8
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by polloxx
    @lazydog

    I tried:
    iptables -t nat -A PREROUTING -p tcp --dport 8001 -j REDIRECT --to-ports 8000

    but the server seems not to be listening on tcp/8001


    @kazzmir

    sorry, a typo. should be:
    "But surfing to 10.0.0.1:8001 just waits endlessly..."
    Leave the '--to-ports' off. The only time you need to add the port is when you are changing the port. In this case you are not doing any port changing.

    I believe you are more confused about what you want to do than you think.

    Regards
    Robert

    Linux
    The adventure of a lifetime.

    Linux User #296285
    Get Counted

  9. #9
    Just Joined!
    Join Date
    May 2009
    Posts
    11
    @lazydog: might be.

    I've made a little drawing to make it clear.

    This is what I want to establish: imagebin.ca/viewT6EX_v4.html

    No. 1 is the tunnel from the customer server to our shell server. (btw: this part works)
    No. 2 is the connection back to the customer server over http
    from my client browser. For that part I need iptables (I think)

  10. #10
    Just Joined!
    Join Date
    May 2009
    Posts
    11
    imagebin.ca/view/T6EX_v4.html
