routing traffic with iptables

[polloxx]

Dear,

I want to forward webtraffic to a server to another server depending on the port used.

I'll explain what I want to do.

we have several customers who are a running a server from us.
Because they have dynamic IP's and using NAT we have setup reverse ssh tunnels to one internal server (with IP 10.0.0.1) in our netwerk. So we have tunnels like:

127.0.0.1 port 2001 is customer 1
127.0.0.1 port 2002 is customer 2
127.0.0.1 port 2003 is customer 3
etc......

Now I've setup a second tunnel for http

127.0.0.1 port 8001 is customer 1 (http)
127.0.0.1 port 8002 is customer 2 (http)
etc....

When I telnet to 127.0.0.1 8001 I can connect to the remote webserver.
So far so good.

Now I want to be able to surf to 10.0.0.1:8001 and being forwarded to customer 1 port 8001
to support the server.

I know it should work with one or two iptables rules but I'm stuck.
Who can help me?

thank you,
P.

[kazzmir]

I think you want a DNAT rule. DNAT alters the packets destination before the routing table sees it.

On your server (10.0.0.1) add a rule for traffic flowing to 8001 and redirect it to customer1:8001

$ iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8001 -d 10.0.0.1 --to-destination customer1:8001

I'm pretty sure this will work, otherwise maybe an SNAT rule will work.

[polloxx]

thx for your reply kazzmir,

I tried your suggestion with

$ iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8001 -d 10.0.0.1 --to-destination 127.0.0.1:8001

The tunnel to 10.0.0.1 8001 is working properly, because if I telnet to 127.0.0.1 8001 on 10.0.0.1 I'm on the remote webserver.
But surfing to 10.0.0.1:8000 just waits endless...

Using SNAT generated an error:
iptables v1.3.6: Unknown arg `--to-destination'
Try `iptables -h' or 'iptables --help' for more information.

Any other suggestions?

Thank you,
P.

[Lazydog]

Since you are looking to use the 127.0.0.1 you might want to try to REDIRECT the packets.
I think this is what you need to use and not DNAT.

[kazzmir]

The rule you added is only for port 8001. If you want to forward port 8000 then you need an additional rule for that port.

$ iptables -t nat -A PREROUTING -j DNAT -p tcp --dport 8000 -d 10.0.0.1 --to-destination 127.0.0.1:8000

But probably you should use the REDIRECT rule as lazydog says. It accomplishes the same thing but probably more efficiently.

(just a wild guess here)
$ iptables -t nat -A PREROUTING -p tcp --dport 8001 -s 10.0.0.1 -j REDIRECT --to-ports 8001

[polloxx]

@lazydog

I tried:
iptables -t nat -A PREROUTING -p tcp --dport 8001 -j REDIRECT --to-ports 8000

but the server seem not to listing on tcp/8001


@kazzmir

sorry, a typo. should be:
"But surfing to 10.0.0.1:8001 just waits endless..."

[kazzmir]

I'm confused now. So the 10.0.0.1 box is the same box that has the ssh tunnels, right? 127.0.0.1 on that box is just localhost so if port 8001 is open then it should be accessible from 127.0.0.1:8001 and 10.0.0.1:8001.

Does the box you surf from route through the 10.0.0.1 box?

[Lazydog]

@lazydog

I tried:
iptables -t nat -A PREROUTING -p tcp --dport 8001 -j REDIRECT --to-ports 8000

but the server seem not to listing on tcp/8001


@kazzmir

sorry, a typo. should be:
"But surfing to 10.0.0.1:8001 just waits endless..."

Leave the '-to-port' off. Only time you need to add the port is when you are changing the port. In this case you are not doing any port changing.

I believe you are more confused about what you want to do then you think.

[polloxx]

@ lazydog: might be.

I've made a little drawing to make it clear.

This is what I want to establish: imagebin.ca/viewT6EX_v4.html

no 1 is the tunnel from the customer server to our shell server. (btw: this part works)
no 2 is the connect back to customer server on http
from my client-browser. For that part I need iptables (I think)

[polloxx]

imagebin.ca/view/T6EX_v4.html