How to DNAT with iptables

#1 - Just Joined! (joined Nov 2011, 3 posts)

    When x.x.x.x makes a request on port 80 to y.y.y.y I would like the request to be redirected to z.z.z.z:80. I'm trying to do this with iptables under CentOS 6. It might be worth mentioning that to prove the concept x.x.x.x and y.y.y.y are currently in the same local network, but later I'll be trying to do this over a VPN with x.x.x.x on one side of the VPN and y.y.y.y on the other. z.z.z.z is an external IP.

    Before creating any rules, when I go to y.y.y.y:80 from x.x.x.x I can connect to the http server running on y.y.y.y.

    I think I've established that I need to create a DNAT rule. I've done this as follows:
    Code:
    iptables -t nat -A PREROUTING -p tcp -s x.x.x.x -d y.y.y.y --dport 80 -j DNAT --to-destination z.z.z.z:80
    When trying to connect to y.y.y.y the connection times out. I realised ip forwarding was disabled, so issued:
    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    This then stops the timeout but still doesn't connect to the http server on z.z.z.z.

    Someone suggested that I need to create an SNAT rule because x.x.x.x and y.y.y.y are currently on the same network. I'm not sure if I've done this correctly or not:
    Code:
    iptables -A POSTROUTING -t nat -s x.x.x.0/24 -o eth0 -j SNAT --to-source x.x.x.x
    If anyone has a suggestion on how I can get this working I'd really appreciate their help.

    Thanks,

    James

#2 - scathefire, Linux Enthusiast (Western Kentucky, joined Jan 2010, 626 posts)
    Unless the machines are physically connected to the firewall/router, as in transparent mode, they won't get filtered. I'm gonna go out on a limb and assume this is the default gateway. And since they are on the same network, they won't reach the gateway, since the ARPs are going to be local.

    So really the only way to make it work is to ensure it is setup like this:
    Code:
                                      xxxx
                                        |
                                        |
                                   firewall/gateway ------ zzzz
                                        |
                                        |
                                      yyyy
    Is this how it's set up?
    linux user # 503963

#3 - Just Joined! (joined Nov 2011, 3 posts)
    Thanks very much for coming back to me, I'm tearing my hair out here! Layout is as follows:

    Code:
    xxxx------
                |-------router-----INTERNET------zzzz
    yyyy------
    z.z.z.z is a public IP. x.x.x.x and y.y.y.y are both internal addresses behind a router. In order to gain some further understanding I've tried a couple of different things:

    Port redirection using DNAT
    I tried flushing and setting the rule on y.y.y.y to:
    Code:
    iptables -t nat -A PREROUTING -p tcp --dport 8000 -j DNAT --to-destination y.y.y.y:80
    which works fine when connecting from x.x.x.x or from z.z.z.z (using the external IP of the router + port forwarding 8000)


    Changing destination to an internal address rather than external
    I've also tried flushing and setting the rule on y.y.y.y to:
    Code:
    iptables -t nat -A PREROUTING -p tcp --dport 8000 -j DNAT --to-destination x.x.x.x:80
    connecting from z.z.z.z which doesn't work.


    It seems I just can't get it to forward the packets on to different ips.

#4 - scathefire, Linux Enthusiast (Western Kentucky, joined Jan 2010, 626 posts)
    As far as getting z.z.z.z to talk back, in your second section, do you have a masquerade rule? To make all your outbound traffic appear to be coming from one IP?

    Code:
    iptables -t nat -A POSTROUTING -o $outside_interface -j MASQUERADE
    You'll also need a rule to write the original packet back. Since you are expecting a packet on port 8000, you need a rule to return your port 80 traffic back to that. Maybe something like:

    Code:
    iptables -t nat -A PREROUTING -i $internal_interface -p tcp --sport 80 -j REDIRECT --to-ports 8000
    Or something similar to that. PREROUTING rules are applied before POSTROUTING, remember that.
    linux user # 503963

#5 - Just Joined! (joined Nov 2011, 3 posts)
    Wow, you're an absolute star, I can't thank you enough.

    I didn't seem to need that last redirect rule. To clarify for anyone viewing this thread, my rules are

    Code:
    iptables -t nat -A PREROUTING -p tcp --dport 8000 -j DNAT --to z.z.z.z:80
    iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    The things this has accomplished are:

    • a request from x.x.x.x to y.y.y.y:8000 results in a connection to z.z.z.z:80
    • a request from anywhere to the external address of the router on port 8000 goes to y.y.y.y:8000 by using port forwarding, and then y.y.y.y returns the page from z.z.z.z:80


    It's absolutely brilliant news, thank you so much for your time!

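Pulling the thread together, as an added example that is not code from the thread or from any of its posters: the two rules from post #5 written out as an iptables-restore ruleset that can be reviewed before it is loaded, together with the pieces the thread leaves implicit (ip_forward set from the same script, FORWARD-chain rules for a host whose filter table does not accept forwarded traffic, and a verification step). All addresses are assumed placeholders: 192.168.1.0/24 stands for x.x.x.0/24, 203.0.113.10 (a TEST-NET-3 documentation address) for z.z.z.z, 8000 and wlan0 are the port and interface from post #5. Two points the thread only implies. First, the DNAT rule in post #5 has no source restriction, so anyone who can reach y.y.y.y:8000 is relayed to z.z.z.z:80; post #5 relies on exactly that for the router port-forward, but it is a choice, so the script scopes the relay to ALLOWED_SRC and you set ALLOWED_SRC=0.0.0.0/0 only if you want the open behaviour. Second, the MASQUERADE is what makes z.z.z.z answer back to y.y.y.y: without it the forwarded SYN leaves with x.x.x.x as its source, the reply comes back to x.x.x.x without passing through y.y.y.y, and the client sees a reply for a connection it never opened, which is the usual reason an attempt like the one in post #1 still fails after ip_forward is enabled. Conntrack un-DNATs the reply packets by itself, so the REDIRECT --sport 80 rule floated in post #4 is not needed, which matches what post #5 found.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the DNAT+MASQUERADE
# redirect from post #5 as an iptables-restore ruleset, applies it with the
# sysctl and FORWARD rules it depends on, and shows how to verify it.
# Placeholders (assumed, not from the thread; override via the environment):
#   ALLOWED_SRC  x.x.x.0/24, the network allowed to use the relay
#   TARGET_IP    z.z.z.z, the external web server (TEST-NET-3 address here)
#   LISTEN_PORT  the port on y.y.y.y that is redirected (8000 in post #5)
#   OUT_IF       y.y.y.y's interface towards z.z.z.z (wlan0 in post #5)
: "${ALLOWED_SRC:=192.168.1.0/24}"
: "${TARGET_IP:=203.0.113.10}"
: "${TARGET_PORT:=80}"
: "${LISTEN_PORT:=8000}"
: "${OUT_IF:=wlan0}"

# Print the rules in iptables-restore format so they can be reviewed and
# loaded atomically. Set ALLOWED_SRC=0.0.0.0/0 to reproduce post #5 exactly
# (relay for anyone who can reach y.y.y.y:LISTEN_PORT, including traffic
# arriving through the router's port-forward).
build_ruleset() {
    cat <<EOF
*nat
# nat sees only the first packet of a connection; conntrack reverses the
# mapping on every reply, so no REDIRECT --sport rule is needed
-A PREROUTING -p tcp -s ${ALLOWED_SRC} --dport ${LISTEN_PORT} -j DNAT --to-destination ${TARGET_IP}:${TARGET_PORT}
# source becomes y.y.y.y's own address on ${OUT_IF}, so z.z.z.z answers to
# y.y.y.y and not directly to the original client
-A POSTROUTING -s ${ALLOWED_SRC} -d ${TARGET_IP} -o ${OUT_IF} -j MASQUERADE
COMMIT
*filter
# inserted at the top because a stock CentOS 6 ruleset ends FORWARD with
# a REJECT; the filter table already sees the rewritten destination
-I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-I FORWARD 2 -p tcp -s ${ALLOWED_SRC} -d ${TARGET_IP} --dport ${TARGET_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Load the ruleset on top of what is already present (no flush) after
# enabling forwarding. To persist on CentOS 6: "service iptables save" and
# "net.ipv4.ip_forward = 1" in /etc/sysctl.conf.
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_ruleset | iptables-restore --noflush
}

# The packet counters on the DNAT and FORWARD rules climb when a client
# connects, and the conntrack entry shows the original tuple next to the
# rewritten one (the reply direction has y.y.y.y and z.z.z.z as endpoints).
verify_redirect() {
    iptables -t nat -L PREROUTING -n -v --line-numbers
    iptables -L FORWARD -n -v --line-numbers
    grep "dport=${TARGET_PORT} " /proc/net/nf_conntrack 2>/dev/null || true
}

case "${1:-show}" in
    show)   build_ruleset ;;
    apply)  apply_ruleset ;;
    verify) verify_redirect ;;
    *)      echo "usage: $0 {show|apply|verify}" >&2; exit 2 ;;
esac
```

Run it as `sh redirect.sh show` to read the generated rules, then as root `sh redirect.sh apply` on y.y.y.y, make a request to y.y.y.y:8000 from a host in ALLOWED_SRC and run `sh redirect.sh verify` to confirm the counters moved and the conntrack entry shows both tuples. If the request hangs rather than being refused, check ip_forward first (`sysctl net.ipv4.ip_forward`), which is the first thing post #1 tripped over.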