Forward packets with iptables

savona · 10-24-2011, 03:43 PM

I am looking to forward packets to a proxy server from a machine that does not have access to the proxy. The proxy operates on port 80.

If you look at my rather crude drawing below you will see the basic setup of my network. I need machine #2 to forward all packets on port 80 and port 443 coming from machine 1 to proxy:80.

Obviously I also need that packets to make it back to machine #1.

Anyway I can do this with IPTABLES? Any help would be greatly appreciated.

lqman · 10-25-2011, 03:45 AM

Yes, you can do it with iptables.

Use iptables to setting up port-forwarding on machine#2 to forward all tcp request (dst-port 80 & 443) originate from machine#1 to proxy:80

savona · 10-25-2011, 07:17 AM

Quote:

Originally Posted by lqman

Yes, you can do it with iptables.

Use iptables to setting up port-forwarding on machine#2 to forward all tcp request (dst-port 80 & 443) originate from machine#1 to proxy:80

Thanks but how can I do that?

simonmcnair · 10-27-2011, 03:46 AM

you could try this, modified to suit your needs. It works on mine, but then I'm not trying to tunnel IPSEC so your mileage may vary.

iptables --append FORWARD --in-interface br0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.10.10.1

simonmcnair · 10-27-2011, 03:49 AM

and don't forget
sysctl -w net.ipv4.ip_forward=1

/etc/sysctl.conf:
net.ipv4.ip_forward = 1

simonmcnair · 10-27-2011, 03:55 AM

ooooh, I forgot. I posted about an online iptables generator the other day :-)

https://plus.google.com/100303566317...ts/MwzeZbpHzci

Simon

lqman · 10-27-2011, 11:00 PM

I assume your ip sec tun interface is tun0.

iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j DNAT --to 192.168.1.12:80
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

and as simonmcnair said, don't forget to set ip_forwarding
sysctl -w net.ipv4.ip_forward=1

lqman · 10-28-2011, 12:37 AM

I assume your ip sec tun interface is tun0.

iptables -t nat -A PREROUTING -i tun0 -s 10.0.0.6 -p tcp --dport 80 -j DNAT --to 192.168.1.12:80
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

and as simonmcnair said, don't forget to set ip_forwarding
sysctl -w net.ipv4.ip_forward=1

fhleung · 10-31-2011, 03:52 AM

Hi folks,

I got similar question and hope to get feedback. I had no proxy box but instead was router so only 2 boxes.
Again, what I want is: machine#2 to forward packets from machine#1 and vice versa

From the diagram, machine#2 had 2 NIC,
assume eth0 connect to proxy,
and eth1 connect to machines#1 which private ip is 10.0.0.6

Code:

machine#2 ifconfig -a
eth0 inet 192.168.1.13

eth1 inet UNKNOWN

My first question was: the private ip/inet UNKNOWN of eth1 has to be same class like 10.0.x.y?
Can it be 192.168.*.* ?

fhleung · 11-08-2011, 02:09 AM

Quote:

Originally Posted by lqman

I assume your ip sec tun interface is tun0.
iptables -t nat -A PREROUTING -i tun0 -s 10.0.0.6 -p tcp --dport 80 -j DNAT --to 192.168.1.12:80
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Only above two iptables statements would WORK?
Need the iptables FORWARD chain statement?

lqman · 11-09-2011, 08:35 PM

Quote:

Only above two iptables statements would WORK?
Need the iptables FORWARD chain statement?

Yes it works in savona case.
Try to adjust it for your case.

No need FORWARD chain statement.