We have a large network with several vlans and thousands of workstations. One of our vlans has just our firewall and content filters. We need to redirect all of our outging http traffic to the content filters. Our cisco will redirect port 80 traffic to any box I choose. Our software vendor just phased out thie Linux version of the software and we need to go to Windows. With linux we just redirected the port 80 traffic to port 8002 and the software filtered it. Now I want to put a Linux box in between to port forward the traffic from port 80 to port 8002 on the windows box.
This is what I've done so far:
RedHat 7.3 with 2 nics, ip_forward=1. One nic is in our inside vlan, the other is in the firewall/content filter vlan (still inside the firewall). I used the following commands:

iptables -t nat -A PREROUTING -i eth1 -p tcp -d 172.30.5.88 --dport 80 -j DNAT --to 172.20.4.20:8002

iptables -A FORWARD -i eth1 -o eth0 -p tcp -d 172.20.4.20 --dport 8002 -j ACCEPT

eth1 is my inside nic 172.30.5.88 (in our main subnet)
eth0 is in the firewall/filtering vlan 172.20.4.10

What am I doing wrong? Can I even do this? Is there an easier way?

Thanks,

Tom

The problem is that if a computer tries to contact a host with IP a.b.c.d on port 80, the reply will come back from 172.20.4.20.
It's not expecting replies from this host, so it won't work.

Don't know how to fix it though =]

Hi,
Thanks for replying so quickly. If this can't work, can you please explain the difference between running redirect in ipchains on the same box (which is what we were doing and it worked) and using port forwarding to a different box with iptables? Anyone else have any ideas on how to get 6000 pc's proxied to a content filter without visiting each machine?

Thanks,

Tom

The thing is that normally it works like this:

user -> forwarder -> server

- user contacts forwarder for a service that is actually running on server
- DNAT replaces the destination 'forwarder' with the real destination IP 'server' and sends the packet on
- the reply is sent with source 'server' and destination 'user'
- the forwarder replaces source 'server' with its own IP and sends it on
- user thinks it's talking to forwarder and is expecting source address 'forwarder' in the reply packet, so it all works out

The only way I can see it work in your case is if:
- the cisco rewrites port 80 traffic for any destination to have destination 'forwarder'
- the cisco rewrites the source address of reply packets to match the original destination (if this isn't the case, you can stop reading)
- the forwarder has these lines:

I tried the code and packets are getting forwarded. But, they are not getting filtered by the right box. Near as I can tell, the packets get forwarded from the .88 box eth1 right back out to eth0 and back to the cisco where they find another rule in the access-list to match and go there normal way (I added an access-list for 1 machine to try this whole thing out). I know the content filter works because I can proxy my browser to it.

Thanks again,

Tom

I thought your setup was like this:

Am I mistaken?

It would be best if you have sniffers on both the forwarder and the server so you can see what is arriving where.

A good sniffer for linux is Ethereal, but you can use tcpdump if you do not want to install any new software. For windows I usually use Iris, but it's commercial. I don't know of any free sniffers for Windows.

You've got it pretty much correct. The subnet with eth0 and 172.20.4.20 and the firewall also attatches to the cisco as a separate vlan, fully routed. Our ATM to the internet also lives in the same cisco box (6509 with layer 3, ATM, 16 Gig-e ports (all vlans and all in production)). I really do appreciate all of your help. I'm not really getting what's going on here, but I'll see if I can get our guy with the sniffer to help me figure it out.

Thanks again,

Tom