LinuxQuestions.org
Linux - Networking
iptables DNAT redirect to web server problem (http://www.linuxquestions.org/questions/linux-networking-3/iptables-dnat-redirect-to-web-server-problem-372551/)

mitzadej 10-13-2005 04:03 AM

iptables DNAT redirect to web server problem
 
First of all, I'll tell you what my problem is.
1. I have a Linux box that works as a router and does NAT.
I have
eth0 - external IP 82.77.xxx.xxx
eth1 - internal IP 192.160.0.1

I have an IP camera inside my internal network that has a built-in web server - 192.168.0.54

All I want to do is redirect all incoming requests from the internet to eth0 on port 80 to the IP camera.

I've tried
BOX# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.54:80
It doesn't work.

If any of you have a solution for my problem, I'd be glad to hear it.

Agrouf 10-13-2005 12:03 PM

It looks correct to me.
Can you give the output of "iptables -t nat -L", "iptables -t mangle -L" and "iptables -t filter -L", please?

mitzadej 10-14-2005 02:24 AM

rce:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:192.168.0.54:80

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


rce:~# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination


rce:~# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Agrouf 10-14-2005 03:33 AM

hmmm...

Maybe try using the address instead of the interface:
-d 82.77.xxx.xxx instead of -i eth0

When you say 'it doesn't work', how did you test?
Did you do it from your local network or from another computer on the internet? (It shouldn't work from your local network, since that traffic isn't coming in on eth0.)

toru 11-26-2005 01:32 AM

DNAT problems
 
I'm facing a similar problem with DNAT. I set up my firewall to forward port 80 traffic to an internal web server and everything was working fine for over a week... then suddenly everything went down. So I checked by logging into the firewall and using iptraf. iptraf shows traffic (TCP SYN packets) coming in from outside and being sent to the internal web server. The internal web server does not show any traffic coming in when I check via tcpdump. I restarted the firewall, thinking maybe some module went crazy or something and might get fixed when I restart... all in vain. If anyone has any idea... please let me know. Oh yeah, one more thing: between the time that it was working and when it was not working I changed absolutely NOTHING on the firewall...

regards,
Bilal.

karunesh 11-26-2005 04:15 AM

Try this: 'iptables -t nat -A PREROUTING -i eth0 -p tcp -d 87.xxx.xxx.xxx --dport 80 -j DNAT --to 192.168.0.54:80'. Also just confirm that IP forwarding is enabled.

toru 11-27-2005 10:59 AM

DNAT problem rephrased :D
 
Hi there.
Let me explain once again. This time it's all on the internal network.
I have 3 machines:
1. Firewall + router with eth0, eth1 and ppp0 (we will only deal with eth0) 10.0.0.1
2. PC 10.0.0.100
3. Web server (SSH enabled) 10.0.0.10

I added the following rule to my firewall machine:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9999 -j DNAT --to 10.0.0.10:22

This is just for testing DNAT, so I can SSH from my PC to firewall:9999 and get connected to webserver_SSH:22 :D

Now iptraf on the firewall shows the following when I try to connect to firewall:9999:

┌10.0.0.100:1270 = 2 96 S--- eth0
└10.0.0.1:9999 = 0 0 ---- eth0
┌10.0.0.100:1270 = 2 96 S--- eth0
└10.0.0.10:22 = 0 0 ---- eth0


hence showing SYN packets going to 10.0.0.10 (the web server).

The web server's iptraf shows:

10.0.0.100:1270 = 2 94 RESET eth0
10.0.0.10:22 = 1 48 S-A- eth0



OK, so I started doubting the DNAT on the firewall (still not sure if that's the problem), so I tried to DNAT from another port to the firewall's own SSH, like this:

iptables -t nat -A PREROUTING -p tcp -d 10.0.0.1 --dport 9999 -j DNAT --to 10.0.0.1:22 -i eth0

The funny thing is that this works :D


Now I'm totally lost. What is the problem here? Can anyone help?

regards.
Bilal.
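Editor's note, with an added example that is not code from any poster in this thread. Two points in the discussion call for the same rule set: Agrouf's remark that a PREROUTING rule matched on `-i eth0` cannot be exercised from the LAN, and Bilal's all-internal test, whose iptraf captures (SYN forwarded to 10.0.0.10, the web server sending a SYN-ACK, the PC answering with RST) are exactly what happens when the DNAT target sits on the same subnet as the client: the server's SYN-ACK goes straight back to 10.0.0.100 with source 10.0.0.10:22, the PC expected a reply from 10.0.0.1:9999, so it resets the connection. The router never sees the reply and its DNAT mapping is never used in reverse. The cure is a POSTROUTING SNAT (so-called hairpin or NAT loopback) that makes LAN-originated, DNATed connections appear to come from the router, forcing the reply back through it. The script below assumes interface names, a public address (masked in the posts), a LAN address for the router and a target host, and uses `-m conntrack` state matching; `build_rules` only prints the commands so the set can be reviewed without root, and `APPLY=1` as root runs them.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): publish one internal
# TCP service through a Linux iptables NAT router, including the hairpin
# rules needed when LAN hosts connect to the public address, plus FORWARD
# rules that admit only that flow. Every address and interface name below
# is an assumption for illustration.
set -eu

EXT_IF=eth0               # internet-facing interface (assumed)
EXT_IP=82.77.0.1          # public address; the post masks the real one
LAN_IF=eth1
LAN_IP=192.168.0.1        # router's LAN address (assumed)
LAN_NET=192.168.0.0/24
TARGET=192.168.0.54       # internal host to publish (the camera)
PORT=80

# Emit the iptables commands for the given setup, one per line, without
# running them. Kept separate from apply_rules so the rule set can be
# inspected or tested without privileges.
build_rules() {
    ext_if=$1 ext_ip=$2 lan_if=$3 lan_ip=$4 lan_net=$5 target=$6 port=$7
    cat <<EOF
iptables -t nat -A PREROUTING -i $ext_if -p tcp -d $ext_ip --dport $port -j DNAT --to-destination $target:$port
iptables -t nat -A PREROUTING -i $lan_if -s $lan_net -p tcp -d $ext_ip --dport $port -j DNAT --to-destination $target:$port
iptables -t nat -A POSTROUTING -o $lan_if -s $lan_net -p tcp -d $target --dport $port -j SNAT --to-source $lan_ip
iptables -t nat -A POSTROUTING -o $ext_if -j MASQUERADE
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ext_if -o $lan_if -p tcp -d $target --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $lan_if -o $lan_if -p tcp -d $target --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $lan_if -o $ext_if -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
EOF
}
# Rule 1: DNAT for connections arriving from the internet.
# Rule 2: the same DNAT for LAN clients that use the public address; -i eth0
#         alone would never match them (Agrouf's point).
# Rule 3: hairpin SNAT, LAN sources only, so the target answers the router
#         rather than the client directly; internet clients keep their real
#         source address in the target's logs.
# Rules 5-9: default-deny forwarding, allowing only the published service
#         (from outside and via the hairpin) and LAN-originated traffic.

# True when the kernel will forward packets between interfaces at all;
# without this no DNAT rule can work.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = "1" ]
}

# Enable forwarding if needed, then run each generated command, echoing it.
apply_rules() {
    forwarding_enabled || sysctl -w net.ipv4.ip_forward=1
    build_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules "$EXT_IF" "$EXT_IP" "$LAN_IF" "$LAN_IP" "$LAN_NET" "$TARGET" "$PORT"
else
    build_rules "$EXT_IF" "$EXT_IP" "$LAN_IF" "$LAN_IP" "$LAN_NET" "$TARGET" "$PORT"
fi
```

To confirm the rules are doing what you expect, test from a host outside the network, and watch both sides: `tcpdump -ni eth1 tcp port 80` on the router should show the SYN leaving with destination 192.168.0.54 and the SYN-ACK coming back to the router, and `iptables -t nat -L PREROUTING -n -v` should show the DNAT rule's packet counter rising. If the target's own capture shows the SYN-ACK being sent straight to the client's address instead of to the router, the SNAT rule is missing or not matching. Since the service being published here is a camera's embedded web server, it is also worth narrowing rule 1 with `-s` to the addresses that actually need access rather than exposing it to the whole internet.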

