LinuxQuestions.org
Old 10-13-2005, 04:03 AM   #1
mitzadej
LQ Newbie
 
Registered: Jan 2005
Location: romania
Distribution: Debian
Posts: 12

Rep: Reputation: 0
iptables DNAT redirect to web server problem


First of all, I'll tell you what my problem is.
1. I have my Linux box that works as a router and does NAT.
I have
eth0 - external IP 82.77.xxx.xxx
eth1 - internal IP 192.160.0.1

I have an IP camera inside my internal network that has a web server incorporated - 192.168.0.54

All I want to do is to redirect all incoming requests from the internet to eth0 on port 80 to the IP camera.

I've tried
BOX# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.54:80
It doesn't work.

If any of you have a solution for my problem I'd be glad to hear it.

Last edited by mitzadej; 10-13-2005 at 04:05 AM.
 
Old 10-13-2005, 12:03 PM   #2
Agrouf
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: LFS
Posts: 1,591

Rep: Reputation: 79
It looks correct to me.
Can you give a "iptables -t nat -L", "iptables -t mangle -L" and "iptables -t filter -L" output please?
 
Old 10-14-2005, 02:24 AM   #3
mitzadej
LQ Newbie
 
Registered: Jan 2005
Location: romania
Distribution: Debian
Posts: 12

Original Poster
Rep: Reputation: 0
rce:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:192.168.0.54:80

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


rce:~# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination


rce:~# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 
Old 10-14-2005, 03:33 AM   #4
Agrouf
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: LFS
Posts: 1,591

Rep: Reputation: 79
hmmm...

Maybe try using the address instead of the interface:
-d 82.77.xxx.xxx instead of -i eth0

When you say 'it doesn't work', how did you test?
Did you do it from your local network or from another computer on the internet (because it shouldn't work from your local network since traffic isn't coming from eth0)?

Last edited by Agrouf; 10-14-2005 at 03:37 AM.
 
Old 11-26-2005, 01:32 AM   #5
toru
LQ Newbie
 
Registered: Nov 2005
Posts: 2

Rep: Reputation: 0
dnat problems

I'm facing a similar problem with DNAT. I set up my firewall to forward port 80 traffic to an internal webserver and everything was working fine for over a week... then suddenly everything went down. So I checked by logging into the firewall and using iptraf. iptraf shows traffic (TCP SYN) packets coming in from outside and being sent to the internal webserver. The internal webserver does not show any traffic coming in when I check via tcpdump. I restarted the firewall thinking maybe some module went crazy or something and might get fixed when I restart... all in vain... If anyone has any idea, please let me know. Oh yeah, one more thing: between the time that it was working and when it was not working I changed absolutely NOTHING on the firewall.

regards,
Bilal.
 
Old 11-26-2005, 04:15 AM   #6
karunesh
Member
 
Registered: Jan 2002
Location: India
Distribution: CentOS/Mandriva
Posts: 126

Rep: Reputation: 15
Try this 'iptables -t nat -A PREROUTING -i eth0 -p tcp -d 87.xxx.xxx.xxx --dport 80 -j DNAT --to 192.168.0.54:80'. Also just confirm that 'ip forwarding' is enabled.
 
Old 11-27-2005, 10:59 AM   #7
toru
LQ Newbie
 
Registered: Nov 2005
Posts: 2

Rep: Reputation: 0
dnat problem rephrased :D

Hi there.
Let me explain once again, this time all internal network.
I have 3 machines:
1. Firewall + router with eth0, eth1 and ppp0 (we will only deal with eth0) 10.0.0.1
2. PC 10.0.0.100
3. Webserver (SSH enabled) 10.0.0.10

I added the following rule to my firewall machine.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9999 -j DNAT --to 10.0.0.10:22

This is just for testing DNAT, so I can ssh from my PC to firewall:9999 so I can connect to webserver_SSH:22

Now the iptraf of the firewall shows the following when I try to connect to firewall:9999

10.0.0.100:1270 = 2 96 S--- eth0
10.0.0.1:9999 = 0 0 ---- eth0
10.0.0.100:1270 = 2 96 S--- eth0
10.0.0.10:22 = 0 0 ---- eth0


Hence showing SYN packets going to 10.0.0.10 (webserver).

The webserver's iptraf shows:

10.0.0.100:1270 = 2 94 RESET eth0
10.0.0.10:22 = 1 48 S-A- eth0



OK, so I started doubting the DNAT of the firewall (still not sure if that's the problem), so I tried to DNAT from another port to the firewall's SSH, like this:

iptables -t nat -A PREROUTING -p tcp -d 10.0.0.1 --dport 9999 -j DNAT --to 10.0.0.1:22 -i eth0

The funny thing is that this works.


Now I'm totally lost. What is the problem here? Can anyone help?

regards.
Bilal.
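
Added example, not part of the original posts: a toy Python model of the handshake in post #7, using that post's addresses, that traces when the SYN-ACK passes back through the firewall's connection tracking and when it bypasses it and ends in the RESET seen in the web server's iptraf output. The /24 mask, the source ports, the firewall being the server's default gateway, the off-subnet client and the `handshake` function with its SNAT option are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Addresses from post #7; the /24 mask and the source ports are assumptions.
LAN = ip_network("10.0.0.0/24")
FIREWALL = "10.0.0.1"

def handshake(client_ip, fw_port, dnat_to, snat_to_firewall=False):
    """Trace a SYN / SYN-ACK pair through a PREROUTING DNAT rule on FIREWALL.

    Returns (outcome, trace) where outcome is "ESTABLISHED" or "RST".
    """
    dialled = (FIREWALL, fw_port)            # peer the client's socket expects
    src, dst = (client_ip, 1270), dnat_to    # SYN after DNAT rewrote the destination
    if snat_to_firewall:                     # optional POSTROUTING SNAT/MASQUERADE
        src = (FIREWALL, 40000)
    trace = [("SYN", src, dst)]

    # The server answers whatever source address it saw on the SYN.
    reply_src, reply_dst = dst, src
    server_ip = dst[0]
    # The reply meets the firewall's conntrack entry only if it is generated on
    # the firewall, addressed to it, or routed through it (off-subnet client;
    # assumes the firewall is the server's default gateway).
    via_firewall = (server_ip == FIREWALL or reply_dst[0] == FIREWALL
                    or ip_address(reply_dst[0]) not in LAN)
    if via_firewall:
        # conntrack reverses both translations before the client sees the packet
        reply_src, reply_dst = dialled, (client_ip, 1270)
    trace.append(("SYN-ACK", reply_src, reply_dst))

    # A SYN-ACK from an address the client never dialled matches no socket.
    outcome = "ESTABLISHED" if reply_src == dialled else "RST"
    return outcome, trace

if __name__ == "__main__":
    cases = {
        "LAN client, DNAT to 10.0.0.10:22": ("10.0.0.100", ("10.0.0.10", 22), False),
        "LAN client, DNAT to 10.0.0.1:22": ("10.0.0.100", ("10.0.0.1", 22), False),
        "LAN client, DNAT plus SNAT": ("10.0.0.100", ("10.0.0.10", 22), True),
        "off-subnet client (constructed)": ("198.51.100.7", ("10.0.0.10", 22), False),
    }
    for name, (client, target, snat) in cases.items():
        outcome, trace = handshake(client, 9999, target, snat)
        print(f"{name}: {outcome}")
        for step in trace:
            print("   ", *step)
```

On a real firewall the SNAT case corresponds to a rule such as `iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.10 -p tcp --dport 22 -j SNAT --to-source 10.0.0.1`. With it in place the server logs every LAN connection as coming from 10.0.0.1, so per-client attribution has to come from the firewall's own logs.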
 
  

