Old 04-06-2009, 02:50 PM   #1
a550ee
LQ Newbie
 
Registered: Apr 2006
Posts: 16

Rep: Reputation: 0
Need help configuring iptables NAT


Hello!

I have a Linux box connected to the internet, and it has a static IP address $A1;
the Linux box runs a web server listening on port $P1.

I want to configure iptables to redirect http requests from the Linux box
to particular addresses on the internet (say $A2) to the local web server on
port $P1;

For example, when a user on the Linux box hits google.com in the browser
he sees google.com, but when he hits http://$A2 he actually sees
$A1:$P1.

The Linux box is very short on RAM and I can't run squid on it.
 
Old 04-06-2009, 04:54 PM   #2
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
You can achieve this effect for the browser running on your Linux box by putting a rule like this into your iptables nat chain:
Code:
#iptables -t nat -A PREROUTING -d{$A2} -j DNAT --to-destination {$A1}:{$P1}
If your httpd server is listening on the loopback interface as well as $A1, you might substitute 127.0.0.1:80, for example, for the destination address.

If this Linux box is really short of memory, though, and you are running a browser on it, you are bound to have trouble (or at least slowness) when browsing. With the price of memory these days, it would seem a good investment to add memory.

If, on the other hand, you want the Linux box to redirect requests coming from behind the box (from local computers), that same iptables rule will work, but you will need to make sure that the other boxes specify the Linux box in question as their default route.
 
Old 04-07-2009, 03:32 AM   #3
a550ee
LQ Newbie
 
Registered: Apr 2006
Posts: 16

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by dkm999
You can achieve this effect for the browser running on your Linux box by putting a rule like this into your iptables nat chain:
Code:
#iptables -t nat -A PREROUTING -d{$A2} -j DNAT --to-destination {$A1}:{$P1}
If your httpd server is listening on the loopback interface as well as $A1, you might substitute 127.0.0.1:80, for example, for the destination address.
The rule requires the protocol specification "-p tcp", and it doesn't work. According to this manual http://iptables-tutorial.frozentux.n...-tutorial.html, section 6, packets from localhost don't travel through the PREROUTING chain at all.

Quote:
Originally Posted by dkm999
If, on the other hand, you want the Linux box to redirect requests coming from behind the box (from local computers), that same iptables rule will work, but you will need to make sure that the other boxes specify the Linux box in question as their default route.
This would be great, but the first objective is to redirect packets from localhost;
 
Old 04-07-2009, 04:12 AM   #4
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
Hello,

Quote:
For example, when a user on the Linux box hits google.com in the browser
he sees google.com, but when he hits http://$A2 he actually sees
$A1:$P1.
Your example above - google.com - refers to an LVS/load balancer job, not a basic redirection.
You can achieve your goal using either:
- that LVS, or
- simply a basic remote web root directory on the $A2 web server pointing to the $A1 web root, or
- an HTTP reverse proxy.

And it's not that easy, of course.

HTH.
 
Old 04-07-2009, 08:09 AM   #5
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
You are correct; the PREROUTING chain is only consulted for packets arriving from other hosts. According to the manpage for iptables, though, the nat table also contains an OUTPUT chain, into which you can put the same rule in order to redirect locally generated packets. Sorry for the incompleteness of my previous posting; it was late, and I am on the road, where I cannot so easily consult all the data I normally have at my fingertips.

Once you pass this hurdle, the PREROUTING chain is the right place to put any rules that are intended to redirect traffic passing through the boundary machine.
 
Old 04-08-2009, 01:52 PM   #6
a550ee
LQ Newbie
 
Registered: Apr 2006
Posts: 16

Original Poster
Rep: Reputation: 0
I'm trying this rule and it says "Target problem":

Code:
iptables -t nat -I OUTPUT 1 -p tcp -d $A2 --dport 80  -j DNAT --to $A1:$P1
 
Old 04-08-2009, 07:17 PM   #7
dkm999
Member
 
Registered: Nov 2006
Location: Seattle, WA
Distribution: Fedora
Posts: 407

Rep: Reputation: 35
Unfortunately, iptables is not as discerning as you might like about its arguments. You need to specify --to-destination in the command where you used --to. And I am assuming that you are either supplying $A1, $A2, and $P1 as variables to some script from which you extracted this command, or are making the actual IP address and port arguments valid in some other way.
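The rules the thread converges on, as an added example (not code posted by anyone in this thread): a DNAT rule in the nat OUTPUT chain for the box's own browser and the same match in nat PREROUTING for hosts behind it, with -p tcp and the full --to-destination option, after validating $A1, $A2 and $P1. The variable names follow the thread; the helper functions are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Locally generated packets never
# pass PREROUTING, so the redirect for the box's own browser goes in the nat
# OUTPUT chain; traffic forwarded from LAN hosts that use this box as their
# default route is matched in nat PREROUTING. Inputs are validated first,
# since iptables reports malformed addresses and ports rather unhelpfully.

# Four dotted-decimal octets, each 0-255 (hypothetical helper).
is_ipv4() {
  case $1 in ''|*[!0-9.]*) return 1;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in '') return 1;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# TCP port in 1-65535 (hypothetical helper).
is_port() {
  case $1 in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rules that send http for A2 to A1:P1, one command per line.
# Usage: dnat_rules A1 A2 P1
dnat_rules() {
  a1=$1; a2=$2; p1=$3
  is_ipv4 "$a1" && is_ipv4 "$a2" && is_port "$p1" || return 1
  # DNAT to host:port needs -p tcp, and --to-destination spelled in full.
  match="-p tcp -d $a2 --dport 80 -j DNAT --to-destination $a1:$p1"
  printf 'iptables -t nat -A OUTPUT %s\n' "$match"      # browser on the box
  printf 'iptables -t nat -A PREROUTING %s\n' "$match"  # hosts behind the box
}

# Apply the rules, or only print them when DRY_RUN=1. For the PREROUTING
# rule to help LAN hosts, net.ipv4.ip_forward must also be enabled.
apply_dnat_rules() {
  dnat_rules "$@" >/dev/null || { echo "invalid A1/A2/P1" >&2; return 1; }
  dnat_rules "$@" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
  done
}
```

Run it as root with `apply_dnat_rules "$A1" "$A2" "$P1"`, or with `DRY_RUN=1` first to see the exact commands before they touch the nat table.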
 