LinuxQuestions.org
Old 02-02-2010, 12:59 PM   #1
rvn2k2
LQ Newbie
 
Registered: Feb 2010
Posts: 6

Rep: Reputation: 0
Question about ip/port redirection


Hey guys.. I've got a question. I have "Server A" with real internet IP 1.2.3.4 (eth0) and LAN IP 192.168.1.1 (eth1).
There's also "Server B" with LAN IP 192.168.1.2 (eth0). I'm running an Apache web server on "Server B", so I want to redirect all traffic from IP 1.2.3.4 port 80 (Server A) to 192.168.1.2 port 80 (Server B), using the following rules:


Code:
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 192.168.1.2:80
This actually works pretty well; from the internet I can browse http://1.2.3.4
But the problem is that if I check the Apache logs, all incoming connections seem to come from 192.168.1.1 instead of showing the real source IP addresses (internet IPs), so this is screwing up all my web stats. I've been looking for hours and hours on how to make a transparent redirect, but can't find any info. I know there must be a way because my old WRT54G router, which uses iptables, could do it.

Please help, thanks
 
Old 02-02-2010, 01:27 PM   #2
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
What did you expect? You used the NAT chain; NAT will change the IP, it can't do it any other way.
You need a bridge to keep the original IP.
 
Old 02-02-2010, 01:31 PM   #3
rvn2k2
LQ Newbie
 
Registered: Feb 2010
Posts: 6

Original Poster
Rep: Reputation: 0
I'm not very good at this, could you give me an example to accomplish what I need? pleeeeease
 
Old 02-02-2010, 01:53 PM   #4
sparc86
Member
 
Registered: Jul 2006
Location: Joinville, Southern Brazil
Distribution: Debian, CentOS
Posts: 296

Rep: Reputation: 31
You want to use PREROUTING.

This link might be helpful:

http://ha.redhat.com/docs/manuals/en...rerouting.html
 
Old 02-02-2010, 02:15 PM   #5
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
A bridge will send everything from one eth to the other, and I do not really know if it is possible to separate something out to a local process.
The only way, I think, is to give a real IP to server "b" with Apache, and filter only port 80 for it.
 
Old 02-02-2010, 02:30 PM   #6
rvn2k2
LQ Newbie
 
Registered: Feb 2010
Posts: 6

Original Poster
Rep: Reputation: 0
Already using PREROUTING in my rule..

Now the million dollar question is: how come Cisco routers, cheap routers (D-Link, Linksys, etc.) and even software firewalls like pfSense can do this trick?

 
Old 02-02-2010, 02:41 PM   #7
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Wait a second. I am also behind 3 NATs, but I can see source addresses.

Last edited by nimnull22; 02-02-2010 at 02:48 PM.
 
Old 02-02-2010, 02:54 PM   #8
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
You know, try to remove
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Leave only:
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 192.168.1.2:80

echo 1 > /proc/sys/net/ipv4/ip_forward

Last edited by nimnull22; 02-02-2010 at 02:55 PM.
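A quick check of why removing the eth1 MASQUERADE rule matters: this added Python snippet (not from the thread) scans an iptables-save dump for a POSTROUTING MASQUERADE/SNAT rule on the LAN interface, which is what makes a DNAT'ed web server see the gateway's LAN address instead of the client. The dump text is constructed to match the rules posted above; interface and address names are the thread's, the client address is an assumption.

```python
import re

# Constructed iptables-save excerpt reproducing the original ruleset from post #1
# (interfaces and addresses as posted; the counters and chain policies are assumed).
ORIGINAL_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 1.2.3.4/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""

# The ruleset suggested in post #8: same dump without the LAN-side MASQUERADE.
FIXED_DUMP = ORIGINAL_DUMP.replace("-A POSTROUTING -o eth1 -j MASQUERADE\n", "")


def nat_rules(dump):
    """Return the '-A ...' rule lines belonging to the nat table of an iptables-save dump."""
    table, rules = None, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]            # '*nat', '*filter', ...
        elif line.startswith("-A ") and table == "nat":
            rules.append(line)
    return rules


def lan_source_rewrites(dump, lan_iface):
    """POSTROUTING rules that rewrite the source of packets leaving lan_iface.

    Combined with a DNAT in PREROUTING, such a rule makes the forwarded
    connection arrive at the web server with the gateway's LAN address as source.
    """
    hits = []
    for rule in nat_rules(dump):
        if not rule.startswith("-A POSTROUTING"):
            continue
        out_if = re.search(r"-o (\S+)", rule)
        target = re.search(r"-j (\S+)", rule)
        if out_if and target and out_if.group(1) == lan_iface \
                and target.group(1) in ("MASQUERADE", "SNAT"):
            hits.append(rule)
    return hits


def source_seen_by_server(dump, client_ip, lan_iface, gateway_lan_ip):
    """Model of what the DNAT target logs as the client address for this ruleset."""
    return gateway_lan_ip if lan_source_rewrites(dump, lan_iface) else client_ip
```

With the LAN-side rewrite gone, Server B must route its replies back through Server A (default gateway 192.168.1.1), otherwise the un-DNAT of the return traffic never happens.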
 
Old 02-02-2010, 02:56 PM   #9
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
And MASQUERADE is not good; better to use SNAT. But that is for later.
 
Old 02-02-2010, 03:02 PM   #10
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <YOUR_REAL_IP>


This should be better.

Last edited by nimnull22; 02-02-2010 at 03:05 PM.
 
Old 02-02-2010, 07:01 PM   #11
rvn2k2
LQ Newbie
 
Registered: Feb 2010
Posts: 6

Original Poster
Rep: Reputation: 0
So the lines should be these?
Because it didn't even open the port:

iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 192.168.1.2:80

echo 1 > /proc/sys/net/ipv4/ip_forward
 
Old 02-02-2010, 07:25 PM   #12
nimnull22
Senior Member
 
Registered: Jul 2009
Distribution: OpenSuse 11.1, Fedora 14, Ubuntu 12.04/12.10, FreeBSD 9.0
Posts: 1,571

Rep: Reputation: 92
Can you post output of:
iptables-save

Thanks

And check, maybe you have some filters on Apache.

Last edited by nimnull22; 02-02-2010 at 07:31 PM.
 
Old 02-02-2010, 07:56 PM   #13
sparc86
Member
 
Registered: Jul 2006
Location: Joinville, Southern Brazil
Distribution: Debian, CentOS
Posts: 296

Rep: Reputation: 31
Try this:

Quote:
#telnet $ip_address 80
in order to test if port 80 is open.
 