Prerouting In Intranet
Hi all,
I have two webservers in an Intranet, one on 192.168.0.1, port 80, the other on 192.168.0.5, port 80. Each machine has only one ethernet card, attached to the same switch. Now I want to take away the first webserver. In order to do this transparently, I thought of using a redirect rule. Thus, on 192.168.0.1 I tried the following commands:

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 --dport 80 -j DNAT --to 192.168.0.5:80
iptables -t nat -A PREROUTING -p udp -d 192.168.0.1 --dport 80 -j DNAT --to 192.168.0.5:80

For testing reasons, all the policies on both machines are set to ACCEPT. iptables -t nat -L -n yields:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  0.0.0.0/0            192.168.0.1          udp dpt:80 to:192.168.0.5:80
DNAT       tcp  --  0.0.0.0/0            192.168.0.1          tcp dpt:80 to:192.168.0.5:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

With these rules, I thought an attempt to reach 192.168.0.1:80 would lead me to 192.168.0.5:80. But the latter one doesn't see anything. What am I really missing? Please give me some advice.
Ajayan
You might need to turn forwarding on for this to work.

echo 1 > /proc/sys/net/ipv4/ip_forward

(you can usually set it permanently in /etc/sysctl.conf)
You need to do an SNAT on the way out, so that the packets get the source address of the proxy. Otherwise, the return packet goes directly from the .5 web server to the client. This is a problem since the client made the request of .1, not .5.
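The two replies above describe why the DNAT alone is not enough: the packet is only forwarded if ip_forward is on, and even then the .5 server answers the client directly with a source address the client never talked to. The following is an added model of that packet flow (not code from this thread); the addresses follow the thread, while the client 192.168.0.20 and its source port 40000 are assumed.

```python
# Model of the thread's DNAT setup on a flat LAN: each hop rewrites the 4-tuple
# the way the kernel would, so we can see who receives what and why the client
# only accepts the reply when both ip_forward and a POSTROUTING SNAT are in place.
from dataclasses import dataclass, replace
from typing import Optional

CLIENT, OLD, NEW = "192.168.0.20", "192.168.0.1", "192.168.0.5"  # client is assumed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def old_server_forward(pkt: Packet, ip_forward: bool, snat: bool) -> Optional[Packet]:
    """PREROUTING DNAT to NEW, then the routing decision: without ip_forward the
    packet is dropped; with a POSTROUTING SNAT its source becomes OLD."""
    out = replace(pkt, dst=NEW)                      # -j DNAT --to 192.168.0.5:80
    if not ip_forward:
        return None                                  # never leaves OLD
    return replace(out, src=OLD) if snat else out    # -j SNAT --to-source 192.168.0.1


def new_server_reply(pkt: Packet) -> Packet:
    """NEW answers whatever source the packet carried, directly across the switch."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


def old_server_unnat(reply: Packet, request: Packet) -> Packet:
    """conntrack on OLD reverses both NATs for a reply that returns through it."""
    return Packet(src=request.dst, sport=request.dport, dst=request.src, dport=request.sport)


def client_sees_reply(ip_forward: bool, snat: bool) -> bool:
    """True iff the reply matches the socket the client opened: OLD:80 -> CLIENT:40000."""
    request = Packet(CLIENT, 40000, OLD, 80)
    fwd = old_server_forward(request, ip_forward, snat)
    if fwd is None:
        return False
    reply = new_server_reply(fwd)
    if reply.dst == OLD:                             # only the SNAT'd flow comes back via OLD
        reply = old_server_unnat(reply, request)
    return reply == Packet(OLD, 80, CLIENT, 40000)   # anything else gets a RST from the client


if __name__ == "__main__":
    for fwd, snat in ((False, False), (True, False), (True, True)):
        print(f"ip_forward={fwd!s:5} snat={snat!s:5} -> client gets reply: {client_sees_reply(fwd, snat)}")
```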