Iptables DNAT on Suse 10.0
Hello,
I'd like to make an internal http-server available to the external net. My approach: all requests to a dummy port (i.e. 8888) on my standard gateway (which is the only one visible to the external net) will be redirected to the http-server. I tried the following:

iptables -t nat -A PREROUTING -d ${IP_GATEWAY} -p tcp --dport 8888 -j DNAT --to-destination ${IP_HTTP}:80

Nothing happens, requests like http://IP_GATEWAY:8888 fail. Can anyone help? Any comment is appreciated.
Thanks in advance, Michael
The webserver gets the port 8888 in the http headers and can't find a host/domain that matches that port.
Thanks for your reply !
If I understand you correctly, my approach fails because the port number is in the http header as well? Would it help to configure the http-server to listen on port 8888 instead of 80?
That would make it work well.
Add a virtualhost that listens on port 8888 and also add a Listen directive for port 8888 in httpd.conf. Leave the default settings of port 80, just add these. Then add the NAT to the ip address, e.g.

iptables -t nat -A PREROUTING -i ${EXTIF} -p tcp --dport 8888 -j DNAT --to-destination ${IP_HTTP}
Hello Peter !
It took me a while to implement your advice, but the internal http-server ran into more basic problems. Anyway, now it's up again (it's a camera btw). I changed the port of the webserver to 8888, but it's still the same effect, no packets from outside are forwarded to the internal http-server. I found some hits regarding iptables DNAT, that it has to be accompanied by a SNAT statement like:

iptables -t nat -A PREROUTING -d ${IP_GATEWAY} -p tcp --dport 8888 -j DNAT --to-destination ${IP_HTTP}

Accomplishing SNAT:

iptables -t nat -A POSTROUTING -s ${IP_HTTP} -p tcp --sport 8888 -j SNAT --to-source ${IP_GATEWAY}

I tried this... but it did not change anything! On the other hand the iptables doc says that I need only to reroute the first (incoming) packet, all others follow "automatically". Maybe you have an idea what could be wrong?
Thanks anyway, Michael
You only need the DNAT rule. The SNAT is handled internally by netfilter.
Avoid using -d ip.add.ress in a DNAT rule. Rather, use an interface specification, i.e. -i eth~. This way you can be sure exactly which packets are being changed.
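Added example, not from the thread: a script that combines the interface-matched DNAT rule above with the two other things a port forward on a Linux gateway needs, IPv4 forwarding enabled and matching FORWARD rules; a DNAT rule that is correct but never "forwards anything" is often missing one of those. Interface name and addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Publishes an internal HTTP host through
# the gateway with DNAT. Interface/address values below are assumptions.
EXTIF="${EXTIF:-eth0}"              # gateway's external interface (assumed)
IP_HTTP="${IP_HTTP:-192.168.1.50}"  # internal web server, constructed address
EXT_PORT="${EXT_PORT:-8888}"        # port visible on the gateway
INT_PORT="${INT_PORT:-80}"          # port the internal server listens on
APPLY="${APPLY:-0}"                 # 0 = print the commands, 1 = execute them

run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# DNAT alone is not enough: the kernel must be allowed to route, and the
# rewritten packet still has to pass the FORWARD chain (often policy DROP).
port_forward_rules() {
    # 1. Enable IPv4 forwarding between interfaces.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Rewrite the destination of connections arriving on the external
    #    interface; matching on -i instead of -d, as advised above.
    run iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$EXT_PORT" \
        -j DNAT --to-destination "$IP_HTTP:$INT_PORT"
    # 3. Let only that traffic through FORWARD towards the internal host.
    run iptables -A FORWARD -i "$EXTIF" -p tcp -d "$IP_HTTP" --dport "$INT_PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 4. Let the replies back out (conntrack reverses the NAT for them).
    run iptables -A FORWARD -o "$EXTIF" -p tcp -s "$IP_HTTP" --sport "$INT_PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

port_forward_rules
```

Run it with APPLY=1 as root on the gateway; without APPLY it only prints the rules so they can be reviewed first.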