LinuxQuestions.org - Linux - Networking - Iptables DNAT on Suse 10.0
(https://www.linuxquestions.org/questions/linux-networking-3/iptables-dnat-on-suse-10-0-a-471514/)

mkirc 08-07-2006 03:49 AM

Iptables DNAT on Suse 10.0
 
Hello,

I'd like to expose an internal http-server to the external net.
My approach: all requests to a dummy port (i.e. 8888) on my standard gateway (which is the only one visible to the external net) will be redirected to the http-server.

I tried the following:

iptables -t nat -A PREROUTING -d ${IP_GATEWAY} -p tcp --dport 8888 -j DNAT --to-destination ${IP_HTTP}:80

Nothing happens; requests like http://IP_GATEWAY:8888 fail?

Can anyone help, any comment is appreciated.

Thanks in advance,
Michael

peter_robb 08-07-2006 05:07 AM

The webserver gets the port 8888 in the http headers and can't find a host/domain that matches that port.

mkirc 08-07-2006 05:39 AM

Thanks for your reply!
If I understand you correctly, my approach fails because the port number is in the http header as well?
Would it help to configure the http-server to listen on port 8888 instead of 80?

peter_robb 08-07-2006 09:47 AM

That would make it work well.

Add a virtualhost that listens on port 8888
and also add a Listen directive for port 8888 in httpd.conf
Leave the default settings of port 80, just add these.

Then add the NAT to the ip address, eg
iptables -t nat -A PREROUTING -i ${EXTIF} -p tcp --dport 8888 -j DNAT --to-destination ${IP_HTTP}

mkirc 08-13-2006 05:28 AM

Hello Peter!

It took me a while to implement your advice, but the internal http-server ran into more basic problems. Anyway, now it's up again (it's a camera, btw). I changed the port of the webserver to 8888, but it's still the same effect: no packets from outside are forwarded to the internal http-server.

I found some hits regarding iptables DNAT saying that it has to be accompanied by a SNAT statement like:
iptables -t nat -A PREROUTING -d ${IP_GATEWAY} -p tcp --dport 8888 -j DNAT --to-destination ${IP_HTTP}
Accomplishing SNAT:
iptables -t nat -A POSTROUTING -s ${IP_HTTP} -p tcp --sport 8888 -j SNAT --to-source ${IP_GATEWAY}
I tried this... but it did not change anything!

On the other hand, the iptables doc says that I only need to reroute the first (incoming) packet; all others follow "automatically".

Maybe you have an idea what could be wrong?

Thanks anyway,
Michael

peter_robb 08-14-2006 08:29 AM

You only need the DNAT rule. The SNAT is handled internally by netfilter.

Avoid using -d ip.add.ress in a DNAT rule.
Rather, use an interface specification, ie -i eth~
This way you can be sure exactly which packets are being changed.
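The following script is an added example, not code from the thread or from LinuxQuestions.org. It puts peter_robb's two points from this reply and the 08-14 post into one reviewable rule set: match incoming packets on the external interface (-i) rather than on a destination address, and use DNAT only, since netfilter's connection tracking reverses the translation for reply packets and no SNAT rule is needed. It also adds the two things a DNAT port forward silently depends on and that the thread does not spell out: IP forwarding must be enabled in the kernel, and the translated packets still have to be accepted by the FORWARD chain. The interface name eth0, the server address 192.168.1.10 and the port 8888 are assumed values for illustration; the server is assumed to listen on 8888, as agreed earlier in the thread. Commands are only printed unless APPLY=1 is set, so the rule set can be checked before it is loaded on a gateway.

```shell
#!/bin/sh
# Added example (not from the thread): forward TCP 8888 arriving on the
# external interface to an internal web server using a single DNAT rule.
# Assumed values: EXTIF=eth0, IP_HTTP=192.168.1.10, DPORT=8888.

EXTIF="${EXTIF:-eth0}"
IP_HTTP="${IP_HTTP:-192.168.1.10}"
DPORT="${DPORT:-8888}"

# Print, one per line, the commands a working DNAT port forward needs.
# Arguments: external interface, internal server IP, TCP port.
# - no -d on the PREROUTING rule: the interface decides which packets
#   are rewritten, so a changed gateway address does not break the rule
# - no SNAT/POSTROUTING rule: conntrack un-translates the replies itself
# - FORWARD rules are needed because after DNAT the packet is routed to
#   the internal host, and a default-DROP FORWARD chain would discard it
dnat_rules() {
  ext="$1"; dst="$2"; port="$3"
  printf '%s\n' \
    "sysctl -w net.ipv4.ip_forward=1" \
    "iptables -t nat -A PREROUTING -i $ext -p tcp --dport $port -j DNAT --to-destination $dst:$port" \
    "iptables -A FORWARD -i $ext -p tcp -d $dst --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
    "iptables -A FORWARD -o $ext -p tcp -s $dst --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Return 0 if the rule set touches only the one port and never uses SNAT
# or a destination-address match, i.e. it follows the advice in the thread.
rules_are_minimal() {
  rules="$(dnat_rules "$1" "$2" "$3")"
  if printf '%s\n' "$rules" | grep -q -- '-j SNAT'; then return 1; fi
  if printf '%s\n' "$rules" | grep -- '-t nat' | grep -q -- ' -d '; then return 1; fi
  return 0
}

# Apply the rules as root when APPLY=1, otherwise just show them.
run_rules() {
  dnat_rules "$EXTIF" "$IP_HTTP" "$DPORT" | while IFS= read -r cmd; do
    if [ "${APPLY:-0}" = 1 ]; then
      eval "$cmd"
    else
      echo "# $cmd"
    fi
  done
}

run_rules
```

Run it once without APPLY to read the generated commands, then with `APPLY=1` on the gateway. If the forward still fails after these rules are loaded, `iptables -t nat -L PREROUTING -v -n` shows whether the DNAT rule's packet counter moves at all; a counter that stays at zero means the packets never reach the rule (wrong interface, or the gateway is not where the traffic arrives), while a rising DNAT counter with no reply points at the FORWARD chain or at the internal host's own firewall.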
