iptables forwarding setting

fj8283888 · 03-14-2007, 02:28 AM

Hi,

how to do the forwarding in iptables

I would like to forward xxx.xxx.xxx.xxx:1234 to www.abc.net:1234

is it possible to use domain instead. I can set it, if I use ip address of www.abc.net the thing is the website is not a fixed ip

thank you heaps

mether · 03-14-2007, 03:43 AM

As far as i know fowarding ( iptables ) work with IP only. What you need is possible with IP's using SNAT. Below doc can be helpful :

http://www.redhat.com/docs/manuals/e...l-ipt-fwd.html

fj8283888 · 03-14-2007, 04:29 AM

so, how to change it??

mehdi.sadighian · 03-14-2007, 06:22 AM

IT SEEMS THAT YOU WANT TO HAVE A DESTINATION NAT.
YOU WANT TO FORWARD THE PACKETS THAT ARE GOING TO xxx.xxx.xxx.xxx:1234 TO www.abc.net:1234.

IT REQUIRE A DENSTINATION NAT THAT MEANS IT.
IF IT'S TRUE YOU SHOULD WRITE SOME COMMANDS LIKE THIS, BUT NOT EXACTLY THIS BECAUSE IM NOT HAVE A LINUX BOX NOW TO TRY UT FIRST:

iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp --dport 1234 -j DNAT --to-destination www.abc.net:1234

echo 1 > /proc/sys/net/ipv4/ip_forward

IT WILL WORK WITH THE DOMAIN NAMES IF THE DNS SERVER IS VALID AND CAN RESOLVE THE DOMAIN NAMES(CHECK THE /etc/resolve.conf).

EXAMPLE:

iptables -t nat -A PREROUTING -d www.yahoo.com -p tcp --dport 80 -j DNAT --to-destination www.google.com

GOOD LUCK.

win32sux · 03-14-2007, 06:36 AM

AFAICT, domain names won't work in the PREROUTING chain like they do with other chains (please correct me if i'm wrong)... either way, you'd need to keep your iptables box informed about what dynamic IP is assigned to the domain name at the time (smells like a cron job maybe)... the rule would then need to be changed whenever the IP changes... an illustration of a possible cron job:

Code:

ABC_IP=`ping -c1 -n abc.net | head -n 2 | grep icmp_seq | \
awk '{print $4}' | awk -F ':' '{print $1}'`

iptables -t nat -A PREROUTING -p TCP -d xxx.xxx.xxx.xxx --dport 1234 \
-j DNAT --to-destination $ABC_IP

NOTE: yes, i know this illustration is quite ugly... the method i used to get the IP kinda sucks, plus this also lacks a way to get rid of the old rule, etc, etc, etc... =/

fj8283888 · 03-14-2007, 08:02 PM

It's working thx

Quote:

Originally Posted by win32sux

AFAICT, domain names won't work in the PREROUTING chain like they do with other chains (please correct me if i'm wrong)... either way, you'd need to keep your iptables box informed about what dynamic IP is assigned to the domain name at the time (smells like a cron job maybe)... the rule would then need to be changed whenever the IP changes... an illustration of a possible cron job:

Code:

ABC_IP=`ping -c1 -n abc.net | head -n 2 | grep icmp_seq | \
awk '{print $4}' | awk -F ':' '{print $1}'`

iptables -t nat -A PREROUTING -p TCP -d xxx.xxx.xxx.xxx --dport 1234 \
-j DNAT --to-destination $ABC_IP

NOTE: yes, i know this illustration is quite ugly... the method i used to get the IP kinda sucks, plus this also lacks a way to get rid of the old rule, etc, etc, etc... =/