LinuxQuestions.org
Old 12-26-2016, 09:52 PM   #1
modrih
Iptables - how to redirect traffic to another ip:port


Hi!

I have a server with an external IP. I want to redirect traffic from that IP to another IP and port.

For example, my server IP address is 80.80.80.80 and I want to redirect traffic from 80.80.80.80:100 to 216.58.214.78:80.

I'm trying to use:

Code:
sysctl net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 216.58.214.78:80

And it WORKS, but only if I have traffic on 80.80.80.80:80. When I want to change to another port, for example 100, I do not see the Google page (216.58.214.78) when I type my server IP address 80.80.80.80:100.

I want access to services, for example:
when I type: 80.80.80.80:100 -> 12.54.456.345:21
when I type: 80.80.80.80:101 -> 60.45.35.34:80
when I type: 80.80.80.80:102 -> 60.45.35.34:80 (second rule for monitoring traffic from 80.80.80.80:102)

All IP addresses are external, there is no internal network.

I want to create many forwardings / redirections to monitor traffic and to block traffic when required. Security is not important. I only need many forwardings / preroutings to another IP and port for monitoring traffic on my server port.

Any ideas?
 
Old 12-27-2016, 02:58 AM   #2
cliffordw
Hi there, and welcome.

I tried to emulate your problem, and I couldn't. Regarding the DNAT in general, a few comments & questions:

- Are you testing from this server, or from a different client machine? This may affect routing on the server (PREROUTING vs OUTPUT chains).
- Which client software are you using to test? With your specific example (redirecting to Google), Google's own redirects play a role too, which may break what you're trying here.
- Some browsers may also influence what happens (with their own DNS caching etc???). For me, Firefox was problematic, but other browsers worked - might just be some of my plugins though.
- I tested successfully with a simpler setup - "links" as browser, or "telnet" test, to a destination that doesn't try and redirect me

Regarding your goal to monitor traffic, a few thoughts:

- If you only want to monitor and block traffic, you don't need the DNAT. Simply routing all clients through your server, and using the MASQUERADE should do the trick. In other words, a client that uses 80.80.80.80 as its gateway, and connects to http://www.google.com/ (rather than http://80.80.80.80:100/) can still be managed by you. Simply log the traffic, and block what you don't want to allow.
- With websites running on virtual hosts, IP address based DNAT or filtering won't work. Firstly, connecting by IP rather than name won't give you the correct site, and secondly this will block / allow all sites on that IP, rather than specific sites.
- A proxy server (like http://www.squid-cache.org/) might therefore be a better solution to your problem.

I hope this helps.

Regards,

Clifford
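
An added example, not written by either poster: a script that prints, for each listen port in a mapping table, a DNAT rule matched on the server address and that port, a LOG rule keyed on the original port through conntrack, and a MASQUERADE rule scoped to the forwarded flow instead of a blanket one. It assumes forwarding is already enabled as in the question and that the FORWARD chain accepts the traffic; the function names and the sample table are constructed for illustration.

```bash
#!/bin/bash
# Added example: print one DNAT + LOG + MASQUERADE rule set per mapping line.
# Input lines on stdin: "<listen_port> <dest_ip> <dest_port>".
# Rules are printed, not applied; review them, then pipe to `sh` as root.
PUBLIC_IP="80.80.80.80"   # server address used in the question

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    local IFS=. n=0 o
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    for o in $1; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

gen_rules() {
    local lport dip dport rc=0
    while read -r lport dip dport; do
        case "$lport" in ''|'#'*) continue ;; esac
        if ! valid_port "$lport" || ! valid_ipv4 "$dip" || ! valid_port "$dport"; then
            echo "skipped invalid mapping: $lport $dip $dport" >&2
            rc=1
            continue
        fi
        # Match only the public address and the chosen listen port.
        echo "iptables -t nat -A PREROUTING -d $PUBLIC_IP -p tcp --dport $lport -j DNAT --to-destination $dip:$dport"
        # After DNAT the packet carries the new destination, so the original
        # listen port is recovered from conntrack to tell 101 and 102 apart.
        echo "iptables -A FORWARD -d $dip -p tcp --dport $dport -m conntrack --ctstate NEW --ctorigdstport $lport -j LOG --log-prefix \"fwd$lport: \""
        # Source-NAT only this flow instead of masquerading everything.
        echo "iptables -t nat -A POSTROUTING -d $dip -p tcp --dport $dport -j MASQUERADE"
    done
    return $rc
}

# Constructed sample table; the first line carries the invalid address from the question.
sample_map() {
    printf '%s\n' "100 12.54.456.345 21" "101 60.45.35.34 80" "102 60.45.35.34 80"
}

sample_map | gen_rules || echo "some mappings were skipped" >&2
```

Two listen ports that share a destination produce the same MASQUERADE rule twice, which is harmless but can be deduplicated with `sort -u` before applying.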
 
  

