LinuxQuestions.org

Linux - Networking: Need help configuring iptables NAT (https://www.linuxquestions.org/questions/linux-networking-3/need-help-configuring-iptables-nat-717247/)

a550ee 04-06-2009 02:50 PM

Need help configuring iptables NAT
 
Hello!

I have a Linux box connected to the internet with a static IP address $A1;
the Linux box runs a web server listening on port $P1.

I want to configure iptables to redirect HTTP requests from the Linux box
to particular addresses on the internet (say $A2) to the local web server on
port $P1.

For example, when a user on the Linux box hits google.com in the browser
he sees google.com, but when he hits http://$A2 he actually sees
$A1:$P1.

The Linux box is very short on RAM and I can't run Squid on it.

dkm999 04-06-2009 04:54 PM

You can achieve this effect for the browser running on your Linux box, by putting a rule like this into your iptables nat chain
Code:

#iptables -t nat -A PREROUTING -d{$A2} -j DNAT --to-destination {$A1}:{$P1}
If your httpd server is listening on the loopback interface as well as $A1, you might substitute 127.0.0.1:80, for example, for the destination address.

If this linux box is really short of memory, though, and you are running a browser on it, you are bound to have troubles (or at least slowness) when browsing. It would seem with the price of memory these days, it would be a good investment to add memory.

If, on the other hand, you want to have the linux box redirect requests coming from behind the box (from local computers), that same iptables rule will work, but you will need to make sure that the other boxes specify their default route as the linux box in question.

a550ee 04-07-2009 03:32 AM

Quote:

Originally Posted by dkm999 (Post 3500495)
You can achieve this effect for the browser running on your Linux box, by putting a rule like this into your iptables nat chain
Code:

#iptables -t nat -A PREROUTING -d{$A2} -j DNAT --to-destination {$A1}:{$P1}
If your httpd server is listening on the loopback interface as well as $A1, you might substitute 127.0.0.1:80, for example, for the destination address.

The rule requires the protocol specification "-p tcp", and it doesn't work. According to this manual http://iptables-tutorial.frozentux.n...-tutorial.html, section 6, packets from localhost don't travel through the PREROUTING chain at all.

Quote:

Originally Posted by dkm999 (Post 3500495)
If, on the other hand, you want to have the linux box redirect requests coming from behind the box (from local computers), that same iptables rule will work, but you will need to make sure that the other boxes specify their default route as the linux box in question.

This would be great, but the first objective is to redirect packets from localhost.

rossonieri#1 04-07-2009 04:12 AM

hello,

Quote:

For example when user on linux box hits google.com in browser
he sees google.com, but when he hits http://$A2 he sees
actually $A1:$P1.
Your example above (google.com) refers to an LVS/load balancer job, not a basic redirection.
You can achieve your goal using either:
- that LVS, or
- simply a basic remote web root directory on the $A2 web server pointing to the $A1 web root, or
- an HTTP reverse proxy.

And it's not that easy, of course.

HTH.

dkm999 04-07-2009 08:09 AM

You are correct; the PREROUTING chain is only consulted for packets arriving from other hosts. According to the manpage for iptables, though, the nat table also contains an OUTPUT chain, into which you can put the same rule in order to redirect locally-generated packets. Sorry for the incompleteness of my previous posting; it was late, and I am on the road, where I cannot so easily consult all the data I normally have at my fingertips.

Once you pass this hurdle, the PREROUTING chain is the right place to put any rules that are intended to redirect traffic passing through the boundary machine.

a550ee 04-08-2009 01:52 PM

I'm trying this rule and it says: "Target problem"

Code:

iptables -t nat -I OUTPUT 1 -p tcp -d $A2 --dport 80  -j DNAT --to $A1:$P1

dkm999 04-08-2009 07:17 PM

Unfortunately, iptables is not as discerning as you might like about its arguments. You need to specify --to-destination in the command where you used --to. And I am assuming that you either are supplying $A1, $A2, and $P1 as variables to some script that you have extracted, or are making the actual IP address and port arguments valid in some other way.
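Pulling together dkm999's two points above (locally generated packets are only seen in the nat OUTPUT chain, PREROUTING is for traffic passing through the box) and the --to-destination fix, here is an added example script that is not from the thread or from any of its posters. The addresses 192.0.2.10 and 198.51.100.7 and port 8080 are assumed placeholders standing in for $A1, $A2 and $P1; edit them before use. By default it prints the iptables commands instead of running them (set DRY_RUN=0 as root to apply), and it includes the removal and listing commands a practitioner wants alongside the install.

```shell
#!/bin/sh
# Added example (not from the thread): the DNAT rules the discussion arrives at,
# one in nat OUTPUT for the box's own traffic and one in nat PREROUTING for
# traffic from hosts behind it. Addresses and port are assumed placeholders.
A1=192.0.2.10           # this box's static public address (assumed value for $A1)
A2=198.51.100.7         # remote address whose HTTP traffic is captured (assumed value for $A2)
P1=8080                 # port of the local web server (assumed value for $P1)
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build one DNAT rule. $1 is the iptables action (-A, -I, -D), $2 the nat chain.
# "-p tcp --dport 80" is mandatory once --to-destination carries a port, and the
# option is spelled --to-destination; "--to" is what produced "Target problem".
dnat_rule() {
    run iptables -t nat "$1" "$2" -p tcp -d "$A2" --dport 80 \
        -j DNAT --to-destination "$A1:$P1"
}

# Traffic generated on this box (a browser on the Linux box itself) never
# passes PREROUTING; only the nat OUTPUT chain sees it.
apply_local_redirect() {
    dnat_rule -A OUTPUT
}

# Traffic from hosts that use this box as their default gateway does pass
# PREROUTING. After the rewrite the destination is this box's own address, so
# the packet is delivered locally (INPUT), not forwarded; ip_forward is still
# needed for the clients' other traffic, and INPUT must accept port $P1.
apply_forwarded_redirect() {
    run sysctl -w net.ipv4.ip_forward=1
    dnat_rule -A PREROUTING
}

# Undo both rules. -D needs the same match as the -A form, hence dnat_rule again.
remove_redirects() {
    dnat_rule -D OUTPUT
    dnat_rule -D PREROUTING
}

# Show what is installed; the pkts/bytes counters show whether the rule matched.
show_nat() {
    run iptables -t nat -L OUTPUT -n -v --line-numbers
    run iptables -t nat -L PREROUTING -n -v --line-numbers
}

apply_local_redirect
apply_forwarded_redirect
show_nat
```

Three caveats worth knowing before relying on this: the nat table is consulted only for the first packet of a connection, so a connection to $A2 that was already open when the rule was added keeps its original destination; the web server receives the request with "Host: $A2", so its virtual host configuration has to accept that name; and the OUTPUT rule diverts every process on the box that talks to $A2 port 80, not just the browser, so anything else on the box that legitimately needs $A2 (updates, monitoring) is silently redirected too.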


All times are GMT -5.