Need help configuring iptables NAT
Hello!
I have a Linux box connected to the internet with a static IP address $A1; the Linux box runs a web server listening on port $P1. I want to configure iptables to redirect HTTP requests from the Linux box to particular addresses on the internet (say $A2) to the local web server on port $P1. For example, when a user on the Linux box hits google.com in a browser he sees google.com, but when he hits http://$A2 he actually sees $A1:$P1. The Linux box is very short on RAM and I can't run squid on it.
You can achieve this effect for the browser running on your Linux box, by putting a rule like this into your iptables nat chain
Code:
# iptables -t nat -A PREROUTING -p tcp -d $A2 --dport 80 -j DNAT --to-destination $A1:$P1
If this Linux box is really short of memory, though, and you are running a browser on it, you are bound to have trouble (or at least slowness) when browsing. It would seem that, with the price of memory these days, it would be a good investment to add memory. If, on the other hand, you want to have the Linux box redirect requests coming from behind the box (from local computers), that same iptables rule will work, but you will need to make sure that the other boxes specify the Linux box in question as their default route.
hello,
You can achieve your goal using either:
- LVS, or
- simply a basic remote web root directory on the $A2 web server pointing to the $A1 web root, or
- an HTTP reverse proxy, and it's not that easy of course.
HTH.
You are correct; the PREROUTING chain is only consulted for packets arriving from other hosts. According to the manpage for iptables, though, the nat table also contains an OUTPUT chain, into which you can put the same rule in order to redirect locally-generated packets. Sorry for the incompleteness of my previous posting; it was late, and I am on the road, where I cannot so easily consult all the data I normally have at my fingertips.
Once you pass this hurdle, the PREROUTING chain is the right place to put any rules that are intended to redirect traffic passing through the boundary machine.
I'm trying this rule and it says: "Target problem"
Code:
iptables -t nat -I OUTPUT 1 -p tcp -d $A2 --dport 80 -j DNAT --to $A1:$P1
Unfortunately, iptables is not as discerning as you might like about its arguments. You need to specify --to-destination in the command where you used --to. And I am assuming that you either are supplying $A1, $A2, and $P1 as variables to some script that you have extracted, or are making the actual IP address and port arguments valid in some other way.
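As an added example (my own script, not code posted in this thread), here is a small POSIX shell script that puts the last few posts together: it spells the target option out as --to-destination, includes the -p tcp match that iptables requires whenever --to-destination carries a port, puts the rule in the nat table's OUTPUT chain so that it catches packets generated on the box itself (PREROUTING only sees packets arriving from other hosts, as said above), and re-runs the match with iptables -C to confirm the rule really landed. The function names and the is_ipv4/is_port checks are mine, not part of iptables; the 203.0.113.10 and 198.51.100.5 values are RFC 5737 documentation addresses standing in for $A2, $A1 and $P1.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes IPv4 and an iptables host
# with nat support. Arguments: <remote-ip> (the thread's $A2), <local-ip> ($A1),
# <local-port> ($P1).

# Rule body shared by insert (-I), check (-C) and delete (-D). Two details that
# trip people up: the option is spelled --to-destination, and iptables refuses a
# port in --to-destination unless the rule also matches -p tcp or -p udp.
dnat_rule_spec() {
    spec="-p tcp -d $1 --dport 80 -j DNAT --to-destination $2:$3"
    printf '%s' "$spec"
}

# Full command line for locally generated packets: nat table, OUTPUT chain,
# inserted at position 1 so no earlier rule can skip past it. Traffic from
# other hosts routed through this box needs the same spec in PREROUTING instead.
build_dnat_rule() {
    printf 'iptables -t nat -I OUTPUT 1 %s\n' "$(dnat_rule_spec "$1" "$2" "$3")"
}

# Argument sanity checks: iptables happily accepts a literal "$A1" left over from
# a template and then fails with an unhelpful message, so reject that early.
is_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Insert the rule, then verify it with -C (exit 0 only if an identical rule exists).
# Needs root; iptables prints nothing on success.
apply_dnat_rule() {
    is_ipv4 "$1" && is_ipv4 "$2" && is_port "$3" || {
        echo "usage: apply_dnat_rule <remote-ip> <local-ip> <local-port>" >&2
        return 2
    }
    spec=$(dnat_rule_spec "$1" "$2" "$3")
    # Word splitting of $spec is intended: the values were validated above and
    # contain no whitespace.
    iptables -t nat -I OUTPUT 1 $spec || return 1
    iptables -t nat -C OUTPUT $spec
}

# Dry run (no root needed): print the command apply_dnat_rule would execute,
# with RFC 5737 documentation addresses standing in for $A2 and $A1:$P1.
build_dnat_rule 203.0.113.10 198.51.100.5 8080
```

Only apply_dnat_rule touches the firewall; the dry run at the bottom just prints the command. To undo, run `iptables -t nat -D OUTPUT` followed by the same spec. Because the rewritten destination $A1 is one of the box's own addresses, the kernel re-routes the packet after the OUTPUT nat hook and delivers it to the local web server; it never leaves the box.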