Port redirecting with IPtables

tquang · 06-01-2012, 09:11 PM

I have 1 server is still running with web service and reverse proxy service. My server also have 2 IPs.

Web service with port: 80
Reverse proxy service with port: 6060
IP: 1.2.3.4 and 5.6.7.8

So, I want config with iptables to redirect port, example:

Code:

iptables -t nat -A PREROUTING -p tcp --dport 80 ! -s 1.2.3.4 -j REDIRECT --to-ports 6060
iptables -t nat -A PREROUTING -p tcp --dport 80 ! -s 5.6.7.8 -j REDIRECT --to-ports 6060

But, problem will occured: if first run config like that, second rule not work. Because first rule detect and redirect to: 1.2.3.4:6060
Yes, it's time second rule not effective.

I don't want to re-config web service to listen other port.

Thank all read.

Ser Olmy · 06-02-2012, 03:34 PM

Quote:

Originally Posted by tquang

So, I want config with iptables to redirect port, example:

Code:

iptables -t nat -A PREROUTING -p tcp --dport 80 ! -s 1.2.3.4 -j REDIRECT --to-ports 6060
iptables -t nat -A PREROUTING -p tcp --dport 80 ! -s 5.6.7.8 -j REDIRECT --to-ports 6060

The first rule says "redirect incoming traffic where the destination port is 80 and the source address is not 1.2.3.4 to port 6060 on this system". As 1.2.3.4 is one of the addresses assigned to that same system, the rule does not make sense. It will apply to all incoming traffic, as you've discovered.

You mention that you're running a web server on port 80. Should this server be accessed directly rather than through the proxy service? If so, and if 1.2.3.4 is assigned to eth0 and 5.6.7.8 to eth1, this should work:

Code:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 ! -d 1.2.3.4 -j REDIRECT --to-ports 6060
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 ! -d 5.6.7.8 -j REDIRECT --to-ports 6060

Remember, you don't have to worry about locally generated traffic in the PREROUTING chain, as such packets never traverse it but instead go straight to the OUTPUT chain.