LinuxQuestions.org

Linux - Networking: Question about ip/port redirection (https://www.linuxquestions.org/questions/linux-networking-3/question-about-ip-port-redirection-786491/)

rvn2k2 02-02-2010 12:59 PM

Question about ip/port redirection
 
Hey guys.. I've got a question. I have "Server A" with the real internet IP 1.2.3.4 (eth0) and LAN IP 192.168.1.1 (eth1).
There's also "Server B" with LAN IP 192.168.1.2 (eth0). I'm running an Apache web server on "Server B", so I want to redirect all traffic from IP 1.2.3.4 port 80 (Server A) to 192.168.1.2 port 80 (Server B), using the following rules:

Code:

iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 192.168.1.2:80

This actually works pretty well; from the internet I can browse http://1.2.3.4.
But the problem is that if I check the Apache logs, all incoming connections seem to come from 192.168.1.1 instead of showing the real source IP addresses (internet IPs), so this is screwing up all my web stats. I've been looking for hours and hours for how to make a transparent redirect, but can't find any info. I know there must be a way, because my old WRT54G router, which uses iptables, could do it.

Please help, thanks :)

nimnull22 02-02-2010 01:27 PM

What did you expect? You used the NAT chain; NAT will change the IP, it can't do it any other way.
You need a bridge to keep the original IP.

rvn2k2 02-02-2010 01:31 PM

I'm not very good at this, could you give me an example to accomplish what I need? pleeeeease :D

sparc86 02-02-2010 01:53 PM

You want to use PREROUTING.

This link might be helpful:

http://ha.redhat.com/docs/manuals/en...rerouting.html

nimnull22 02-02-2010 02:15 PM

A bridge will send everything from one eth to the other, and I do not really know if it is possible to separate something out to a local process.
The only way, I think, is to give a real IP to server "b" with Apache, and filter only port 80 for it.

rvn2k2 02-02-2010 02:30 PM

Already using PREROUTING in my rule..

Now the million dollar question is: how come CISCO routers, cheap routers (D-Link, Linksys, etc.) and even software firewalls like pfSense can do this trick?

:)

nimnull22 02-02-2010 02:41 PM

Wait a second. I am also behind 3 NATs, but I can see source addresses.

nimnull22 02-02-2010 02:54 PM

You know, try to remove:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Leave only:
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 192.168.1.2:80

echo 1 > /proc/sys/net/ipv4/ip_forward

nimnull22 02-02-2010 02:56 PM

And MASQUERADE is not good; better to use SNAT. But that is for later.

nimnull22 02-02-2010 03:02 PM

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <YOUR_REAL_IP>

This should be better.
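To see why the LAN-side MASQUERADE in the first post erases the client addresses, and what nimnull22's corrected rule set changes, here is a small Python model of the path a forwarded packet takes through Server A (PREROUTING DNAT, routing decision, POSTROUTING NAT). It is an added example written for this thread, not iptables and not code from anyone in the thread. The interface addresses and the rules are the ones posted; the client address 203.0.113.7 and the outbound destination 198.51.100.9 are constructed, and the routing decision is reduced to "LAN prefix out eth1, everything else out eth0". It runs the original rule set and the corrected one side by side and reports what Apache on Server B would log in each case.

```python
"""
Toy model of the netfilter path a packet takes through "Server A" in this thread:
PREROUTING (nat) -> routing decision -> POSTROUTING (nat).
It is a simulation written for this thread, not iptables, and models only the
match fields the posted rules use.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Server A's own addresses, as given in the first post.
IFACE_ADDR = {"eth0": "1.2.3.4", "eth1": "192.168.1.1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    chain: str                       # "PREROUTING" or "POSTROUTING"
    target: str                      # "DNAT", "SNAT" or "MASQUERADE"
    out_iface: Optional[str] = None  # -o
    dst: Optional[str] = None        # -d
    dport: Optional[int] = None      # --dport
    proto: Optional[str] = None      # -p
    to: Optional[str] = None         # --to / --to-source


def route(pkt: Packet) -> str:
    """Routing decision on Server A: the LAN prefix goes out eth1, everything else eth0."""
    return "eth1" if pkt.dst.startswith("192.168.1.") else "eth0"


def matches(rule: Rule, pkt: Packet, out_iface: Optional[str]) -> bool:
    """Every match field given on the rule must agree with the packet (iptables ANDs them)."""
    if rule.out_iface is not None and rule.out_iface != out_iface:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return True


def traverse(rules: List[Rule], pkt: Packet) -> Tuple[Packet, str]:
    """Run one new-connection packet through PREROUTING, routing and POSTROUTING.

    NAT targets are terminating, so the first matching rule in each chain wins."""
    for r in rules:
        if r.chain == "PREROUTING" and matches(r, pkt, None):
            if r.target == "DNAT":
                host, _, port = r.to.partition(":")
                pkt = replace(pkt, dst=host, dport=int(port) if port else pkt.dport)
            break
    out = route(pkt)  # routing is done on the rewritten destination
    for r in rules:
        if r.chain == "POSTROUTING" and matches(r, pkt, out):
            if r.target == "MASQUERADE":
                # source becomes the address of whichever interface the packet leaves on
                pkt = replace(pkt, src=IFACE_ADDR[out])
            elif r.target == "SNAT":
                pkt = replace(pkt, src=r.to)
            break
    return pkt, out


# Rule set from the first post (MASQUERADE on both interfaces).
ORIGINAL_RULES = [
    Rule("POSTROUTING", "MASQUERADE", out_iface="eth0"),
    Rule("POSTROUTING", "MASQUERADE", out_iface="eth1"),
    Rule("PREROUTING", "DNAT", proto="tcp", dst="1.2.3.4", dport=80, to="192.168.1.2:80"),
]

# nimnull22's corrected set: no LAN-side masquerade, and SNAT on eth0 instead of MASQUERADE.
FIXED_RULES = [
    Rule("POSTROUTING", "SNAT", out_iface="eth0", to="1.2.3.4"),
    Rule("PREROUTING", "DNAT", proto="tcp", dst="1.2.3.4", dport=80, to="192.168.1.2:80"),
]


def source_seen_by_apache(rules: List[Rule], client_ip: str) -> str:
    """Source address Apache on Server B will log for a web request from client_ip."""
    pkt, out = traverse(rules, Packet(src=client_ip, dst="1.2.3.4", dport=80))
    assert out == "eth1" and pkt.dst == "192.168.1.2", "DNAT to Server B did not happen"
    return pkt.src


def source_seen_by_internet(rules: List[Rule]) -> str:
    """Source address an internet host sees when Server B itself connects outbound."""
    pkt, out = traverse(rules, Packet(src="192.168.1.2", dst="198.51.100.9", dport=443))
    assert out == "eth0"
    return pkt.src


if __name__ == "__main__":
    client = "203.0.113.7"  # constructed client address (documentation range)
    for name, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(f"{name:8s} apache logs {source_seen_by_apache(rules, client):15s}"
              f" outbound from Server B appears as {source_seen_by_internet(rules)}")
```

With the eth1 masquerade, every packet forwarded to Server B leaves Server A through eth1 and is rewritten to 192.168.1.1, which is exactly what the Apache logs showed. Without it the client address survives, but only if Server B's default gateway is 192.168.1.1, so that its replies pass back through Server A's connection tracking and get un-NATed; a Server B whose default route points elsewhere is the usual reason people add the LAN-side masquerade in the first place. From a logging point of view the LAN-side masquerade is worth avoiding: once the real source address is gone, the web logs can no longer be used to attribute abuse or to feed rate limiting and blocklists.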

rvn2k2 02-02-2010 07:01 PM

So the line should be this? Because it didn't even open the port.

iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 192.168.1.2:80

echo 1 > /proc/sys/net/ipv4/ip_forward

nimnull22 02-02-2010 07:25 PM

Can you post output of:
iptables-save

Thanks

And check, maybe you have some filters on Apache.

sparc86 02-02-2010 07:56 PM

Try this:

Quote:

#telnet $ip_address 80
in order to test if port 80 is open.


All times are GMT -5.