Question about ip/port redirection
Hey guys.. I've got a question. I have "Server A" with real internet IP 1.2.3.4 (eth0) and LAN IP 192.168.1.1 (eth1).
There's also "Server B" with LAN IP 192.168.1.2 (eth0). I'm running an Apache web server on "Server B", so I want to redirect all traffic from IP 1.2.3.4 port 80 (Server A) to 192.168.1.2 port 80 (Server B), using the following rule:
Code:
iptables -P FORWARD ACCEPT
But the problem is that if I check the Apache logs, all incoming connections seem to come from 192.168.1.1 instead of showing the real source IP addresses (internet IPs), so this is screwing up all my web stats. I've been looking for hours and hours on how to make a transparent redirect, but can't find any info. I know there must be a way, because my old WRT54G router, which uses iptables, could do it. Please help, thanks :)
What did you expect? You used the NAT chain; NAT will change the IP, it can't do it any other way.
You need a bridge to keep the original IP.
I'm not very good at this, could you give me an example of how to accomplish what I need? pleeeeease :D
You want to use PREROUTING.
This link might be helpful: http://ha.redhat.com/docs/manuals/en...rerouting.html
A bridge will send everything from one eth to the other, and I do not really know if it is possible to separate something out to a local process.
The only way, I think, is to give a real IP to server "B" with Apache, and filter only port 80 for it.
Already using PREROUTING in my rule..
Now the million dollar question is how come Cisco routers, cheap routers (D-Link, Linksys, etc.) and even software firewalls like pfSense can do this trick? :)
Wait a second. I am also behind 3 NATs, but I can see source addresses.
You know, try to remove:
Code:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Leave only:
Code:
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 192.168.1.2:80
echo 1 > /proc/sys/net/ipv4/ip_forward
And MASQUERADE is not good, better to use SNAT. But that is for later.
Code:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source <YOUR_REAL_IP>
This should be better.
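The ruleset the last two replies converge on (DNAT in PREROUTING, SNAT only on the public interface, nothing rewriting the source on eth1), written out as an iptables-restore file. This is an added example, not code from the thread or from any poster. It uses the thread's addresses and interfaces (Server A: eth0 = 1.2.3.4, eth1 = 192.168.1.1; Server B = 192.168.1.2); the function names, the `apply` argument and the tightened FORWARD policy are this example's own choices, not something the thread states. It also assumes Server B's default gateway is 192.168.1.1 (Server A): with plain DNAT the reply packets have to pass back through Server A to be un-NATed, or the connection never completes.

```shell
#!/bin/sh
# Added example (not from the thread): port-forward 1.2.3.4:80 to 192.168.1.2:80
# on Server A while keeping the real client source address visible to Apache.
# The point is that the only source rewrite is on the *public* interface for
# outbound LAN traffic; a MASQUERADE/SNAT on eth1 is what makes every hit
# appear to come from 192.168.1.1.
PUBLIC_IF=eth0
PUBLIC_IP=1.2.3.4
LAN_IF=eth1
LAN_HOST=192.168.1.2
PORT=80

# Emit the ruleset in iptables-restore format. A function so it can be
# inspected (or tested) without touching the running kernel.
build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound to the public address on $PORT goes to Server B. DNAT rewrites only
# the destination; the client's source IP is untouched.
-A PREROUTING -i $PUBLIC_IF -p tcp -d $PUBLIC_IP --dport $PORT -j DNAT --to-destination $LAN_HOST:$PORT
# Only LAN hosts going *out* to the internet get their source rewritten.
# Deliberately no POSTROUTING rule for the LAN side.
-A POSTROUTING -o $PUBLIC_IF -j SNAT --to-source $PUBLIC_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Instead of 'iptables -P FORWARD ACCEPT': forward only the DNATed web
# connections, LAN-to-internet traffic, and replies to established flows.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $PUBLIC_IF -o $LAN_IF -p tcp -d $LAN_HOST --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $PUBLIC_IF -j ACCEPT
COMMIT
EOF
}

# Checks on the generated text (no root needed): the DNAT rule is present,
# and nothing rewrites the source on the LAN interface.
has_dnat() {
    build_rules | grep -F -- "-j DNAT --to-destination $LAN_HOST:$PORT" >/dev/null
}
has_lan_snat() {
    build_rules | grep -E -- "-o $LAN_IF .*-j (SNAT|MASQUERADE)" >/dev/null
}

# Load the ruleset. Needs root and the iptables userland; run on Server A only.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    build_rules | iptables-restore
}

# Without arguments just print the ruleset; './forward.sh apply' loads it.
case "${1:-show}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Once loaded, `iptables -t nat -L PREROUTING -n -v` should show the packet counter on the DNAT rule climbing as requests come in, and the access_log on Server B should show the client's address rather than 192.168.1.1. If Server B's default route does not point at 192.168.1.1, the SYN reaches Apache but the SYN-ACK goes out some other way and the client never sees a reply; that is the case where people reach for an SNAT on eth1, which is exactly the rule that hides the source.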
So the lines should be these? Because it didn't even open the port:
Code:
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 1.2.3.4
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 192.168.1.2:80
echo 1 > /proc/sys/net/ipv4/ip_forward
Can you post the output of:
Code:
iptables-save
Thanks. And check, maybe you have some filters on Apache.
Try it: