
Thread: iptables redirect

  1. #11
    Join Date
    Sep 2010
    Beans
    120

    Re: iptables redirect

    Just as a test I did this

    iptables -t nat -vnL
    Chain PREROUTING (policy ACCEPT 504 packets, 62767 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.2.150
    1 52 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.2.150
    0 0 DNAT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.2.150

    Chain POSTROUTING (policy ACCEPT 1 packets, 52 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    Then I tried to connect to http://192.168.2.154, which should have routed me to 192.168.2.150,
    but it did not work either.

  2. #12
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: iptables redirect

    Looking at this again, if you are trying to connect from the machine that these rules are on, to some other machine, then you would need to put them in POSTROUTING instead of PREROUTING.

    Here's my handy dandy diagram of how the iptables flow works...

    PREROUTING will rewrite addresses for the interface specified coming into the machine and POSTROUTING will rewrite for packets on the way out. The routing table should direct to the correct interface based on IP address.
    Last edited by BkkBonanza; March 17th, 2011 at 08:25 AM.

  3. #13
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: iptables redirect

    I just reviewed my own iptables rules on my router and one thing I noticed is that I have SNAT in the POSTROUTING chain to handle stuff going out to the net getting back to the local machine.

    It occurred to me that without a similar rule your requests may get to the server port 80 but not make it back to the originating machine without a reverse rule. (If your server log shows requests but they don't get back to the original browser... they may get dropped when coming back via the router).

    e.g. if you want requests coming in on ppp0 to return correctly out ppp0 you may need

    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

    or (but not both)

    iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to WANIP
    (where WANIP is the IP address of the ppp0 interface)

    I didn't notice this before because I'd not thought of the normal masquerading that my router does even when port forwarding isn't being used.
    Last edited by BkkBonanza; March 17th, 2011 at 08:45 AM.

  4. #14
    Join Date
    Sep 2010
    Beans
    120

    Re: iptables redirect

    I tried the settings earlier again with no luck, so I started tracing the problem and found that the virtual machine which is connected to the net is unable to ping the 192.168.2.150 web server O_o
    Not sure why.

    The web server is able to ping the proxy server though.

  5. #15
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,819
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: iptables redirect

    Use traceroute to see where the connection dies.

    Often problems like this arise because routing is incorrectly configured on one end of the connection or the other. You should also check to make sure that IP forwarding is enabled in the kernel on all machines in the chain that have multiple interfaces. (If 'cat /proc/sys/net/ipv4/ip_forward' returns zero, forwarding is disabled. Read the comments in /etc/sysctl.conf to find out how to fix this.)

  6. #16
    Join Date
    Sep 2010
    Beans
    120

    Re: iptables redirect

    I re-installed the machine I am forwarding from again.
    The first thing I did was set up and check the network to make sure it worked; I can ping the server, everything works fine now.

    Then I created the ppp0 connection and ran echo 1 > /proc/sys/net/ipv4/ip_forward, iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.2.150 and iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

    Tested and it's not working :'(

    I removed iptables completely from the web server just in case but still no joy.

    root@route:/home/administrator# iptables -vnL
    Chain INPUT (policy ACCEPT 691 packets, 76184 bytes)
    pkts bytes target prot opt in out source destination

    Chain FORWARD (policy ACCEPT 3 packets, 152 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 201 packets, 49745 bytes)
    pkts bytes target prot opt in out source destination
    root@route:/home/administrator# iptables -t nat -vnL
    Chain PREROUTING (policy ACCEPT 1406 packets, 136K bytes)
    pkts bytes target prot opt in out source destination
    1 52 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:192.168.2.150

    Chain POSTROUTING (policy ACCEPT 1 packets, 52 bytes)
    pkts bytes target prot opt in out source destination
    0 0 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    root@route:/home/administrator# route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    41.133.132.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
    192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
    root@route:/home/administrator#
    root@route:/home/administrator# cat /proc/sys/net/ipv4/ip_forward
    1
    root@route:/home/administrator#
    What could I be doing wrong?
    Last edited by viperce; March 18th, 2011 at 10:04 AM.

  7. #17
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: iptables redirect

    Does the access log on the webserver show any hits from you? I'm curious if the request is getting there from the redirect. That output of the nat table shows 1406 packets accepted thru the redirect rule which means something was going thru there.

    They should appear in the log as though coming from the redirect machine (due to the masquerading the src IP gets changed). On the way back, in theory, it should get its origin IP set back again.

    I also have the following two rules in my routing script, so maybe they are needed too.

    sudo iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

    but I thought the forwarding happens even without the rules and these just ensure it's replies only allowed in. But since it's not working it's worth testing these two. The --state condition is only needed to prevent non-reply traffic, i.e. the first rule could be just like the second rule.
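    An added example (my own helper, not code from any poster) for reading the counter output quoted in post #16 and discussed above: the number in each "Chain ... (policy ACCEPT N packets ...)" header counts packets that matched no rule in that chain, while the first column of a rule line is that rule's own match count, so the two must be read separately. The sample output is constructed from post #16.

```sh
#!/bin/sh
# Added example (not from the thread): read the counters of `iptables -t nat -vnL`
# so that per-rule hits are checked, not the chain policy counters.  The policy
# counter in each "Chain ..." header counts packets that matched no rule in that
# chain; the first column of a rule line is that rule's own match count.
# NAT_SAMPLE is constructed from the output in post #16.  Use `iptables -t nat -vnxL`
# on a real box so counters are exact numbers rather than "136K" style abbreviations.
NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 1406 packets, 136K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    52 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.2.150

Chain POSTROUTING (policy ACCEPT 1 packets, 52 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# One line per rule: CHAIN TARGET IN OUT PKTS (header and policy lines are skipped).
nat_rule_hits() {
    printf '%s\n' "$1" | awk '
        /^Chain /                    { chain = $2; next }
        $1 == "pkts"                 { next }
        $1 ~ /^[0-9]+$/ && NF >= 7   { print chain, $3, $6, $7, $1 }'
}

# Packet count of the first rule in CHAIN whose target is TARGET; 0 if there is none.
rule_pkts() {  # usage: rule_pkts "$output" CHAIN TARGET
    nat_rule_hits "$1" | awk -v c="$2" -v t="$3" '$1 == c && $2 == t { print $5; exit }' | grep . || echo 0
}

# Verdict for a DNAT port forward: did the DNAT rule see traffic, and did the
# MASQUERADE rule?  A DNAT'd packet leaves on the LAN interface, so a MASQUERADE
# rule with -o on the WAN interface never matches it; the server's replies must
# still route back through this box (post #13).
nat_verdict() {
    dnat=$(rule_pkts "$1" PREROUTING DNAT)
    masq=$(rule_pkts "$1" POSTROUTING MASQUERADE)
    if [ "$dnat" -eq 0 ]; then
        echo "DNAT matched nothing: traffic is not arriving on the -i interface/port"
    elif [ "$masq" -eq 0 ]; then
        echo "DNAT matched $dnat, MASQUERADE 0: forwarded packets left on another interface; check the return route from the server"
    else
        echo "DNAT matched $dnat, MASQUERADE matched $masq"
    fi
}

nat_verdict "$NAT_SAMPLE"
```

On a live router, pipe the real output in with `nat_verdict "$(iptables -t nat -vnxL)"` after a single test request, so the counters reflect only that request.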

  8. #18
    Join Date
    Sep 2010
    Beans
    120

    Re: iptables redirect

    I found that if I do echo 1 > /proc/sys/net/ipv4/ip_forward, iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.2.150 and iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE,

    then connect to http://192.168.2.153 (new forwarding PC IP), it routes me to the webserver, but if I change it to ppp0 it does not work.

  9. #19
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: iptables redirect

    If you're doing that within your own network then it would make sense. I'm not sure just what the network layout is there. I'd assumed you had outside requests coming via ppp0 that you wanted to go to the web server. That's why the suggested rule grabs packets on ppp0. But yes, if you are within the network (connected to eth0) and send a request it wouldn't be coming into the redirect machine on ppp0 but on eth0.

    If you change the rule to not have -i (interface) option at all then it should redirect any traffic regardless of where it comes from, based on only the dest port being 80. I guess it depends what you intend.

  10. #20
    Join Date
    Sep 2010
    Beans
    120

    Re: iptables redirect

    I tried:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.2.150
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth0 -o ppp0 -j ACCEPT

    and it still does not work on ppp0. It works fine on the local LAN but not externally.
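    Pulling the thread's pieces together as an added example (my own script, not any poster's): a function that prints the complete rule set for forwarding a TCP port from the WAN interface to a LAN host, in dry-run form so it can be reviewed before being applied. It assumes the thread's interface names and addresses (ppp0, eth0, router LAN address 192.168.2.153, web server 192.168.2.150) and adds what the posts only touch on: a FORWARD chain with a DROP policy that admits only the forwarded port and reply traffic, and a hairpin DNAT for LAN clients, whose requests arrive on eth0 rather than ppp0 (post #19) and must be matched on the router's own address rather than on every port-80 packet (post #20).

```sh
#!/bin/sh
# Added example (not from the thread): print the iptables commands that forward
# tcp/PORT arriving on the WAN interface to TARGET on the LAN, plus the hairpin
# case for LAN clients that connect to the router's own LAN address.
# The commands are printed, not run, so they can be reviewed first and then applied with
#   portforward_rules ppp0 eth0 192.168.2.153 192.168.2.150 80 | sudo sh
portforward_rules() {
    [ $# -eq 5 ] || { echo "usage: portforward_rules WAN_IF LAN_IF ROUTER_LAN_IP TARGET PORT" >&2; return 1; }
    wan=$1 lan=$2 router_lan_ip=$3 target=$4 port=$5
    cat <<EOF
# routing between interfaces must be on (post #15: ip_forward must read 1)
sysctl -w net.ipv4.ip_forward=1
# inbound from WAN: PREROUTING rewrites the destination of packets arriving on $wan (post #12)
iptables -t nat -A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $target:$port
# hairpin: a LAN client reaches the router on $lan, not $wan (post #19), so match only
# traffic addressed to the router itself, never every LAN packet to port $port
iptables -t nat -A PREROUTING -i $lan -d $router_lan_ip -p tcp --dport $port -j DNAT --to-destination $target:$port
# requests forwarded to $target are source-NATed to the router, so $target's replies come
# back through this box even if its default route is elsewhere; the server log then shows
# the router's address instead of the client's (post #17)
iptables -t nat -A POSTROUTING -o $lan -p tcp -d $target --dport $port -j MASQUERADE
# outbound: POSTROUTING rewrites the source of packets leaving on $wan (post #13)
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
# FORWARD: deny by default; admit reply traffic, the forwarded port, and LAN-to-WAN only
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -p tcp -d $target --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $lan -o $lan -p tcp -d $target --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
EOF
}

# Number of iptables commands in the generated set (a quick sanity check before applying).
portforward_rule_count() {
    portforward_rules "$@" | grep -c '^iptables'
}

portforward_rules ppp0 eth0 192.168.2.153 192.168.2.150 80
```

Run it once with the real interface names and diff the output against `iptables-save` after applying, so nothing beyond these rules ends up in the tables.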
