
iptable PREROUTING questions 1

Status
Not open for further replies.

stfaprc

Programmer
Feb 10, 2005
216
US
Running RH FC4.
I want to redirect requests to local port 8080 to another server's port 80 (which is working). I tried:
echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 192.168.1.53:80

/sbin/iptables -t nat -A PREROUTING -p tcp --dport 8080 -j LOG --log-prefix "PREROUTING: " --log-tcp-options --log-ip-options

-----
When I try accessing 8080 with a browser, nothing seems to happen and eventually the browser times out.
The only lines showing in the messages log on the server are:
Oct 11 15:01:02 ls2 kernel: Removing netfilter NETLINK layer.
Oct 11 15:01:03 ls2 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Oct 11 15:01:03 ls2 kernel: Netfilter messages via NETLINK v0.30.
Oct 11 15:01:03 ls2 kernel: ip_conntrack version 2.4 (1920 buckets, 15360 max) - 224 bytes per conntrack
-----
Questions: what is the proper syntax for redirecting to the other server?

I may not know the interface number at all times. How can I get iptables to listen for a specific local IP address?

How can I have the log entries go to a file other than the "messages" log file?

Thanks.
 
Your PREROUTING syntax seems a bit vague. It should be more like:
Code:
iptables -A PREROUTING -t nat -i EXT_IF -p tcp -d EXT_IP --dport 80 -j DNAT --to-destination 192.168.1.53:80
EXT_IF = Incoming interface
EXT_IP = Router IP

Once we have changed the information for the incoming packet, we need to allow it through.
Code:
iptables -A FORWARD -i EXT_IF -p tcp -d 192.168.1.53 --dport 80 -j ACCEPT

--== Anything can go wrong. It's just a matter of how far wrong it will go till people think it's right. ==--
 
Can I use an ip address instead of "-i EXT_IF" ?

So to do this redirection I need to have 3 iptables commands:
PREROUTING -p tcp --dport 8080 -j DNAT --to 192.168.1.53:80

PREROUTING -p tcp --dport 8080 -j LOG --log-prefix "PREROUTING: " --log-tcp-options --log-ip-options

FORWARD -p tcp -d 192.168.1.53 --dport 80 -j ACCEPT
?

 
Can I use an ip address instead of "-i EXT_IF" ?
No, -i must be an interface name, i.e. eth0, eth1.

So to do this redirection I need to have 3 iptable commands
Technically you only need 2. I'm not sure you can have logging at the PRE/POSTROUTING sections. You could however log it at the FORWARD section.

--== Anything can go wrong. It's just a matter of how far wrong it will go till people think it's right. ==--
 
Hmm, then it seems that I am going about this the wrong way.

Situation:
We are using simpleproxy to redirect ports on a specific IP address to another PC
(i.e. simpleproxy -L 10.10.10.11:80 -R 192.168.1.58:80 -d).

It works fine, except that the target server sees the requests as coming from 10.10.10.11 and puts that in the web logs, whereas we want to see the real originating address
(i.e. 255.001.001.257) in the web logs of the target server.


 
...we want to see the real originating address
That is not possible. By nature of their design, proxies (as opposed to routers) don't forward the original connection request but instead initiate a separate connection to the destination, retrieving the related information and storing it in their cache, hence the name proxy.

--== Anything can go wrong. It's just a matter of how far wrong it will go till people think it's right. ==--
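As an added example, not code from the thread or from any of its posters, here is a POSIX sh script that generates, checks and optionally applies the rules the reply above describes (the nat PREROUTING DNAT plus the FORWARD rule), with the LOG rule placed where it can actually match. EXT_IF=eth0, EXT_IP=10.10.10.11 and the 8080 listen port are placeholder assumptions; the target 192.168.1.53:80 is the one from the thread. It also covers the later exchange about the originating address, see the note after the code.

```shell
#!/bin/sh
# Added example (not from the thread): generate, validate and optionally apply
# the iptables rules for forwarding a local port to another server.
# The values below are placeholder assumptions except the target from the thread.
EXT_IF=eth0            # incoming interface (assumed)
EXT_IP=10.10.10.11     # local IP the clients connect to (assumed)
LPORT=8080             # local port to redirect (from the original post)
TARGET_IP=192.168.1.53 # target web server (from the thread)
TPORT=80

# Accept only a strict dotted quad: four decimal octets 0-255 with no leading
# zeros (inet_aton reads "010" as octal). The thread's example address
# "255.001.001.257" is rejected on both counts.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# A TCP port: decimal, 1-65535, no leading zero.
valid_port() {
    case $1 in ''|*[!0-9]*|0*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -le 65535 ]
}

# Print the rules for one redirection:
#   dnat_rules EXT_IF EXT_IP LPORT TARGET_IP TPORT
# Order matters: LOG is non-terminating and DNAT is terminating, so a LOG rule
# appended after DNAT (as in the original post) never sees a packet. The nat
# table only sees the first packet of each connection, so this logs new
# connections, not every packet.
dnat_rules() {
    ext_if=$1 ext_ip=$2 lport=$3 tgt_ip=$4 tport=$5
    # The output is fed to sh, so reject anything that is not a plain interface name.
    case $ext_if in
        ''|*[!A-Za-z0-9_.:-]*) echo "dnat_rules: bad interface name: $ext_if" >&2; return 2 ;;
    esac
    if ! valid_ipv4 "$ext_ip" || ! valid_ipv4 "$tgt_ip" || ! valid_port "$lport" || ! valid_port "$tport"; then
        echo "dnat_rules: invalid address or port in: $*" >&2
        return 2
    fi
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $ext_if -p tcp -d $ext_ip --dport $lport -j LOG --log-prefix \"PREROUTING: \"" \
      "iptables -t nat -A PREROUTING -i $ext_if -p tcp -d $ext_ip --dport $lport -j DNAT --to-destination $tgt_ip:$tport" \
      "iptables -A FORWARD -i $ext_if -p tcp -d $tgt_ip --dport $tport -m state --state NEW,ESTABLISHED -j ACCEPT" \
      "iptables -A FORWARD -o $ext_if -p tcp -s $tgt_ip --sport $tport -m state --state ESTABLISHED -j ACCEPT"
}

# Enable forwarding and load the generated rules (needs root).
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    dnat_rules "$@" | sh -e
}

case ${1-} in
    --apply) apply_rules "$EXT_IF" "$EXT_IP" "$LPORT" "$TARGET_IP" "$TPORT" ;;
    *)       dnat_rules "$EXT_IF" "$EXT_IP" "$LPORT" "$TARGET_IP" "$TPORT" ;;
esac
```

Run it without arguments to print the rules, or as root with `--apply` to load them. Two points from the thread: when the interface is not known in advance, `-i` can be dropped and `-d EXT_IP` alone pins the rule to one local address, which is what the second question in the original post asks for. And because DNAT rewrites only the destination, the target server sees the client's real source address, unlike the simpleproxy setup in the later post; this holds only if the target's replies route back through this host so conntrack can reverse the translation. If the target uses a different default gateway, a POSTROUTING SNAT or MASQUERADE rule is needed as well, which again hides the original address from the target's logs.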
 