* Redirect in intranet using DNAT?
@ 2003-11-16 10:43 Michael Feldmann
  2003-11-16 11:22 ` Antony Stone
  0 siblings, 1 reply; 3+ messages in thread
From: Michael Feldmann @ 2003-11-16 10:43 UTC (permalink / raw)
  To: netfilter

Hi all, 


How can I redirect traffic from one internal IP to another? My situation is as 
follows:

I have two webservers in an Intranet, one on 192.168.0.1, port 80, the
other on 192.168.0.5 port 80. Each machine has only one ethernet
card, attached to the same switch. Now I want to take away the first
webserver. In order to do this transparently, I thought of using a
redirect rule.

Thus, on 192.168.0.1 I tried the following commands:

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 --dport 80 -j DNAT
--to 192.168.0.5:80
iptables -t nat -A PREROUTING -p udp -d 192.168.0.1 --dport 80 -j DNAT
--to 192.168.0.5:80


For testing reasons, all the policies on both machines are set to ACCEPT.
iptables -t nat -L -n yields:


Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  0.0.0.0/0            192.168.0.1        udp dpt:80
to:192.168.0.5:80
DNAT       tcp  --  0.0.0.0/0            192.168.0.1        tcp dpt:80
to:192.168.0.5:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


With these rules, I thought an attempt to reach 192.168.0.1:80 would
lead me to 192.168.0.5:80. But it seems there are no packets arriving at
192.168.0.5:80.
Obviously, I seem to overlook something. But what?

Thanks in advance
Michael


P.S. Sorry if this question has been posted twice. I am not sure if
yesterday's posting has really reached the list.




* Re: Redirect in intranet using DNAT?
  2003-11-16 10:43 Redirect in intranet using DNAT? Michael Feldmann
@ 2003-11-16 11:22 ` Antony Stone
       [not found]   ` <200311161301.40525.m_feldmann@t-online.de>
  0 siblings, 1 reply; 3+ messages in thread
From: Antony Stone @ 2003-11-16 11:22 UTC (permalink / raw)
  To: netfilter

On Sunday 16 November 2003 10:43 am, Michael Feldmann wrote:

> Hi all,
>
>
> How can I redirect traffic from one internal IP to another? My situation is
> as follows:
>
> I have two webservers in an Intranet, one on 192.168.0.1, port 80, the
> other on 192.168.0.5 port 80. Each machine has only one ethernet
> card, attached to the same switch. Now I want to take away the first
> webserver. In order to do this transparently, I thought of using a
> redirect rule.

The reason your redirect doesn't work is because the requests and replies 
don't go through the netfilter box - they're not being routed somewhere else 
- so it never sees the packets to modify the addresses.

Example: client 192.168.0.42 tries to access server on 192.168.0.1, it's on 
the local network, so it does an ARP for 192.168.0.1, and nothing replies.   
Therefore the client says "server uncontactable".   The client is never going 
to try going through a router (netfilter) to get to a local address.

By the way, http does not use UDP - there's no need ever to translate UDP 
port 80 for a web server.

I would suggest two better solutions to your requirement are:

1. Use DNS and access the server/s by name instead of IP - then you can make 
both names resolve to the same address, or different addresses, or change the 
addresses, as you shuffle your network around, and client machines don't need 
to know any different.

2. Add the old address to the new server, so one machine has both 192.168.0.1 
and 192.168.0.5 on eth0 and will respond to requests sent to either address.

There is a way of doing what you want with netfilter, but it is so horribly 
complicated and ugly (add false IP address to internal interface, apply both 
SNAT and DNAT rules in PREROUTING and POSTROUTING, resulting in the web 
server thinking all internal accesses come from the firewall) that I am not 
going to recommend it at all.

Antony.

-- 

The trouble with the French is that they don't have a word for 'entrepreneur'.

 - George W Bush, president of the United States of America
                                                     Please reply to the list;
                                                           please don't CC me.



* Re: : Redirect in intranet using DNAT?
       [not found]   ` <200311161301.40525.m_feldmann@t-online.de>
@ 2003-11-16 12:14     ` Antony Stone
  0 siblings, 0 replies; 3+ messages in thread
From: Antony Stone @ 2003-11-16 12:14 UTC (permalink / raw)
  To: netfilter

On Sunday 16 November 2003 12:01 pm, Michael Feldmann wrote:

> On Sunday, 16 November 2003 12:22, Antony Stone wrote:
> >
> > I would suggest two better solutions to your requirement are:
> >
> > 1. Use DNS and access the server/s by name instead of IP - then you can
> > make both names resolve to the same address, or different addresses, or
> > change the addresses, as you shuffle your network around, and client
> > machines don't need to know any different.
> >
> > 2. Add the old address to the new server, so one machine has both
> > 192.168.0.1 and 192.168.0.5 on eth0 and will respond to requests sent to
> > either address.
>
> If I see this correctly, would solution No 1 not imply that all client
> machines use names instead of IPs? I am not too sure about that.

Yes they would, and I personally think that is the better way to do things, 
because it allows you to move services from one machine to another very 
easily without disrupting your network configuration.

> So, I think I will stick to No 2. However, as there are several services on
> Server 192.168.0.1, which I cannot move all at once to 192.168.0.5, I guess
> I will have to add _both_ addresses to _both_ servers and enable/disable
> the resp. services in such a way that only one client answers. Could this
> be a possible solution?

No way!   This would really screw up your network.   Never put one IP address 
on more than one machine at the same time.

You need to understand how IP, TCP and HTTP work together.

When a client sends an HTTP request to a server, a packet is sent from the 
client's IP address to the server's IP address - if that address doesn't 
exist, the connection fails.   Once the packet arrives at the server's IP 
address, it attempts to connect to a service running on TCP port 80 - if that 
service is not responding, the connection fails.   Once the connection has 
been made to TCP port 80, the web server looks at the HTTP request and 
decides whether it can fulfil it - if the request is for something the server 
can't answer, the connection fails.

At no point in any of the above steps is there a "if that didn't work, try 
something else instead" option.

Basically, if you are moving your web server (but not other services) from 
one machine to another on your network, you should change the address the 
clients connect to for that service so they find the new machine.   I believe 
the easiest way to do this is for the clients to use server names, and you 
just make one change in DNS.   If you don't want to use DNS, then change the 
server IP address on each client that needs to connect to it.

Antony.

-- 

I love deadlines.   I love the whooshing noise they make as they go by.

 - Douglas Noel Adams


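The two replies above describe the same chain of decisions in prose: the client only ARPs for an on-link address and never routes to a local destination through a netfilter box, one address must not live on two machines, a reachable address with no listener is refused, and a DNAT redirect inside one subnet only works together with SNAT (after which the server sees every request as coming from the firewall). The following is an added example, not code from the thread or from the netfilter project; it is a small Python model of those rules that scores each of the thread's scenarios. It assumes the NAT box forwards packets, and it uses the constructed addresses 192.168.0.42 (Antony's example client) and 192.168.0.254 (a made-up address for the firewall itself).

```python
"""Model of the thread's scenarios: who answers ARP, where PREROUTING DNAT /
POSTROUTING SNAT rewrite addresses, and whether the reply reaches the client
from the address it connected to.  Constructed example (not from the thread):
it assumes the NAT box forwards packets, and 192.168.0.42 / 192.168.0.254 are
made-up client / firewall addresses."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")          # the intranet in the thread


@dataclass
class Host:
    name: str
    addrs: set                                     # addresses this box answers ARP for
    listening: set = field(default_factory=set)    # TCP ports with a service behind them
    dnat: dict = field(default_factory=dict)       # PREROUTING: (dst, dport) -> (new_dst, new_dport)
    snat: str = ""                                 # POSTROUTING: new source for forwarded packets
    conntrack: dict = field(default_factory=dict)  # (server, port, src as sent) -> (orig_src, orig_dst)


class Lan:
    def __init__(self, *hosts):
        self.hosts = hosts

    def arp(self, ip):
        """The machine that answers an ARP request for ip, or None if nobody does."""
        owners = [h for h in self.hosts if ip in h.addrs]
        if len(owners) > 1:
            raise ValueError(f"{ip} answered by {[h.name for h in owners]}")
        return owners[0] if owners else None


def connect(lan, client_ip, server_ip, port=80):
    """Verdict for 'client opens TCP port on server_ip', step by step as in the thread."""
    if ip_address(server_ip) not in LAN:
        return "not on-link: the client would send to its default gateway instead"
    try:
        target = lan.arp(server_ip)
    except ValueError as e:
        return f"broken network: duplicate address, {e}"
    if target is None:
        return "server uncontactable (no ARP reply)"

    src, dst, dport = client_ip, server_ip, port
    nat_box = None
    rule = target.dnat.get((dst, dport))
    if rule:                                # PREROUTING DNAT on the box that answered ARP
        nat_box = target
        dst, dport = rule
        if nat_box.snat:                    # POSTROUTING SNAT, if configured
            src = nat_box.snat
        nat_box.conntrack[(dst, dport, src)] = (client_ip, server_ip)
        try:
            target = lan.arp(dst)
        except ValueError as e:
            return f"broken network: duplicate address, {e}"
        if target is None:
            return f"DNAT target {dst} uncontactable (no ARP reply)"

    if dport not in target.listening:       # address reached, but nothing on the TCP port
        return f"connection refused: {target.name} has no service on port {dport}"

    # The server replies to the source it saw.  The reply goes wherever that
    # address lives; it does not automatically pass back through the NAT box.
    reply_src, reply_dst = dst, src
    if nat_box is not None and lan.arp(reply_dst) is nat_box \
            and (reply_src, dport, reply_dst) in nat_box.conntrack:
        orig_src, orig_dst = nat_box.conntrack[(reply_src, dport, reply_dst)]
        reply_src, reply_dst = orig_dst, orig_src   # un-NAT on the way back
    if reply_src == server_ip and reply_dst == client_ip:
        return f"ok: served by {target.name}, which saw the client as {src}"
    return f"reply came from {reply_src}, but the client connected to {server_ip}: connection fails"


def scenarios():
    """The thread's situations, as verdicts keyed by name (constructed data)."""
    client, old, new, fw = "192.168.0.42", "192.168.0.1", "192.168.0.5", "192.168.0.254"
    web = {80}
    return {
        # old server switched off; nothing answers ARP for 192.168.0.1 any more
        "old server removed": connect(Lan(Host("new", {new}, web)), client, old),
        # Antony's solution 2: the new server carries both addresses
        "alias on new server": connect(Lan(Host("new", {old, new}, web)), client, old),
        # Michael's follow-up idea: both addresses on both machines
        "address on both machines": connect(
            Lan(Host("old", {old, new}), Host("new", {old, new}, web)), client, old),
        # address still answers, but the web service has left that machine
        "address up, port closed": connect(
            Lan(Host("old", {old}, set()), Host("new", {new}, web)), client, old),
        # DNAT alone on the box that owns 192.168.0.1: the reply bypasses it
        "DNAT only": connect(
            Lan(Host("old", {old}, set(), {(old, 80): (new, 80)}), Host("new", {new}, web)),
            client, old),
        # Antony's 'horribly complicated' variant: false address + DNAT + SNAT on a firewall
        "DNAT and SNAT": connect(
            Lan(Host("fw", {fw, old}, set(), {(old, 80): (new, 80)}, snat=fw), Host("new", {new}, web)),
            client, old),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:26} -> {verdict}")
```

The "DNAT and SNAT" verdict shows the cost Antony objects to: the request succeeds, but the web server logs every client as 192.168.0.254, so per-client access control and forensics on that server lose the real source address. The "alias on new server" case succeeds with the client's true address intact, which is why it is the cleaner choice when names cannot be used.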
