* Redirect in intranet using DNAT?

From: Michael Feldmann @ 2003-11-16 10:43 UTC (permalink / raw)
To: netfilter

Hi all,

How can I redirect traffic from one internal IP to another? My situation is as follows:

I have two webservers in an intranet, one on 192.168.0.1, port 80, the other on 192.168.0.5, port 80. Each machine has only one ethernet card, attached to the same switch. Now I want to take away the first webserver. In order to do this transparently, I thought of using a redirect rule. Thus, on 192.168.0.1 I tried the following commands:

iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 --dport 80 -j DNAT --to 192.168.0.5:80
iptables -t nat -A PREROUTING -p udp -d 192.168.0.1 --dport 80 -j DNAT --to 192.168.0.5:80

For testing reasons, all the policies on both machines are set to ACCEPT.

iptables -t nat -L -n yields:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       udp  --  0.0.0.0/0            192.168.0.1          udp dpt:80 to:192.168.0.5:80
DNAT       tcp  --  0.0.0.0/0            192.168.0.1          tcp dpt:80 to:192.168.0.5:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

With these rules, I thought an attempt to reach 192.168.0.1:80 would lead me to 192.168.0.5:80. But it seems there are no packets arriving at 192.168.0.5:80. Obviously, I seem to overlook something. But what?

Thanks in advance
Michael

P.S. Sorry if this question has been posted twice. I am not sure if yesterday's posting has really reached the list.
* Re: Redirect in intranet using DNAT?

From: Antony Stone @ 2003-11-16 11:22 UTC (permalink / raw)
To: netfilter

On Sunday 16 November 2003 10:43 am, Michael Feldmann wrote:
> Hi all,
>
> How can I redirect traffic from one internal IP to another? My situation is
> as follows:
>
> I have two webservers in an intranet, one on 192.168.0.1, port 80, the
> other on 192.168.0.5, port 80. Each machine has only one ethernet
> card, attached to the same switch. Now I want to take away the first
> webserver. In order to do this transparently, I thought of using a
> redirect rule.

The reason your redirect doesn't work is because the requests and replies don't go through the netfilter box - they're not being routed somewhere else - so it never sees the packets to modify the addresses.

Example: client 192.168.0.42 tries to access the server on 192.168.0.1. It's on the local network, so it does an ARP for 192.168.0.1, and nothing replies. Therefore the client says "server uncontactable". The client is never going to try going through a router (netfilter) to get to a local address.

By the way, HTTP does not use UDP - there's no need ever to translate UDP port 80 for a web server.

I would suggest two better solutions to your requirement are:

1. Use DNS and access the server/s by name instead of IP - then you can make both names resolve to the same address, or different addresses, or change the addresses, as you shuffle your network around, and client machines don't need to know any different.

2. Add the old address to the new server, so one machine has both 192.168.0.1 and 192.168.0.5 on eth0 and will respond to requests sent to either address.

There is a way of doing what you want with netfilter, but it is so horribly complicated and ugly (add a false IP address to the internal interface, apply both SNAT and DNAT rules in PREROUTING and POSTROUTING, resulting in the web server thinking all internal accesses come from the firewall) that I am not going to recommend it at all.

Antony.

--
The trouble with the French is that they don't have a word for 'entrepreneur'.
- George W Bush, president of the United States of America

Please reply to the list; please don't CC me.
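The netfilter method that Antony describes above but does not recommend, written out as an added example (not code from the thread) so that its cost is visible. It runs on whichever box owns 192.168.0.1: the old server while it is still up, or, after the old server is gone, the firewall with 192.168.0.1 added to its LAN interface as an extra address, which is the "false IP address" in his description. The interface name eth0, the /24 and the two addresses are assumptions taken from the thread's setup; the iputils-style sysctl and iptables invocations are standard Linux. The script is a dry run that prints the commands unless APPLY=1, because applying them needs root and changes live rules.

```shell
#!/bin/sh
# Added example, not from the thread: the hairpin NAT Antony advises against.
# The box owning OLD_IP DNATs port 80 to NEW_IP and SNATs the forwarded
# packets to its own address. Without the SNAT the new server would answer
# the client directly from NEW_IP:80; the client would not recognise that
# as part of its connection to OLD_IP:80 and the connection would fail.
# The price of the SNAT is that the web server on NEW_IP sees every client
# as OLD_IP, so its access logs and any address-based access control lose
# the real client address.
#
# Dry run (prints the commands) unless APPLY=1. Interface name and
# addresses are assumptions from the thread's setup.
set -eu

OLD_IP="${OLD_IP:-192.168.0.1}"   # address the clients still connect to
NEW_IP="${NEW_IP:-192.168.0.5}"   # where the web server now lives
DEV="${DEV:-eth0}"                # the single LAN interface on the NAT box

# Both addresses must sit on the same LAN for the hairpin to work at all.
# The check assumes a /24, as in the thread.
same_lan() {
    [ "${1%.*}" = "${2%.*}" ]
}

# Print the commands that turn the box owning $1 into a one-armed NAT for
# TCP port 80 towards $2 on interface $3. send_redirects is switched off so
# the kernel does not try to short-cut the hairpin with an ICMP redirect to
# the client. The FORWARD rules are there because the thread's boxes only
# have ACCEPT policies for testing.
hairpin_rules() {
    old="$1"; new="$2"; dev="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$dev.send_redirects=0
iptables -t nat -A PREROUTING -i $dev -p tcp -d $old --dport 80 -j DNAT --to-destination $new:80
iptables -t nat -A POSTROUTING -o $dev -p tcp -d $new --dport 80 -j SNAT --to-source $old
iptables -A FORWARD -i $dev -o $dev -p tcp -d $new --dport 80 -j ACCEPT
iptables -A FORWARD -i $dev -o $dev -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

same_lan "$OLD_IP" "$NEW_IP" || {
    echo "$OLD_IP and $NEW_IP are not on the same /24" >&2
    exit 1
}

if [ "${APPLY:-0}" = 1 ]; then
    # sh -e stops at the first command that fails, so a rejected sysctl or
    # rule leaves the box without a half-applied hairpin.
    hairpin_rules "$OLD_IP" "$NEW_IP" "$DEV" | sh -e
else
    hairpin_rules "$OLD_IP" "$NEW_IP" "$DEV"
fi
```

Run it without arguments to review the commands, then `APPLY=1 sh hairpin.sh` as root on the box that owns the old address. Note that the `iptables -t nat` rules only see the first packet of each connection; the reply direction is reversed by conntrack automatically, which is why no explicit un-NAT rule is needed.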
* Re: Redirect in intranet using DNAT?

From: Antony Stone @ 2003-11-16 12:14 UTC (permalink / raw)
To: netfilter

On Sunday 16 November 2003 12:01 pm, Michael Feldmann wrote:
> On Sunday, 16 November 2003 12:22, Antony Stone wrote:
> >
> > I would suggest two better solutions to your requirement are:
> >
> > 1. Use DNS and access the server/s by name instead of IP - then you can
> > make both names resolve to the same address, or different addresses, or
> > change the addresses, as you shuffle your network around, and client
> > machines don't need to know any different.
> >
> > 2. Add the old address to the new server, so one machine has both
> > 192.168.0.1 and 192.168.0.5 on eth0 and will respond to requests sent to
> > either address.
>
> If I see this correctly, would solution No 1 not imply that all client
> machines use names instead of IPs? I am not too sure about that.

Yes, they would, and I personally think that is the better way to do things, because it allows you to move services from one machine to another very easily without disrupting your network configuration.

> So, I think I will stick to No 2. However, as there are several services on
> Server 192.168.0.1, which I cannot move all at once to 192.168.0.5, I guess
> I will have to add _both_ addresses to _both_ servers and enable/disable
> the resp. services in such a way that only one client answers. Could this
> be a possible solution?

No way! This would really screw up your network. Never put one IP address on more than one machine at the same time.

You need to understand how IP, TCP and HTTP work together.

When a client sends an HTTP request to a server, a packet is sent from the client's IP address to the server's IP address - if that address doesn't exist, the connection fails.

Once the packet arrives at the server's IP address, it attempts to connect to a service running on TCP port 80 - if that service is not responding, the connection fails.

Once the connection has been made to TCP port 80, the web server looks at the HTTP request and decides whether it can fulfil it - if the request is for something the server can't answer, the connection fails.

At no point in any of the above steps is there an "if that didn't work, try something else instead" option.

Basically, if you are moving your web server (but not other services) from one machine to another on your network, you should change the address the clients connect to for that service so they find the new machine. I believe the easiest way to do this is for the clients to use server names, and you just make one change in DNS. If you don't want to use DNS, then change the server IP address on each client that needs to connect to it.

Antony.

--
I love deadlines. I love the whooshing noise they make as they go by.
- Douglas Noel Adams
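Solution 2 from Antony's first reply, adding the old server's address to the new server, done with the check his warning above calls for. This is an added example, not code from the thread. Before the address is added, arping's duplicate-address-detection mode probes the LAN and the script aborts if any host still answers for it, which is exactly the "one IP on two machines" situation; afterwards it sends unsolicited ARP so that clients which still have the old server's MAC address cached for 192.168.0.1 learn the new owner instead of sending to a machine that is gone. Assumptions: the iputils `arping` (the one whose `-D` means duplicate address detection; the Debian `arping` package by Thomas Habets has different options), `ip` from iproute2, interface eth0, a /24 and the thread's addresses. It is a dry run that prints the commands unless APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread: take over OLD_IP on the new server,
# refusing to do so if anyone on the LAN still answers ARP for it.
# Assumes iputils arping (-D = duplicate address detection, exit 0 when no
# reply; -U = unsolicited ARP to refresh neighbours' caches) and iproute2.
# Dry run (prints the commands) unless APPLY=1, because the real thing
# needs root and changes the live interface configuration.
set -eu

OLD_IP="${OLD_IP:-192.168.0.1}"   # address being taken over
PREFIX="${PREFIX:-24}"            # prefix length of the LAN (assumed /24)
DEV="${DEV:-eth0}"                # LAN interface on the new server

# Strict dotted-quad check so that a typo cannot put a stray address on
# the LAN: exactly four fields, digits only, each 0-255.
valid_ipv4() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case "$o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the takeover steps for address $1/$2 on interface $3, in order:
# probe for a duplicate, add the address, announce the new owner.
alias_plan() {
    addr="$1"; plen="$2"; dev="$3"
    cat <<EOF
arping -D -c 2 -I $dev $addr
ip addr add $addr/$plen dev $dev
arping -U -c 3 -I $dev $addr
EOF
}

valid_ipv4 "$OLD_IP" || { echo "bad address: $OLD_IP" >&2; exit 1; }

if [ "${APPLY:-0}" = 1 ]; then
    # sh -e stops at the first failing step, so if another host answers the
    # DAD probe (arping exits non-zero) the address is never added.
    alias_plan "$OLD_IP" "$PREFIX" "$DEV" | sh -e
else
    alias_plan "$OLD_IP" "$PREFIX" "$DEV"
fi
```

Run it once without APPLY to see the three steps, then `APPLY=1 sh takeover.sh` as root on the new server after the old one has been powered off. If the DAD probe fails, the old server (or something else) is still answering for the address and the takeover must not proceed. Once the address is up, the services that have not yet moved still need their own migration; the alias only makes the new machine reachable under both addresses, as Antony describes.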