From: Bas Verhoeven <netfilter@bserved.nl>
To: netfilter@lists.netfilter.org
Subject: iptables NAT routing issues
Date: Tue, 08 May 2007 23:16:03 +0200
Message-ID: <4640E893.1010206@bserved.nl>

Hello,

We're having some problems with iptables; we have been playing with this 
for ~3 hours and I need some advice.

We want to 'forward' port 80 from one IP to another IP (another server), 
mainly to protect the webserver. One could say that you could use basic 
port forwarding for this, but as far as I know this also breaks the 
source IP for Apache logs, etc. So we decided that we needed NATing.

On the 'outbound' server we're doing DNAT to the webserver, which seems 
to work fine (can see the packets in tcpdump on web), and on the 
webserver we do SNAT back to the 'original' (outboundserver) ip the user 
connected to.

The last part does not work though: the webserver still uses its own 
outgoing IP, and not the IP we specified. If I telnet to some host, 
however, using the webserver source IP, it DOES rewrite the source 
address (and fails to connect, of course).

Tried various iptables commands on the servers:

OUTBOUND SERVER:

iptables -t nat -A PREROUTING -p tcp --dport 80 -d <ext_web_ip> -j DNAT 
--to-destination <webserver_ip>:80

Note: We didn't touch this as it seems to work fine.

WEBSERVER:
 
We tried several variants, from the detailed:
    iptables -t nat -A POSTROUTING -s <webserver_ip> -p tcp --sport 80 -o eth0 -j 
SNAT --to-source <ext_web_ip>:80

To the 'should-be-catching-it-all':
    iptables -t nat -A POSTROUTING -s <webserver_ip> -j SNAT --to-source 
<ext_web_ip>

None of those seem to do the thing we want to do though.

Some advice would be very welcome.

Cheers,
Bas Verhoeven
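The following is an added example, not part of the original message or of any reply in the thread: a toy model of netfilter connection tracking plus the nat table, built around one rule the kernel enforces, namely that the nat table is consulted only for the first packet of a connection and every later packet, replies included, is rewritten from the conntrack entry that first packet created. Fed the two rules quoted above (DNAT on the 'outbound' server, catch-all SNAT on the webserver) it reproduces both observations in the message: the webserver's reply to a DNATed connection leaves with the webserver's own source address, while a connection the webserver opens itself is rewritten to <ext_web_ip>. It also shows that the reverse translation of the DNAT happens on the outbound server when the reply is routed back through it. All addresses are constructed sample values from the RFC 5737 documentation ranges, and the `Host`/`Packet` classes are this example's own abstraction, not a netfilter API.

```python
"""Toy model of netfilter conntrack + nat table (added example, not from the
original thread).  Rule modelled: nat PREROUTING/POSTROUTING are traversed only
for the first packet of a connection; later packets in either direction are
translated from the conntrack entry, never from the nat table."""
from dataclasses import dataclass, replace

CLIENT = "198.51.100.7"   # constructed: a web client on the Internet
EXT_WEB = "203.0.113.10"  # constructed: public IP on the 'outbound' server
WEB = "192.0.2.20"        # constructed: the real webserver


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)


def reverse(t):
    """The tuple a reply to `t` carries (protocol omitted in this toy)."""
    return (t[2], t[3], t[0], t[1])


class Host:
    """A netfilter box: nat PREROUTING/POSTROUTING rules plus a conntrack table."""

    def __init__(self, name, own_ips):
        self.name, self.own_ips = name, set(own_ips)
        self.prerouting = []   # list of (match, translate); DNAT rules live here
        self.postrouting = []  # list of (match, translate); SNAT rules live here
        self.ct = {}           # tuple as the packet arrives -> tuple as it leaves

    @staticmethod
    def _run(chain, p):
        for match, translate in chain:
            if match(p):
                return translate(p)   # first matching -j DNAT/SNAT rule terminates the chain
        return p

    def process(self, p, locally_generated=False):
        """Return the packet as it leaves this host (or is delivered on it)."""
        t = p.key()
        if t in self.ct:
            # ESTABLISHED: nat chains are skipped; conntrack applies the mapping
            # recorded when the connection's first packet was seen.
            return Packet(*self.ct[t])
        out = p
        if not locally_generated:            # PREROUTING only sees packets arriving from the wire
            out = self._run(self.prerouting, out)
        if out.dst not in self.own_ips:      # locally delivered packets never reach POSTROUTING
            out = self._run(self.postrouting, out)
        self.ct[t] = out.key()                        # original direction
        self.ct[reverse(out.key())] = reverse(t)      # reply direction: un-NAT automatically
        return out


def build_hosts():
    outbound = Host("outbound", [EXT_WEB])
    # iptables -t nat -A PREROUTING -p tcp --dport 80 -d <ext_web_ip> -j DNAT --to-destination <webserver_ip>:80
    outbound.prerouting.append((lambda p: p.dst == EXT_WEB and p.dport == 80,
                                lambda p: replace(p, dst=WEB, dport=80)))
    web = Host("webserver", [WEB])
    # iptables -t nat -A POSTROUTING -s <webserver_ip> -j SNAT --to-source <ext_web_ip>
    web.postrouting.append((lambda p: p.src == WEB, lambda p: replace(p, src=EXT_WEB)))
    return outbound, web


def simulate():
    outbound, web = build_hosts()
    # 1. client SYN reaches the outbound server and is DNATed to the webserver
    to_web = outbound.process(Packet(CLIENT, 51000, EXT_WEB, 80))
    # 2. webserver accepts it; its reply belongs to an existing conntrack entry,
    #    so the POSTROUTING SNAT rule is never consulted and src stays WEB
    web.process(to_web)
    reply = web.process(Packet(WEB, 80, CLIENT, 51000), locally_generated=True)
    # 3. the same reply, routed back through the outbound server, is un-DNATed
    #    there by conntrack and reaches the client from EXT_WEB:80
    via_outbound = outbound.process(reply)
    # 4. a connection the webserver opens itself is NEW, so SNAT does apply
    telnet = web.process(Packet(WEB, 40000, "198.51.100.99", 23), locally_generated=True)
    return {"to_web": to_web, "reply_as_sent_by_web": reply,
            "reply_via_outbound": via_outbound, "outgoing_telnet": telnet}


if __name__ == "__main__":
    for name, p in simulate().items():
        print(f"{name:22} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

Run it with `python3 nat_toy.py`. The two lines worth comparing are `reply_as_sent_by_web` (source stays 192.0.2.20, exactly what the message reports) and `reply_via_outbound` (source becomes 203.0.113.10:80, the reverse of the DNAT recorded on the outbound server). In the model, as on a real box, whether the reply ever passes through the outbound server is a routing question, not an iptables one.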



Thread overview: 12+ messages
2007-05-08 21:16 Bas Verhoeven [this message]
2007-05-08 22:25 ` iptables NAT routing issues Jan Engelhardt
2007-05-08 22:33   ` Pascal Hambourg
2007-05-08 22:37     ` Jan Engelhardt
2007-05-08 22:46       ` Bas Verhoeven
2007-05-08 22:48         ` Maximilian Wilhelm
2007-05-08 23:03         ` Pascal Hambourg
2007-05-10 14:21           ` Bas Verhoeven
2007-05-10 19:31             ` Pascal Hambourg
2007-05-10 20:06               ` Bas Verhoeven
2007-05-10 22:14                 ` Pascal Hambourg
2007-05-08 22:37 ` Maximilian Wilhelm
