* routing all HTTP requests to my own web server
From: Jeremy Pullicino @ 2008-10-17 17:40 UTC
To: netfilter
Hi,
I would like to route all outbound HTTP requests to my own HTTP server.
After consulting with the docs and online tutorials I came up with the
command below:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.11.100
Is this the correct way to do it?
Any advice will be really appreciated.
Thanks,
Jeremy Pullicino
* Re: routing all HTTP requests to my own web server
From: Grant Taylor @ 2008-10-17 17:57 UTC
To: Mail List - Netfilter
On 10/17/08 12:40, Jeremy Pullicino wrote:
> After consulting with the docs and online tutorials I came up with
> the command below:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT
> --to-destination 192.168.11.100
>
> Is this the correct way to do it?
That is the first part of it. You will also need to SNAT the traffic.
> Any advice will be really appreciated.
Look through the archive for this mailing list, or better search it, for
what I refer to as the "TCP Triangle".
I think the most recent thread that this was discussed had a subject of
"Different kind of transparent proxy".
Also, you may find Jan Engelhardt's TCP Triangle image explains it well.
http://jengelh.hopto.org/images/dnat-mistake.png
Grant. . . .
* Re: routing all HTTP requests to my own web server
From: Jeremy Pullicino @ 2008-10-17 18:29 UTC
To: Mail List - Netfilter
Thanks Grant - I understand exactly what you mean.
To solve the TCP Triangle problem I should probably add this rule
(192.168.11.1 is the local machine):
iptables -t nat -A POSTROUTING -p tcp --sport 80 -j SNAT --to 192.168.11.1
Would that be correct?
Thanks for your advice.
Jeremy.
On Fri, Oct 17, 2008 at 7:57 PM, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> On 10/17/08 12:40, Jeremy Pullicino wrote:
>>
>> After consulting with the docs and online tutorials I came up with the
>> command below:
>>
>> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.11.100
>>
>> Is this the correct way to do it?
>
> That is the first part of it. You will also need to SNAT the traffic.
>
>> Any advice will be really appreciated.
>
> Look through the archive for this mailing list, or better search it, for
> what I refer to as the "TCP Triangle".
>
> I think the most recent thread that this was discussed had a subject of
> "Different kind of transparent proxy".
>
> Also, you may find Jan Engelhardt's TCP Triangle image explains it well.
>
> http://jengelh.hopto.org/images/dnat-mistake.png
>
>
>
> Grant. . . .
* Re: routing all HTTP requests to my own web server
From: Grant Taylor @ 2008-10-17 18:32 UTC
To: Mail List - Netfilter
On 10/17/08 13:29, Jeremy Pullicino wrote:
> Thanks Grant - I understand exactly what you mean.
*nod*
> To solve the TCP Triangle problem I should probably add this rule
> (192.168.11.1 is the local machine):
>
> iptables -t nat -A POSTROUTING -p tcp --sport 80 -j SNAT --to
> 192.168.11.1
>
> Would that be correct?
I would not use an "sport" match. I would match on "dport". Remember
that client TCP connections can come from any port between 1024 and
65535. However seeing as how it is going to your proxy server on a
specific port I'd match on that. I'd probably also match on your proxy
server's destination IP.
> Thanks for your advice.
You are welcome.
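Added example, not part of the original thread: a small Python model of the "TCP Triangle" discussed above, comparing the `--sport 80` SNAT match with the destination IP and `--dport 80` match suggested in the last reply. The client address, the remote address, the ephemeral port, and the assumption that client and web server share a subnet are constructed for illustration.

```python
from dataclasses import dataclass, replace

ROUTER, SERVER = "192.168.11.1", "192.168.11.100"   # addresses from the thread
CLIENT, REMOTE = "192.168.11.50", "203.0.113.10"    # constructed sample hosts

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def matches(rule, p):
    """True when every field named in the rule equals the packet's field."""
    return all(getattr(p, k) == v for k, v in rule.items())

def connect(snat_match):
    """Follow one SYN / SYN-ACK through the router; report what the client sees."""
    syn = Pkt(CLIENT, 40000, REMOTE, 80)              # ephemeral source port
    # PREROUTING: -p tcp --dport 80 -j DNAT to the local web server
    fwd = replace(syn, dst=SERVER) if syn.dport == 80 else syn
    # POSTROUTING: SNAT to the router's address only if the rule matches
    snat = matches(snat_match, fwd)
    out = replace(fwd, src=ROUTER) if snat else fwd
    # The server answers whatever source address it saw on the SYN.
    reply = Pkt(out.dst, out.dport, out.src, out.sport)
    if reply.dst == ROUTER:
        # Reply returns through the router: conntrack undoes SNAT and DNAT.
        reply = Pkt(syn.dst, syn.dport, syn.src, syn.sport)
    # Otherwise (assumed same subnet) the reply goes straight to the client.
    accepted = (reply.src, reply.sport) == (syn.dst, syn.dport)
    return {"snat_applied": snat, "reply_src": reply.src, "accepted": accepted}

SPORT_RULE = {"sport": 80}                    # the --sport 80 match
DPORT_RULE = {"dst": SERVER, "dport": 80}     # -d <server> --dport 80

if __name__ == "__main__":
    for name, rule in (("--sport 80", SPORT_RULE), ("-d/--dport 80", DPORT_RULE)):
        print(name, connect(rule))
```

With the `--sport 80` match the forwarded SYN is never rewritten, so the reply reaches the client from 192.168.11.100 instead of the address it connected to and is rejected; with the destination match the reply returns through the router and is accepted.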