RE: redirection

RE: redirection

[dhiraj.2.bhuyan]

try one thing - flush all rules and add the rule
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT
--to-destination x.y.z.2:80

I have a feeling that you are doing something in the POSTROUTING chain which
is why you are not getting the right result. Or maybe you have a rule to
drop the packet defined?

dhiraj

-----Original Message-----
From: xchris [mailto:lyra@fastwebnet.it]
Sent: 09 April 2003 09:14
To: Bhuyan,D,Dhiraj,XVR3A C; netfilter@lists.netfilter.org
Subject: Re: redirection


On Wednesday 09 April 2003 10:40 am, you wrote:
> You do infact need DNAT and not SNAT
>
> iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT
> --to-destination x.y.z.2:80
>
> this should work.


I tried but all connections go in timeout.
I first flushed every chain,set default policy everywhere,and then added
DNAT 
rule...

no result...

The strange thing is :
if i DNAT on another interface everything is ok.
if i DNAT through the incoming connection interface... it fails.

strange...
I think i miss something..
Thank you
Chris

Re: redirection

[xchris]

On Wednesday 09 April 2003 12:03 pm, dhiraj.2.bhuyan@bt.com wrote:
> try one thing - flush all rules and add the rule
> iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT
> --to-destination x.y.z.2:80
>
> I have a feeling that you are doing something in the POSTROUTING chain
> which is why you are not getting the right result. Or maybe you have a rule
> to drop the packet defined?
>

nope.

i flushed everithing!
all tables cleared.

i added only the DNAT line...
but it still doesn't work.
thank you

P.S.:I don't understand why if i use an ip of another interface it works. (a 
classic DNAT to dmz)

Redirection

[Sasa Stupar]

Hi!

I have setup router with iptables. Now I have also setup a squid proxy 
server on another internal machine. What I want is to all http requests 
from internal LAN to send thru proxy.
Since I am new to iptables I am asking here for some help.
How can I do that?

Thanks,
Sasa

Re: Redirection

[Antony Stone]

On Friday 27 February 2004 12:08 pm, Sasa Stupar wrote:

> Hi!
>
> I have setup router with iptables. Now I have also setup a squid proxy
> server on another internal machine. What I want is to all http requests
> from internal LAN to send thru proxy.
> Since I am new to iptables I am asking here for some help.
> How can I do that?

http://en.tldp.org/HOWTO/TransparentProxy-6.html

Antony.

-- 
Having been asked for a reference for this man,
I can confirm that you will be very lucky indeed if you can get him to work 
for you.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: Redirection

[Sasa Stupar]

[-- Attachment #1: Type: text/plain, Size: 1629 bytes --]

OK, I have read it and apply it for me BUT now I have the case that some 
pages won't load. I get this error from squid:
---------


  ERROR


    The requested URL could not be retrieved

------------------------------------------------------------------------

While trying to retrieve the URL: 
/ssc/home.asp?j=1&langid=us&venid=sym&plfid=22&pkj=QZVTFIZTYMWPAZTJWUF 
<http://security1.norton.com/ssc/home.asp?j=1&langid=us&venid=sym&plfid=22&pkj=QZVTFIZTYMWPAZTJWUF> 


The following error was encountered:

    * * Invalid URL *

Some aspect of the requested URL is incorrect. Possible problems:

    * Missing or incorrect access protocol (should be `http://'' or
      similar)
    * Missing hostname
    * Illegal double-escape in the URL-Path
    * Illegal character in hostname; underscores are not allowed

Your cache administrator is root <mailto:root>.
---------------------------------
I can't access a site like www.yahoo.com
What could be the problem here?

Thanx,
Sasa



Tomasz Macioszek pravi:

>Hi
>Read this howto:
>http://en.tldp.org/HOWTO/TransparentProxy.html
>
>Tomek
>
>----- Original Message ----- 
>From: "Sasa Stupar" <sasa@stupar.homelinux.net>
>To: "Netfilter-List" <netfilter@lists.netfilter.org>
>Sent: Friday, February 27, 2004 1:08 PM
>Subject: Redirection
>
>
>  
>
>>Hi!
>>
>>I have setup router with iptables. Now I have also setup a squid proxy 
>>server on another internal machine. What I want is to all http requests 
>>from internal LAN to send thru proxy.
>>Since I am new to iptables I am asking here for some help.
>>How can I do that?
>>
>>Thanks,
>>Sasa
>>
>>
>>
>>    
>>
>
>  
>


[-- Attachment #2: Type: text/html, Size: 2532 bytes --]

Re: Redirection

[Sasa Stupar]

Nevermind, I have solved the issue...I didn't configure the squid right. 
Now it is working.

Thank you all for the help,
Sasa

RE: redirection

[dhiraj.2.bhuyan]

note one thing -

when the client tries to connect to port 80 of x.y.z.1, the firewall in
x.y.z.1 redirects the traffic to x.y.z.2:80

so the client will be receiving packets from x.y.z.2:80 - which is not what
it is expecting. It is waiting for packets from x.y.z.1:80 - so it will no
doubt timeout. You should be able to see the packets coming from x.y.z.2:80
by running a sniffer on the client machine.

I think Eric Joe did infact give the right solution - that x.y.z.1 will be
working as a proxy between the client and x.y.z.2 - although you can
question if you are achieving your "loadbalancing" by this.


dhiraj

-----Original Message-----
From: xchris [mailto:lyra@fastwebnet.it]
Sent: 08 April 2003 23:17
To: netfilter@lists.netfilter.org
Subject: Re: redirection



----- Original Message -----
From: "Eric Joe" <sysop@tje1.com>


> I didnt catch the fact that you need the source address. Are you tracking
> this for a reason? You can probably have iptables log the source address.
> This does in fact work, been using it for  about 6 months now. Let me post
> my exact rules (IPs are obsfucated)

i need it because i'm trying to do a simple load balancing between 2 local
servers running opennap.
(and opennap needs to know the IP address otherwise downloads dont start)
thnak you

xchris

Re: redirection

[Christian Cernuschi]

On Wednesday 09 April 2003 03:10 pm, dhiraj.2.bhuyan@bt.com wrote:
> note one thing -
>
> when the client tries to connect to port 80 of x.y.z.1, the firewall in
> x.y.z.1 redirects the traffic to x.y.z.2:80
>
> so the client will be receiving packets from x.y.z.2:80 - which is not what
> it is expecting. It is waiting for packets from x.y.z.1:80 - so it will no
> doubt timeout. You should be able to see the packets coming from x.y.z.2:80
> by running a sniffer on the client machine.
>
> I think Eric Joe did infact give the right solution - that x.y.z.1 will be
> working as a proxy between the client and x.y.z.2 - although you can
> question if you are achieving your "loadbalancing" by this.
>

exactly...
it's the same conclusion i arrived..

The solution (also for source adress keeping) is to masquerade the destination 
machine under the first one!

The destination machine must not reside "under" the first.It can also be at 
the same level (read attached to the same switch) but needs to have the first 
machine as gateway. (so MASQ rules works)

Doing in this way should work everything!!
Thank you again (i liked to study this...)
xchris


						

Re: redirection

[xchris]

On Wednesday 09 April 2003 03:34 pm, Christian Cernuschi wrote:
> On Wednesday 09 April 2003 03:10 pm, dhiraj.2.bhuyan@bt.com wrote:
> > note one thing -
> >
> > when the client tries to connect to port 80 of x.y.z.1, the firewall in
> > x.y.z.1 redirects the traffic to x.y.z.2:80
> >
> > so the client will be receiving packets from x.y.z.2:80 - which is not
> > what it is expecting. It is waiting for packets from x.y.z.1:80 - so it
> > will no doubt timeout. You should be able to see the packets coming from
> > x.y.z.2:80 by running a sniffer on the client machine.
> >
> > I think Eric Joe did infact give the right solution - that x.y.z.1 will
> > be working as a proxy between the client and x.y.z.2 - although you can
> > question if you are achieving your "loadbalancing" by this.
>
 exactly...
 it's the same conclusion i arrived..

 The solution (also for source adress keeping) is to masquerade the
 destination machine under the first one!

 The destination machine must not reside "under" the first.It can also be at
 the same level (read attached to the same switch) but needs to have the
 first machine as gateway. (so MASQ rules works)

 Doing in this way should work everything!!
 Thank you again (i liked to study this...)
xchris

Redirection

[Simone Sestini]

[-- Attachment #1: Type: text/plain, Size: 1074 bytes --]

Hi all.. i have a situation where i need to use iptables..

I have a public www with some virtual hosts on a machine with public ip 
2.2.2.2.
I have with another provider a second server with public ip 1.1.1.1

On dns server i wrote that intra.pippo.foo has address 1.1.1.1 so all the 
internet request come to machine 1.1.1.1 port 80.
I want that the server 1.1.1.1 redirects all the call on port 80 and 443 to 
the server 2.2.2.2 in transparent mode.. i don't want end user to know that 
datas are over server 2.2.2.2.

Naturally the www server on 2.2.2.2 listen on port 80 for intra.pippo.foo

How can i menage the packets with iptables for do that ?

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

Simone Sestini [ SS971-RIPE ]

Plug IT s.p.a. - Technical Office
Via Galileo Ferraris 216
52100 Arezzo

Titles:
System and Network Administrator
Data Transmission Manager

Fax             +39-199-4400-88
E-mail  simone.sestini@plugit.net
Web             http://www.plugit.it

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

[-- Attachment #2: Type: text/html, Size: 1727 bytes --]

RE: redirection

[dhiraj.2.bhuyan]

You do infact need DNAT and not SNAT

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT
--to-destination x.y.z.2:80

this should work.
dhiraj


-----Original Message-----
From: xchris [mailto:lyra@fastwebnet.it]
Sent: 08 April 2003 23:17
To: netfilter@lists.netfilter.org
Subject: Re: redirection



----- Original Message -----
From: "Eric Joe" <sysop@tje1.com>


> I didnt catch the fact that you need the source address. Are you tracking
> this for a reason? You can probably have iptables log the source address.
> This does in fact work, been using it for  about 6 months now. Let me post
> my exact rules (IPs are obsfucated)

i need it because i'm trying to do a simple load balancing between 2 local
servers running opennap.
(and opennap needs to know the IP address otherwise downloads dont start)
thnak you

xchris

Re: redirection

[xchris]

On Wednesday 09 April 2003 10:40 am, you wrote:
> You do infact need DNAT and not SNAT
>
> iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT
> --to-destination x.y.z.2:80
>
> this should work.


I tried but all connections go in timeout.
I first flushed every chain,set default policy everywhere,and then added DNAT 
rule...

no result...

The strange thing is :
if i DNAT on another interface everything is ok.
if i DNAT through the incoming connection interface... it fails.

strange...
I think i miss something..
Thank you
Chris

redirection

[xchris]

i'd like to do this:

i have 2 pc  
x.y.z.1
x.y.z.2

i would like to redirect connection on port 80 of x.y.z.1 to port 80 of 
x.y.z.2

i tried with DNAT but when someone tries to connect it goes in timeout?

Is there a solution?

Thank you
Chris

Re: redirection

[Eric Joe]

On Tue, 8 Apr 2003, xchris wrote:

> i'd like to do this:
> 
> i have 2 pc  
> x.y.z.1
> x.y.z.2
> 
> i would like to redirect connection on port 80 of x.y.z.1 to port 80 of 
> x.y.z.2
> 
> i tried with DNAT but when someone tries to connect it goes in timeout?

Do this


iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -d x.y.z.1 -j DNAT 
--to x.y.z.2:80

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to x.y.z.1


I use a line similar to this to reroute non-local traffic to a different 
web server then our local users.


Eric

Re: redirection

[xchris]

On Tuesday 08 April 2003 08:44 pm, Eric Joe wrote:

> Do this
>
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -d x.y.z.1 -j DNAT
> --to x.y.z.2:80
>
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to x.y.z.1

am i wrong or i loose the original connection source address?

if i check the log in x.y.z.2 i see connections from x.y.z.1.
I really need to preserve the source address.
Thank you very much
xchris

Re: redirection

[Eric Joe]

I didnt catch the fact that you need the source address. Are you tracking
this for a reason? You can probably have iptables log the source address.
This does in fact work, been using it for  about 6 months now. Let me post
my exact rules (IPs are obsfucated)

iptables -t nat -A PREROUTING -i eth0 -s 192.168.1.0/24 -p tcp --dport 80
-d 192.168.1.7 -j DNAT --to 192.168.1.7

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -d 192.168.1.7 -j
DNAT --to 192.168.1.11:80
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.7


Regards
Eric






-- 
Eric Joe
Network Operations
Journey's End Internet/Computer Connection Inc

> On Tuesday 08 April 2003 08:44 pm, Eric Joe wrote:
>
>> Do this
>>
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -d x.y.z.1 -j
>> DNAT --to x.y.z.2:80
>>
>> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to x.y.z.1
>
> am i wrong or i loose the original connection source address?
>
> if i check the log in x.y.z.2 i see connections from x.y.z.1.
> I really need to preserve the source address.
> Thank you very much
> xchris

Re: redirection

[xchris]

----- Original Message -----
From: "Eric Joe" <sysop@tje1.com>


> I didnt catch the fact that you need the source address. Are you tracking
> this for a reason? You can probably have iptables log the source address.
> This does in fact work, been using it for  about 6 months now. Let me post
> my exact rules (IPs are obsfucated)

i need it because i'm trying to do a simple load balancing between 2 local
servers running opennap.
(and opennap needs to know the IP address otherwise downloads dont start)
thnak you

xchris

redirection

[Christian Cernuschi]

i'd like to do this:

i have 2 pc  
x.y.z.1
x.y.z.2

i would like to redirect connection on port 80 of x.y.z.1 to port 80 of 
x.y.z.2

i tried with DNAT but when someone tries to connect it goes in timeout?

Is there a solution?

Thank you
Chris

Re: redirection

[Eric Joe]

On Tue, 8 Apr 2003, Christian Cernuschi wrote:

> i'd like to do this:
> 
> i have 2 pc  
> x.y.z.1
> x.y.z.2
> 
> i would like to redirect connection on port 80 of x.y.z.1 to port 80 of 
> x.y.z.2
> 
> i tried with DNAT but when someone tries to connect it goes in timeout?
> 



iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -d x.y.z.1 -j 
DNAT --to x.y.z.2:80

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to x.y.z.1



We are doing the *exact* thing you want to do everyday with the above 2 
lines. 


Eric