Linux Netfilter discussions
* iptables acting as a TCP proxy
From: Gavin Hamill @ 2004-03-15 11:10 UTC (permalink / raw)
  To: netfilter

Hi :)

Sorry to bring this here since I've done it before based on info on the
web, but I can't find the info this time round :(

Basically, we're moving a webserver from hosting in-house to a data
centre, so whilst the DNS is propagating, I'd like to use our firewall
to proxy port 80 requests destined for the now-defunct old IP, to the
new external IP.

I know this means wasting a lot of bandwidth, but there should be plenty
left over once the webserver is no longer in the building.

I seem to remember the solution was a pair of rules using the mangle
table and SNAT / DNAT, but try as I might, I can't find it with Google.

Can anyone help?

Cheers,
Gavin.


* Re: iptables acting as a TCP proxy
From: Antony Stone @ 2004-03-15 11:28 UTC (permalink / raw)
  To: netfilter

On Monday 15 March 2004 11:10 am, Gavin Hamill wrote:

> Basically, we're moving a webserver from hosting in-house to a data
> centre, so whilst the DNS is propagating, I'd like to use our firewall
> to proxy port 80 requests destined for the now-defunct old IP, to the
> new external IP.
>
> I know this means wasting a lot of bandwidth, but there should be plenty
> left over once the webserver is no longer in the building.
>
> I seem to remember the solution was a pair of rules using the mangle
> table and SNAT / DNAT, but try as I might, I can't find it with Google.
>
> Can anyone help?

iptables -t nat -A PREROUTING -p tcp --dport 80 -d old.ip.add.ress \
    -j DNAT --to new.ip.add.ress
iptables -A FORWARD -p tcp --dport 80 -d new.ip.add.ress -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport 80 -d new.ip.add.ress \
    -j SNAT --to my.ip.add.ress

Where old.ip.add.ress is the old IP, routed towards the machine running these 
rules, new.ip.add.ress is the new IP, somewhere out in the Internet, and 
my.ip.add.ress is the address of the Firewall itself.

What these rules mean is:
1. Anything sent to the old address should go to the new address instead.
2. Make sure it gets there through the FORWARD chain.
3. Set the source address to be this machine so the replies come back this way 
and get reverse-natted.

Note that whilst you are using this rule, all accesses to the remote webserver 
will appear to come from your firewall (you can't tell where the real clients 
are), but since this is only a temporary arrangement I guess you're happy 
with that.

Regards,

Antony.

-- 
There are two possible outcomes:

 If the result confirms the hypothesis, then you've made a measurement.
 If the result is contrary to the hypothesis, then you've made a discovery.

 - Enrico Fermi

                                                     Please reply to the list;
                                                           please don't CC me.
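
The three rules above, as an added example that is not part of Antony's post or the thread: a small script that builds the same DNAT / FORWARD / SNAT set in the nat table (the PREROUTING and POSTROUTING chains live there, so -t nat is required and DNAT/SNAT are nat-only targets), turns on IP forwarding, accepts the return path through FORWARD for firewalls whose FORWARD policy is DROP, and logs each new client connection in FORWARD, before SNAT rewrites the source, so the real client address is still recorded on the firewall even though the webserver only ever sees the firewall. The three addresses are RFC 5737 documentation placeholders, and the "-m conntrack --ctstate DNAT" match that confines the SNAT to proxied flows is a choice of this example, not something the thread discusses.

```shell
#!/bin/sh
# Added example, not code from the thread. Port-80 "proxy" via DNAT + SNAT,
# as described in the reply above. All three addresses are placeholders
# (RFC 5737 documentation ranges); override them in the environment.
OLD_IP="${OLD_IP:-192.0.2.10}"      # old address, routed to this firewall
NEW_IP="${NEW_IP:-198.51.100.20}"   # new address out at the data centre
FW_IP="${FW_IP:-203.0.113.1}"       # the firewall's own public address
PORT="${PORT:-80}"

# Emit the rule set rather than running it, so it can be reviewed first.
# PREROUTING / POSTROUTING exist only in the nat table, hence -t nat.
build_proxy_rules() {
    old="$1"; new="$2"; fw="$3"; port="$4"
    cat <<EOF
iptables -t nat -A PREROUTING -p tcp -d $old --dport $port -j DNAT --to-destination $new
iptables -A FORWARD -p tcp -d $new --dport $port -m conntrack --ctstate NEW -j LOG --log-prefix "proxy80: "
iptables -A FORWARD -p tcp -d $new --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $new --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -d $new --dport $port -m conntrack --ctstate DNAT -j SNAT --to-source $fw
EOF
}
# Rule by rule:
#  1. DNAT: anything for the old address is redirected to the new one.
#  2. LOG:  the real client source is still visible here (SNAT has not
#           happened yet), so the firewall keeps a record of who connected.
#  3./4.   FORWARD accepts the proxied flow in both directions; replies are
#           de-NATed by conntrack before they reach FORWARD, so they match
#           on the webserver as source.
#  5. SNAT: only connections that were DNATed get the firewall's address
#           as source, so replies come back here and are reverse-NATed.

apply_proxy_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root to apply" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_proxy_rules "$OLD_IP" "$NEW_IP" "$FW_IP" "$PORT" | sh -e
}

# No argument: print the rules for review. "apply": install them.
case "${1:-}" in
    apply) apply_proxy_rules ;;
    *)     build_proxy_rules "$OLD_IP" "$NEW_IP" "$FW_IP" "$PORT" ;;
esac
```

Run it with no argument to print the rule set, or as root with "apply" to install it. Once traffic flows, conntrack -L -p tcp --dport 80 (from conntrack-tools) shows each proxied connection with the real client on the original side and the firewall's address on the reply side, which is the reverse NAT Antony refers to; the kernel log carries the "proxy80:" lines with the real client address. Remember to flush these rules once DNS has settled, as anything still reaching the old address will otherwise keep being relayed.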

* Re: iptables acting as a TCP proxy
From: Gavin Hamill @ 2004-03-15 12:43 UTC (permalink / raw)
  To: netfilter

On Monday 15 March 2004 11:28, Antony Stone wrote:

> iptables -t nat -A PREROUTING -p tcp --dport 80 -d old.ip.add.ress \
>     -j DNAT --to new.ip.add.ress
> iptables -A FORWARD -p tcp --dport 80 -d new.ip.add.ress -j ACCEPT
> iptables -t nat -A POSTROUTING -p tcp --dport 80 -d new.ip.add.ress \
>     -j SNAT --to my.ip.add.ress

A thousand thanks, Antony - you're a giraffe among men - so walk tall :)

Yep this works a treat, and you're quite right the fact that requests will all 
come from the firewall doesn't matter :)

Cheers,
Gavin.


* Re: iptables acting as a TCP proxy
From: Antony Stone @ 2004-03-15 12:59 UTC (permalink / raw)
  To: Netfilter Mailing List

On Monday 15 March 2004 12:43 pm, Gavin Hamill wrote:

> On Monday 15 March 2004 11:28, Antony Stone wrote:
> > iptables -t nat -A PREROUTING -p tcp --dport 80 -d old.ip.add.ress \
> >     -j DNAT --to new.ip.add.ress
> > iptables -A FORWARD -p tcp --dport 80 -d new.ip.add.ress -j ACCEPT
> > iptables -t nat -A POSTROUTING -p tcp --dport 80 -d new.ip.add.ress \
> >     -j SNAT --to my.ip.add.ress
>
> A thousand thanks, Antony - you're a giraffe among men - so walk tall :)

Er, thanks.   Never been called that before, but I'll do my best :)

Antony.

-- 
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.

                                                     Please reply to the list;
                                                           please don't CC me.


* RE: iptables acting as a TCP proxy
From: Mark E. Donaldson @ 2004-03-16  3:02 UTC (permalink / raw)
  To: 'Antony Stone', 'Netfilter Mailing List'

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Monday, March 15, 2004 5:00 AM
To: Netfilter Mailing List
Subject: Re: iptables acting as a TCP proxy

On Monday 15 March 2004 12:43 pm, Gavin Hamill wrote:

> On Monday 15 March 2004 11:28, Antony Stone wrote:
> > iptables -t nat -A PREROUTING -p tcp --dport 80 -d old.ip.add.ress \
> >     -j DNAT --to new.ip.add.ress
> > iptables -A FORWARD -p tcp --dport 80 -d new.ip.add.ress -j ACCEPT
> > iptables -t nat -A POSTROUTING -p tcp --dport 80 -d new.ip.add.ress \
> >     -j SNAT --to my.ip.add.ress
>
> A thousand thanks, Antony - you're a giraffe among men - so walk tall :)

Er, thanks.   Never been called that before, but I'll do my best :)

Antony.

--
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.

                                                     Please reply to the list;
                                                           please don't CC me.
