2 ips, same port, forward to original ip but different port

2 ips, same port, forward to original ip but different port

[Fu-Tung Cheng]

Hi,

Here is my current rule set.  I've tried other combinations of settings but with no more luck than the current rule set.

$IPTABLES -A FORWARD -p tcp --destination-port 80 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port
80 --to-ports 12080

Now what I need to happen is that requests coming into ip1:80 goto
ip1:12080 and ip2:80 goto ip2:12080.  What seems to be happening is
that all requests coming into 80 are going to ip1:12080.

Any pointers gladly accepted.

Thank you,

Fu-Tung



      

Re: 2 ips, same port, forward to original ip but different port

[Pascal Hambourg]

Fu-Tung Cheng a écrit :
> 
> $IPTABLES -A FORWARD -p tcp --destination-port 80 -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port
> 80 --to-ports 12080
> 
> Now what I need to happen is that requests coming into ip1:80 goto
> ip1:12080 and ip2:80 goto ip2:12080.  What seems to be happening is
> that all requests coming into 80 are going to ip1:12080.

If I understand correctly, you want to change only the destination port, 
not the destination address. But the iptables manpage says that the 
REDIRECT target replaces the destination address with the primary 
address of the incoming interface, so it may not be suitable for your 
purpose.

You can use the DNAT target instead. Either :

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to :12080

will translate the destination port 80 into 12080 regardless of the 
destination address and without changing it,

or :

iptables -t nat -A PREROUTING -d $ip1 -p tcp --dport 80 \
   -j DNAT --to $ip1:12080
iptables -t nat -A PREROUTING -d $ip2 -p tcp --dport 80 \
   -j DNAT --to $ip2:12080

will translate only ip1:80 into ip1:12080 and ip2:80 into ip2:12080.

PS: What is the purpose of the first rule in the FORWARD chain ?

Re: 2 ips, same port, forward to original ip but different port

[Fu-Tung Cheng]

Thank you!!

You understood correctly.  I wanted any incoming on 80 to be forwarded on the same interface to 12080.

> If I understand correctly, you want to change only the
> destination port, not the destination address. But the
> iptables manpage says that the REDIRECT target replaces the
> destination address with the primary address of the incoming
> interface, so it may not be suitable for your purpose.
> 
> You can use the DNAT target instead. Either :
> 
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT
> --to :12080
> 
> will translate the destination port 80 into 12080
> regardless of the destination address and without changing
> it,
> 


Not sure what I thought that was supposed to do.  I just copied a couple rules for forwarding from some tutorial and those were included and didn't think to really question them.  I need to spend some more time with the man pages.  I think my big problem was that I thought iptables -F would flush all chains but instead it was likely only flushing the default chain and not the nat chain.

> PS: What is the purpose of the first rule in the FORWARD
> chain ?


Thanks again,

Fu-Tung