* Redirecting Outbound Port to Internal Server
From: Aaron Clausen @ 2010-06-09 20:48 UTC (permalink / raw)
To: netfilter
I'm trying to sort out a way to redirect all outgoing traffic destined
for port 8080 to an internal server. I must be having some nasty
brain fart because I just can't get it working.
--
Aaron Clausen
mightymartianca@gmail.com
* Re: Redirecting Outbound Port to Internal Server
From: Jan Engelhardt @ 2010-06-09 21:06 UTC (permalink / raw)
To: Aaron Clausen; +Cc: netfilter
On Wednesday 2010-06-09 22:48, Aaron Clausen wrote:
>I'm trying to sort out a way to redirect all outgoing traffic destined
>for port 8080 to an internal server. I must be having some nasty
>brain fart because I just can't get it working.
Just directly connect to the target address.
* Re: Redirecting Outbound Port to Internal Server
From: Curby @ 2010-06-09 21:16 UTC (permalink / raw)
To: Aaron Clausen; +Cc: netfilter
On Wed, Jun 9, 2010 at 2:48 PM, Aaron Clausen <mightymartianca@gmail.com> wrote:
> I'm trying to sort out a way to redirect all outgoing traffic destined
> for port 8080 to an internal server. I must be having some nasty
> brain fart because I just can't get it working.
Just to clarify, you have a router or gateway machine between the
Internet and an internal network, and all TCP connections from any
internal machine to port 8080 should be DNATed to a proxy-like
machine, also on the internal network? If so, I think the problem is
that a single DNAT rule would cause the request to go through to the
internal proxy, but the proxy would send a reply back to the client,
which rejects it because it's expecting a reply from the router box.
Have you handled that issue? Perhaps seeing your existing rules would
help too. (I know this post isn't too helpful. I'm just trying to
understand your setup and throw out a possible gotcha.)
--Mike
* Re: Redirecting Outbound Port to Internal Server
From: Grant Taylor @ 2010-06-09 21:24 UTC (permalink / raw)
To: Mail List - Netfilter
On 06/09/10 16:16, Curby wrote:
> I think the problem is that a single DNAT rule would cause the
> request to go through to the internal proxy, but the proxy would send
> a reply back to the client, which rejects it because it's expecting a
> reply from the router box.
I agree.
If you want to do the redirection this way, you have to SNAT the traffic
from the router to the proxy so that the proxy will reply to the router.
Then when the router receives the reply from the proxy, it will pass
the reply on to the original client.
I have done this before and it works quite well.
Now, I do ask the question, is it not possible to have your clients
communicate directly with the proxy?
I ask because what you want to do can be done and does work, but it
causes all the traffic between clients and the proxy to pass through the
router, thus making your router's NIC & CPU a potential bottleneck
that can (fairly easily) be avoided.
Grant. . . .
* Re: Redirecting Outbound Port to Internal Server
From: Curby @ 2010-06-09 22:43 UTC (permalink / raw)
To: Grant Taylor; +Cc: Mail List - Netfilter
On Wed, Jun 9, 2010 at 3:24 PM, Grant Taylor <gtaylor@riverviewtech.net> wrote:
> Now, I do ask the question, is it not possible to have your clients
> communicate directly with the proxy?
His later message suggests that the target machine is a web server and
not a proxy. In that case, I wonder if tweaking DNS to have the
relevant requests point directly to the local machine would be easier.
OTOH, he said that all outbound traffic on port 8080 should be sent to
the internal machine, which is odd if it's a simple web server hosting
a site or two.
--Mike
* Re: Redirecting Outbound Port to Internal Server
From: Grant Taylor @ 2010-06-10 0:17 UTC (permalink / raw)
To: Mail List - Netfilter
Curby wrote:
> His later message suggests that the target machine is a web server
> and not a proxy. In that case, I wonder if tweaking DNS to have the
> relevant requests point directly to the local machine would be
> easier.
I don't know if it would be easier or not, but it probably would be
better in the long run.
If there is a local DNS server, there are a number of options to do this.
> OTOH, he said that all outbound traffic on port 8080 should be sent
> to the internal machine, which is odd if it's a simple web server
> hosting a site or two.
Think a small business that is hosting their own web site on an internal
server. Public DNS will likely reflect the external IP and traffic
would be port forwarded in to said server.
What the OP is wanting to do is commonly referred to as NAT loopback /
wraparound.
Grant. . . .
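The DNAT-plus-SNAT arrangement Curby and Grant describe earlier in the thread, and the NAT loopback case Grant names in this last message, as a worked example added here (it is not code posted in the thread). Every address, interface name and the port are assumptions; the script prints the iptables commands by default and only runs them when APPLY=1 is set:

```sh
#!/bin/sh
# Hairpin (NAT loopback) rule generator for the situation in this thread:
# a LAN client connects to TCP/8080 on an address that is not on the LAN
# (typically the router's public IP), the router DNATs the connection to the
# internal server and SNATs it so the server replies to the router, which
# then un-NATs the reply for the client. Without the SNAT step the server
# answers the client directly and the client drops the reply.
#
# Added example, not from the thread. Addresses, interface names and the
# port below are assumptions; override them through the environment.
set -eu

LAN_IF=${LAN_IF:-eth1}               # interface facing the clients and the server
WAN_IF=${WAN_IF:-eth0}               # interface facing the Internet
LAN_NET=${LAN_NET:-192.168.1.0/24}   # the internal network
ROUTER_IP=${ROUTER_IP:-192.168.1.1}  # the router's own address on LAN_IF
SERVER=${SERVER:-192.168.1.10}       # the internal web server
PORT=${PORT:-8080}

# Print the ordinary inbound port forward for Internet clients (the
# "port forwarded in" case): WAN_IF LAN_IF SERVER PORT
inbound_forward_rule() {
    wan_if=$1; lan_if=$2; server=$3; port=$4
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan_if" "$port" "$server" "$port"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$wan_if" "$lan_if" "$server" "$port"
}

# Print the four rules for the hairpinned LAN flows:
#   LAN_IF LAN_NET ROUTER_IP SERVER PORT
hairpin_rules() {
    lan_if=$1; lan_net=$2; router_ip=$3; server=$4; port=$5
    # 1. DNAT: client -> (off-LAN address):port becomes client -> server:port.
    #    Client-to-client traffic inside the LAN never crosses the router, so
    #    only destinations outside LAN_NET can be caught here; replace
    #    "! -d LAN_NET" with "-d <public IP>" to limit this to the router's
    #    public address.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s ! -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$lan_if" "$lan_net" "$lan_net" "$port" "$server" "$port"
    # 2. SNAT, only for flows conntrack has marked as DNATed, so the server
    #    sees the router as the client and its replies return via the router.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -m conntrack --ctstate DNAT -j SNAT --to-source %s\n' \
        "$lan_if" "$lan_net" "$server" "$port" "$router_ip"
    # 3. Filter table: allow the hairpinned connection in both directions
    #    (the packets enter and leave on the same interface).
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$lan_if" "$lan_if" "$server" "$port"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -p tcp --sport %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$lan_if" "$lan_if" "$server" "$port"
}

# The complete command list: forwarding on, inbound forward, hairpin rules.
emit_all() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    inbound_forward_rule "$WAN_IF" "$LAN_IF" "$SERVER" "$PORT"
    hairpin_rules "$LAN_IF" "$LAN_NET" "$ROUTER_IP" "$SERVER" "$PORT"
}

# Dry run by default; APPLY=1 pipes the generated commands to a root shell.
if [ "${APPLY:-0}" = 1 ]; then
    emit_all | sh -e
else
    emit_all
fi
```

Two consequences worth checking before using this: because of the SNAT, the server's access logs and any IP-based access control see every LAN client as ROUTER_IP, and every byte between LAN clients and the server crosses the router twice, which is the bottleneck Grant points out. The DNS route avoids both: if the LAN resolver is, for instance, dnsmasq, a single `address=/www.example.com/192.168.1.10` line (hostname and address assumed here) hands internal clients the internal address directly and none of the hairpin rules are needed.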