iptables http forwarding problem

  1. #1

    iptables http forwarding problem

    I have a Fedora Core 6 server with 3 NICs installed as follows

    eth0 - Network = 192.168.1.0/24 IP=192.168.1.155
    eth1 - Network = 172.31.10.0/26 IP=172.31.10.20
    eth2 - Network = 172.31.10.128/26 IP=172.31.10.150

    I need requests from the clients on the 192.168.1.xxx network to access the web server at 172.31.10.136 by using the URL http://192.168.1.155

    So far I have iptables configured to allow http requests to be forwarded to the web server but they are not routing back and I appear to have been going round in circles so need some help/advice.

    My iptables file is very basic and is as follows:

    Code:
    # Generated by iptables-save v1.3.5 on Mon Apr 21 16:51:24 2008
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A INPUT -i eth2 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A FORWARD -i eth0 -o eth2 -p tcp --dport 80 -j ACCEPT
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :dmz - [0:0]
    -A PREROUTING -i eth0 -j dmz
    -A PREROUTING -d 192.168.1.155 -j dmz
    -A OUTPUT -d 192.168.1.155 -j dmz
    -A dmz -p tcp --dport 80 -j DNAT --to-destination 172.31.10.136:80
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -s 172.31.10.128/26 -d 192.168.1.0/24 -j SNAT --to-source 192.168.1.155
    COMMIT

    Using tcpdump on the interface eth2, data can be seen passing through the interface to the web server:

    Code:
    # tcpdump -i 3 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
    19:41:22.535251 IP <SERVER_FQDN>.beacon-port-2 > 172.31.10.136.http: S 102350687:102350687(0) win 65535 <mss 1460,nop,nop,sackOK>

    However it is not being routed back, as indicated in /proc/net/ip_conntrack

    Code:
    tcp      6 111 SYN_SENT src=192.168.1.112 dst=192.168.1.155 sport=4405 dport=80 packets=1 bytes=48 [UNREPLIED] src=172.31.10.136 dst=192.168.1.112 sport=80 dport=4405 packets=0 bytes=0 mark=0 secmark=0 use=1

    Any clues/solutions to this problem most welcome
    Happy to supply further info if needed.
    Thanks.

  2. #2
    Resolved - the postrouting masquerade needs to be on eth2 not eth0

    Amend the POSTROUTING line as follows

    Code:
    -A POSTROUTING -o eth2 -j MASQUERADE
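
The conntrack entry in the question already shows what the fix in #2 changes: its reply tuple has dst=192.168.1.112, so the connection was DNATed to the web server but still carries the client's source address. As an added example (not part of the original thread), this Python code classifies conntrack lines that way; the second sample line is constructed and assumes the flow is masqueraded to the eth2 address 172.31.10.150.

```python
import re

# First line: the entry posted in the question, joined onto one line.
# Second line: CONSTRUCTED, the same kind of flow after source NAT on eth2.
SAMPLE = """\
tcp      6 111 SYN_SENT src=192.168.1.112 dst=192.168.1.155 sport=4405 dport=80 packets=1 bytes=48 [UNREPLIED] src=172.31.10.136 dst=192.168.1.112 sport=80 dport=4405 packets=0 bytes=0 mark=0 secmark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.112 dst=192.168.1.155 sport=4406 dport=80 packets=5 bytes=620 src=172.31.10.136 dst=172.31.10.150 sport=80 dport=4406 packets=4 bytes=1890 [ASSURED] mark=0 secmark=0 use=1
"""

# Each TCP/UDP entry holds two tuples: original direction, then expected reply.
TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_entry(line):
    """Return NAT facts for one conntrack line, or None without two tuples."""
    tuples = TUPLE.findall(line)
    if len(tuples) < 2:
        return None  # e.g. ICMP entries, which carry no sport/dport
    (o_src, o_dst, o_sport, o_dport), (r_src, r_dst, r_sport, r_dport) = tuples[:2]
    return {
        "client": o_src,
        # Without NAT the reply tuple is the original tuple mirrored.
        # A different reply source means the destination was rewritten (DNAT).
        "dnat_to": r_src if (r_src, r_sport) != (o_dst, o_dport) else None,
        # A different reply destination means the source was rewritten
        # (SNAT or MASQUERADE).
        "snat_to": r_dst if (r_dst, r_dport) != (o_src, o_sport) else None,
        "unreplied": "[UNREPLIED]" in line,
    }


def analyze(text):
    """Parse every non-empty line of conntrack output."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def dnat_without_snat(entries):
    """Flows that were DNATed, kept the client's address, and got no reply."""
    return [e for e in entries
            if e and e["dnat_to"] and not e["snat_to"] and e["unreplied"]]


if __name__ == "__main__":
    for e in dnat_without_snat(analyze(SAMPLE)):
        print("no reply for DNAT flow:", e["client"], "->", e["dnat_to"])
```
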
