
Thread: iptables http forwarding problem

  1. #1

    iptables http forwarding problem

    I have a Fedora Core 6 server with 3 NICs installed as follows:

    eth0 – Network = 192.168.1.0/24 IP=192.168.1.155
    eth1 – Network = 172.31.10.0/26 IP=172.31.10.20
    eth2 – Network = 172.31.10.128/26 IP=172.31.10.150

    I need requests from the clients on the 192.168.1.xxx network to access the web server at 172.31.10.136 by using the URL http://192.168.1.155

    So far I have iptables configured to allow http requests to be forwarded to the web server, but they are not routing back, and I appear to have been going round in circles, so I need some help/advice.

    My iptables file is very basic and is as follows:

    Code:
    # Generated by iptables-save v1.3.5 on Mon Apr 21 16:51:24 2008
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -i eth1 -j ACCEPT
    -A INPUT -i eth2 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    -A FORWARD -i eth0 -o eth2 -p tcp --dport 80 -j ACCEPT
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :dmz - [0:0]
    -A PREROUTING -i eth0 -j dmz
    -A PREROUTING -d 192.168.1.155 -j dmz
    -A OUTPUT -d 192.168.1.155 -j dmz
    -A dmz -p tcp --dport 80 -j DNAT --to-destination 172.31.10.136:80
    -A POSTROUTING -o eth0 -j MASQUERADE
    -A POSTROUTING -s 172.31.10.128/26 -d 192.168.1.0/24 -j SNAT --to-source 192.168.1.155
    COMMIT
    Using tcpdump on interface eth2, data can be seen passing through the interface to the web server:
    Code:
    # tcpdump -i 3 port 80
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
    19:41:22.535251 IP <SERVER_FQDN>.beacon-port-2 > 172.31.10.136.http: S 102350687:102350687(0) win 65535 <mss 1460,nop,nop,sackOK>
    However, it is not being routed back, as indicated in /proc/net/ip_conntrack:

    Code:
    tcp      6 111 SYN_SENT src=192.168.1.112 dst=192.168.1.155 sport=4405 dport=80 packets=1 bytes=48 [UNREPLIED] src=172.31.10.136 dst=192.168.1.112 sport=80 dport=4405 packets=0 bytes=0 mark=0 secmark=0 use=1
    Any clues/solutions to this problem are most welcome.
    Happy to supply further info if needed.
    Thanks.

  2. #2
    Resolved – the POSTROUTING MASQUERADE needs to be on eth2, not eth0.

    Amend the POSTROUTING line as follows:

    Code:
    -A POSTROUTING -o eth2 -j MASQUERADE
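    The path the first packet of the connection from post #1 takes through both rulesets, as an added example that is not part of the thread. It assumes a simplified netfilter model (PREROUTING, then the route lookup, then POSTROUTING; routing only over the directly connected networks; a NAT target ends chain traversal) and embeds a constructed subset of the *nat rules from post #1 together with the change from post #2; the functions `parse_rules`, `out_iface`, `matches`, `run_chain` and `nat_first_packet` are this example's own, not anything iptables ships.

```python
import ipaddress
import shlex

# Interfaces and *nat rules from post #1 (constructed here; added example, not the thread's own code).
IFACES = {n: ipaddress.ip_interface(a) for n, a in
          [("eth0", "192.168.1.155/24"), ("eth1", "172.31.10.20/26"), ("eth2", "172.31.10.150/26")]}
ORIGINAL = """-A PREROUTING -i eth0 -j dmz
-A dmz -p tcp --dport 80 -j DNAT --to-destination 172.31.10.136:80
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.31.10.128/26 -d 192.168.1.0/24 -j SNAT --to-source 192.168.1.155"""
FIXED = ORIGINAL.replace("-o eth0 -j MASQUERADE", "-o eth2 -j MASQUERADE")  # the change from post #2

def parse_rules(text):
    """Parse '-A chain opt val ...' lines of an iptables-save *nat table into dicts."""
    split = [shlex.split(ln)[1:] for ln in text.splitlines() if ln.startswith("-A ")]
    return [{"chain": t[0], **{t[i].lstrip("-"): t[i + 1] for i in range(1, len(t), 2)}} for t in split]

def out_iface(dst):  # route lookup: longest-prefix match over the directly connected networks
    return max((n for n in IFACES if dst in IFACES[n].network), key=lambda n: IFACES[n].network.prefixlen)

def matches(r, pkt):
    return (r.get("i") in (None, pkt["in"]) and r.get("o") in (None, pkt["out"])
            and ("s" not in r or pkt["src"] in ipaddress.ip_network(r["s"]))
            and ("d" not in r or pkt["dst"] in ipaddress.ip_network(r["d"]))
            and r.get("dport") in (None, str(pkt["dport"])))

def run_chain(rules, chain, pkt):
    """Walk one chain; a NAT target ends traversal, any other target is a user-defined chain."""
    for r in [r for r in rules if r["chain"] == chain and matches(r, pkt)]:
        tgt = r["j"]
        if tgt == "DNAT":
            host, port = r["to-destination"].rsplit(":", 1)
            pkt["dst"], pkt["dport"] = ipaddress.ip_address(host), int(port)
        elif tgt in ("SNAT", "MASQUERADE"):  # MASQUERADE is SNAT to the outgoing interface's address
            pkt["src"] = ipaddress.ip_address(r["to-source"]) if tgt == "SNAT" else IFACES[pkt["out"]].ip
        elif not run_chain(rules, tgt, pkt):  # jump into a user chain such as 'dmz'
            continue
        return True  # a NAT mapping was applied; stop traversing
    return False

def nat_first_packet(rules, src, dst, dport, in_iface="eth0"):
    """Trace a flow's first packet (PREROUTING, route lookup, POSTROUTING); conntrack reuses the result."""
    pkt = {"in": in_iface, "out": None, "src": ipaddress.ip_address(src),
           "dst": ipaddress.ip_address(dst), "dport": dport}
    run_chain(rules, "PREROUTING", pkt)
    pkt["out"] = out_iface(pkt["dst"])  # the routing decision sits between the two NAT hooks
    run_chain(rules, "POSTROUTING", pkt)
    on_link = pkt["src"] in IFACES[pkt["out"]].network  # can the server answer without a route back?
    return pkt["out"], str(pkt["src"]), str(pkt["dst"]), on_link
```

    With the original rules the SYN leaves eth2 still sourced from 192.168.1.112, an address the web server has no directly connected route for, which is consistent with the [UNREPLIED] conntrack entry; with MASQUERADE on eth2 it leaves as 172.31.10.150 and the reply comes straight back to the box. The SNAT rule never fires for this flow because NAT is only evaluated on the first packet, and that packet is sourced from 192.168.1.0/24, not 172.31.10.128/26.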
