iptables acting as a TCP proxy
Mon, 15 Mar 2004 11:28:20 +0000
On Monday 15 March 2004 11:10 am, Gavin Hamill wrote:
> Basically, we're moving a webserver from hosting in-house to a data
> centre, so whilst the DNS is propagating, I'd like to use our firewall
> to proxy port 80 requests destined for the now-defunct old IP, to the
> new external IP.
> I know this means wasting a lot of bandwidth, but there should be plenty
> left over once the webserver is no longer in the building.
> I seem to remember the solution was a pair of rules using the mangle
> table and SNAT / DNAT, but try as I might, I can't find it with Google.
> Can anyone help?
# DNAT/SNAT live in the nat table, so PREROUTING/POSTROUTING need -t nat
iptables -t nat -A PREROUTING -p tcp --dport 80 -d old.ip.add.ress -j DNAT --to new.ip.add.ress
# the packet already carries the new destination by the time FORWARD sees it
iptables -A FORWARD -p tcp --dport 80 -d new.ip.add.ress -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dport 80 -d new.ip.add.ress -j SNAT --to my.ip.add.ress
Where old.ip.add.ress is the old IP, routed towards the machine running these
rules, new.ip.add.ress is the new IP, somewhere out in the Internet, and
my.ip.add.ress is the address of the Firewall itself.
What these rules mean is:
1. Anything sent to the old address should go to the new address instead.
2. Make sure it gets there through the FORWARD chain.
3. Set the source address to be this machine so the replies come back this way
and get reverse-natted.
Note that whilst you are using this rule, all accesses to the remote webserver
will appear to come from your firewall (you can't tell where the real clients
are), but since this is only a temporary arrangement I guess you're happy
There are two possible outcomes:
If the result confirms the hypothesis, then you've made a measurement.
If the result is contrary to the hypothesis, then you've made a discovery.
- Enrico Fermi
Please reply to the list;
please don't CC me.
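The rule set from the reply above, packaged as an added example (not code from the original post or its author) so it can be printed for review, applied, and removed again as one unit once the DNS change has propagated. It goes slightly beyond the post: it also accepts the reply traffic through FORWARD (needed when that chain's policy is DROP), turns on IP forwarding, and limits the SNAT to connections the DNAT created so unrelated forwarded traffic to the new address keeps its real source. The addresses are RFC 5737 documentation addresses standing in for old.ip.add.ress, new.ip.add.ress and my.ip.add.ress; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: the reply's temporary "TCP proxy"
# as shell functions.  Addresses are RFC 5737 documentation addresses standing
# in for old.ip.add.ress / new.ip.add.ress / my.ip.add.ress; override them
# through the environment.
OLD_IP="${OLD_IP:-192.0.2.10}"      # old server address, now routed to this box
NEW_IP="${NEW_IP:-198.51.100.20}"   # the server's new address at the data centre
FW_IP="${FW_IP:-203.0.113.1}"       # this firewall's own address (SNAT source)
PORT="${PORT:-80}"

# proxy_rules ACTION
# Print one iptables command per line.  ACTION is -A to add the rules or -D
# to delete exactly the same rules again later.
proxy_rules() {
    act="$1"
    # 1. DNAT/SNAT live in the nat table, so PREROUTING and POSTROUTING must be
    #    addressed with -t nat.  Rewrite the destination of anything aimed at
    #    the old address.
    printf 'iptables -t nat %s PREROUTING -p tcp --dport %s -d %s -j DNAT --to-destination %s\n' \
        "$act" "$PORT" "$OLD_IP" "$NEW_IP"
    # 2. The DNAT has already happened when FORWARD sees the packet, so match
    #    the new destination.  Replies cross FORWARD too (still with the
    #    server's address as source at that point), so accept them as
    #    established traffic in case the chain policy is DROP.
    printf 'iptables %s FORWARD -p tcp --dport %s -d %s -j ACCEPT\n' \
        "$act" "$PORT" "$NEW_IP"
    printf 'iptables %s FORWARD -p tcp --sport %s -s %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' \
        "$act" "$PORT" "$NEW_IP"
    # 3. Source-NAT to the firewall so the remote server answers to us and
    #    conntrack can undo both translations on the way back.  Matching only
    #    connections that were DNATed (--ctstate DNAT) leaves ordinary
    #    forwarded traffic to NEW_IP untouched; the post SNATs all of it.
    printf 'iptables -t nat %s POSTROUTING -p tcp --dport %s -d %s -m conntrack --ctstate DNAT -j SNAT --to-source %s\n' \
        "$act" "$PORT" "$NEW_IP" "$FW_IP"
}

# Apply or remove the rules.  Forwarding must be enabled or the DNATed
# packets are dropped after PREROUTING and nothing ever reaches FORWARD.
proxy_start() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    proxy_rules -A | sh -e
}
proxy_stop() {
    proxy_rules -D | sh -e
}

case "${1:-show}" in
    start) proxy_start ;;
    stop)  proxy_stop ;;
    *)     proxy_rules -A ;;   # dry run: print what "start" would execute
esac
```

Run it with no argument first to see the exact commands, then `start` as root; `stop` deletes the same four rules. As the reply notes, while this is in place every request at the new server carries the firewall's address as its source, so the web server's logs lose the real client addresses for the duration.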