Temporary redirection with DNAT and SNAT
whereisgui at gmail.com
Fri Apr 29 01:25:58 CEST 2005
Thanks for your help. I solved the problem.
First, I'll answer your questions then I'll explain the fix.
>Do you have any other rules in your FORWARD chain that will allow the
rest of the traffic flow >through to the Proxy, i.e. --state
ESTABLISHED? Correspondingly do you have any rules that >will prevent
the traffic that is flowing from the proxy in eth1 and back out eth0?
This could get >you down the road.
Yes, I have FORWARD rules and I allow ESTABLISHED connections. The
other 5 servers behind the firewall work fine. I did check for typos
but I did not find any.
>You will have to specify a protocol "-p tcp" to use any port definitions.
No typos but.. right, I was missing the protocol. I added the protocol
to the rules and I was able to start the connection to the server but
the server had problems replying to the client so the connection was
>I think the difference is that the SNAT rule does not
>specify the protocol the way the DNAT rule does ( -p tcp ).
>You can only specify a source port for a
>protocol that uses the concept of a "port".
You might be right I fixed the syntax of my rules and I still did not
get the set up to work.
If you are interested, here's what I did.
1. Added the proxy's public IP to the firewall's external interface.
ip addr add $PROXY_IP/23 dev eth0
2. Added a second private IP to the server that will be handling the
requests for the offline server (eth0:0).
Now I have an "extra" machine that will be replacing the offline proxy.
3. Configured proxy to listen on eth0:0 192.168.0.9:80
4. Iptables rules
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.9 --dport 80 -j ACCEPT
-I POSTROUTING -s 192.168.0.9 -o eth0 -j SNAT --to $PROXY_IP
-A PREROUTING -i eth0 -p tcp -d $PROXY_IP --dport 80 -j DNAT --to 192.168.0.9:80
My set up seems to be working fine.
Thanks again for your help.
More information about the netfilter