Temporary redirection with DNAT and SNAT

Kirk whereisgui at gmail.com
Fri Apr 29 01:25:58 CEST 2005

Thanks for your help. I solved the problem.
First, I'll answer your questions then I'll explain the fix.

>Do you have any other rules in your FORWARD chain that will allow the
rest of the traffic flow >through to the Proxy, i.e. --state
ESTABLISHED?  Correspondingly do you have any rules that >will prevent
the traffic that is flowing from the proxy in eth1 and back out eth0? 
This could get >you down the road.

Yes, I have FORWARD rules and I allow ESTABLISHED connections.  The
other 5 servers behind the firewall work fine. I did check for typos
but I did not find any.

>You will have to specify a protocol "-p tcp" to use any port definitions.
No typos but.. right, I was missing the protocol. I added the protocol
to the rules and I was able to start the connection to the server but
the server had problems replying to the client so the connection was

To Jim,

>I think the difference is that the SNAT rule does not
>specify the protocol the way the DNAT rule does ( -p tcp ).
>You can only specify a source port for a
>protocol that uses the concept of a "port".
You might be right I fixed the syntax of my rules and I still did not
get the set up to work.

If you are interested, here's what I did. 

1. Added the proxy's public IP to the firewall's external interface.
ip addr add $PROXY_IP/23 dev eth0

2. Added a second private IP to the server that will be handling the
requests for the offline server (eth0:0).

Now I have an "extra" machine that will be replacing the offline proxy.

3. Configured proxy to listen on eth0:0
4. Iptables rules

-A FORWARD -i eth0 -o eth1 -p tcp  -d --dport 80 -j ACCEPT

-I POSTROUTING -s -o eth0 -j SNAT --to $PROXY_IP
-A PREROUTING -i eth0 -p tcp -d $PROXY_IP --dport 80 -j DNAT --to

My set up seems to be working fine.
Thanks again for your help.

More information about the netfilter mailing list