top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

IPTable: How to forward http traffic to two IPs

+5 votes
365 views

I want to forward all http traffic coming in from a perticular IP at local port 8080, to 2 particular IP Addresses (port 80). Is it enough to prepend the following in my IPtable

-A PREROUTING -s xx.xx.xx.xx/24 -p tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
-A PREROUTING -s xx.xx.xx.xx/24 -p tcp --dport 8080 -j DNAT --to-destination yyy.yyy.yyy.yyy:80

posted Jan 7, 2014 by Anderson

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

+2 votes

If you put it that way only xxx will receive packets, to balance between both of them you will need this:

-A PREROUTING -s xx.xx.xx.xx/24 -p tcp -m tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy:80

answer Jan 7, 2014 by Seema Siddique
Similar Questions
0 votes
IPTABLE: How to ignore forwarded traffic?

Consider the following example: you have a router between two networks, and you want to cut off the
router from the outside world using some iptables rules. However, all traffic that is forwarded by the router between the two networks basically is to be ignored by iptables (i.e., the router does not play firewall for any of the two networks).

Currently, if conntrack is loaded on the router, then conntrack -L on the router lists all the connections, not only those to and from the router, but also all connections between the two. Certainly, it takes some CPU cycles for the router to keep track of all the connections. Also, the number of connections that conntrack can take of is limited.

So is there a way to let Linux "bypass" conntrack and maybe other netfilter stuff when it comes to forwarded packets?

+2 votes
IPTable: Issue with owner module?

I have some issue with module (owner) in iptables v1.4.14

Current rule fails:
iptables -t nat -A OUTPUT -o eth0 -p tcp -s x.x.x.x -m owner --gid-owner usergroup -j DNAT --to-destination x.x.x.x:80;
I tried to use numeric gid, it failed too..

But this rule works fine:
iptables -t nat -A OUTPUT -o eth0 -p tcp -s x.x.x.x -m owner --uid-owner user -j DNAT --to-destination x.x.x.x:80;

Is it a BUG or I am missing something?

+1 vote
what would be the best strategy to intercept traffic from one machine to another

According to your experience what would be the best strategy to intercept traffic from one machine to another and process some (not all) request in a transparent way.

I explain, i have two machines:

192.168.1.1/24  192.168.1.2/24

All I want to do is to intercept traffic from a specific port(s), i.e. 4000/tcp and process it in a 'machine in the middle'.

192.168.1.1/24  machine-in-the-middle  192.168.1.2/24

The idea is that when 192.168.1.1 connects to 192.168.1.2:4000 then the machine in the middle will answer those requests, but the remaining traffic from 192.168.1.1 to 192.168.1.2 keep forwarding as is, and the same for the opposite direction.

0 votes
How to Filtering and Queue the Packets of a Process using Iptable?

I am trying to queue the packets of a process so I can use libnetfilter_queue to modify them.

I read in the documentation that I should use --pid-owner processid to filter packets of a process and iptables -I 

  -j NFQUEUE --queue-num  to add them to the queue.

I read the documentation but I am still confused how to do this. If any one can help me to understand this command I would appreciate it a lot.

+1 vote
How to set multihop gateway rules for forward table?

My network is like this:

GW+DHCP 192.168.1.1, eth0:192.168.100.1 eth1:192.168.168.1.1
HOST1+DHCP 192.168.1.100, eth0:192.168.1.100 eth1:192.168.2.1
CLIENT1 192.168.2.100

There is a double NAT here at both GW and HOST1. The DHCP from GW is only towards the eth1 network and subnet. The DHCP from HOST1 is only towards eth1.
In GW there is a masquerade rule which works fine and allows all forwarded packets.

I do not want packets from clients in the CLIENT1 side of the network to get access using the nat to the local network resources but that they will have access to the internet using GW. So basically I want to allow all forwarded traffic from the 192.168.2.0/24 network to be allowed to all networks but not the localnet and the local GW resources.

I am a bit in a conflict in it since the next rules should work or at least should do the trick..:

-A FORWARD -s 192.168.2.0/24 -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p icmp -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -i eth1 -p tcp -m multiport --dports 53,443,80,21,22,23,110,25,143,995,993,3128,8080 -j ACCEPT
-A FORWARD ! -i eth1 -m state --state NEW -j DROP
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j DROP

Before I press the "save" button I would like for someone else to take a small look at it.

...