----- "Nikolaos Milas" nmilas@noa.gr wrote:
From: "Nikolaos Milas" nmilas@noa.gr
To: centos@centos.org
Sent: Tuesday, 7 January 2014 10:28:33 (GMT-0300) Auto-Detected
Subject: [CentOS] Forward http traffic
Hello,
On CentOS 6.5 x86_64 I have (/etc/sysconfig/iptables):
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 10.10.10.0/24 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.10.10.0/24 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Now, I want to forward all http traffic coming in from 10.250.250.0/24, at local port 8080, to 2 particular IP Addresses (port 80). Is it enough to prepend (to the above) the following:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination yyy.yyy.yyy.yyy:80
COMMIT
...?
Please advise!
Thanks in advance, Nick
Hi Nick,
If you put it that way, only xxx will receive packets; to balance between both of them you will need this:
-A PREROUTING -s 10.250.250.0/24 -p tcp -m tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy:80
Hope this helps,
Att.,
Antonio.
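
Added example, not part of the original messages: a complete /etc/sysconfig/iptables that alternates new connections between two backends with the statistic match, which also works when the two addresses are not adjacent (a --to-destination range covers every address from the first to the last). 192.0.2.10 and 192.0.2.20 are constructed stand-ins for xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy, and the two FORWARD rules are an assumption about the intended policy; net.ipv4.ip_forward=1 is also assumed.

```iptables
# Added example. 192.0.2.10 / 192.0.2.20 are constructed placeholders for
# the two backend addresses written as xxx / yyy in the thread.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# DNAT is a terminating target, so the first matching rule wins. The nat
# table only sees the first packet of each connection; "nth --every 2"
# matches every second one, and the rest fall through to the second rule.
-A PREROUTING -s 10.250.250.0/24 -p tcp -m tcp --dport 8080 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.0.2.10:80
-A PREROUTING -s 10.250.250.0/24 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.0.2.20:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
# After DNAT the packets traverse FORWARD with destination port 80. The
# original chain only admits NEW port-80 traffic from 10.10.10.0/24, so the
# translated connections are allowed here, limited to the two backends.
-A FORWARD -s 10.250.250.0/24 -d 192.0.2.10 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -s 10.250.250.0/24 -d 192.0.2.20 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 10.10.10.0/24 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.10.10.0/24 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

Replies reach the clients only if the backends route their return traffic through this host; otherwise a POSTROUTING SNAT or MASQUERADE rule is needed as well. Hit counters from `iptables -t nat -L PREROUTING -v -n` show whether both DNAT rules are being matched.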