Hi,
I have two servers in the same subnet, one has this arrangement:
BOX A [3 ips, one real two vips]
BOX B [1 ip]
I need to redirect input from one of the vips (192.168.0.1:8080) on BOX A to BOX B (192.168.0.2:8080) and I'm about to pull my hair out. Can anyone lend a hand? All my searching leads me to home-firewall-type arrangements using DNAT. I tried to bend one of those to fit my situation but it was a no go (most likely due to my lack of knowledge with iptables).
Paul Fontenot
Wells Fargo Public Key Infrastructure Team Cryptography Services|IST|EIM|TES|TIG|Wells Fargo Email: ward.p.fontenot@wellsfargo.com Phone: (480) 437-7795
On Thu, 19 Feb 2009 Ward.P.Fontenot@wellsfargo.com wrote:
iptables -t nat -I PREROUTING -d 192.168.0.1 -p tcp --dport 8080 -j DNAT --to 192.168.0.2
I add that and telnet to the port on BOX A and get
Trying 192.168.0.1... telnet: connect to address 192.168.0.1: Connection refused
I can telnet to that port on BOX B and get a successful connection.
On Thu, 19 Feb 2009 Ward.P.Fontenot@wellsfargo.com wrote:
I add that and telnet to the port on BOX A and get
Trying 192.168.0.1... telnet: connect to address 192.168.0.1: Connection refused
I can telnet to that port on BOX B and get a successful connection.
I assume that you are not telnetting from Box A, as that will most likely not work. Are there any additional firewall rules on Box A?
Barry
There are a few on there and I'm telnetting from a different box on that network. I'll dig around some more and eventually figure it out. Thanks for pointing me in the right direction.
Hi.
DNAT is what you would be wanting. As can be seen, DNAT is processed in the PREROUTING chain in the nat table, thus it happens before packets hit the filter table and all you are doing is changing the destination address.
You will still need rules in your forward chain of your filter table (it is still forward even if the packets enter and exit the same network card).
This rule will need to allow the original source to talk to the new destination.
Regards, Andrew.
Hi Ward,
On Thu, Feb 19, 2009 at 20:27, Ward.P.Fontenot@wellsfargo.com wrote:
I add that and telnet to the port on BOX A and get
Trying 192.168.0.1... telnet: connect to address 192.168.0.1: Connection refused
I can telnet to that port on BOX B and get a successful connection.
The problem is that when BOX B responds, it will respond with a 192.168.0.2 source IP, and that will only work if it goes through BOX A again (for the DNAT to do the address translation back to 192.168.0.1).
In short, this will only work if traffic goes back to the source through BOX A.
For instance, this will NOT happen if the host that is connecting to the forwarded port is in the same subnet as hosts BOX A and BOX B.
This will also NOT happen if BOX A is not the default gateway of BOX B, or there is somehow another configuration that routes the return packets through BOX A (like using an SNAT combined with the DNAT to make the connections look like they are coming from BOX A).
What exactly are you trying to accomplish? Port forwarding is only useful when you are trying to do something very specific, namely providing to the Internet a service hosted on a machine that is behind NAT. Other than that, in most cases it creates more problems than it may solve. If you give more details on what your real problem is, maybe we can give you other alternatives on how to tackle it.
HTH, Filipe
Filipe Brandenburger wrote:
A "Connection refused" response indicates that the reply path is working. If there is no response, telnet will just sit and wait, eventually displaying a "Connection timed out" message when the connection times out from the SYN_SENT state (typically about 3 minutes).
On Thu, 2009-02-19 at 18:46 -0600, Ward.P.Fontenot@wellsfargo.com wrote:
Why not keep the vip and move it over to the other box? Heartbeat is perfectly suited to such a task...
-I
On Thu, Feb 19, 2009 at 7:46 PM, Ward.P.Fontenot@wellsfargo.com wrote:
I need to redirect input from one of the vips (192.168.0.1:8080) on BOX A to BOX B (192.168.0.2:8080) and I'm about to pull my hair out.
While I haven't done this before, I believe the answer you're looking for lies in SNAT. It would seem the requirements would be that the traffic needs to wind up at the right destination (NAT would get you that far) but the return traffic must also appear to come from the original VIP, or else the source device would not already think it has an open session with that device. Take a look here:
http://www.linuxtopia.org/Linux_Firewall_iptables/x4658.html
Good luck!
Ward.P.Fontenot@wellsfargo.com wrote:
Try this tutorial; it's long but thorough: http://iptables-tutorial.frozentux.net/iptables-tutorial.html There are several examples that you should be able to craft to fit your needs. First you make a forward chain, and then a prerouting chain with DNAT. Be advised that if you don't have console access you can cut off your access very easily with iptables.
Dan
I've added the following and it still isn't working
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.0.2:8443
iptables -A FORWARD -d 192.168.0.1 -p tcp -m tcp --dport 8443 -j ACCEPT
I've enabled forwarding - not sure if it's needed but it's there just in case.
Ward.P.Fontenot@wellsfargo.com wrote:
I've added the following and it still isn't working
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.0.2:8443
iptables -A FORWARD -d 192.168.0.1 -p tcp -m tcp --dport 8443 -j ACCEPT
I've enabled forwarding - not sure if it's needed but it's there just in case.
Yes, you do need forwarding enabled.
In that second rule, the match address should be 192.168.0.2 since the translation has already been applied. What does the rest of your FILTER chain look like? If the packet matches a REJECT rule prior to reaching your ACCEPT rule, that will be the end of it.
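Putting the thread's pieces together, as an added example that is not code from any of the posters: a POSIX shell script that prints (or, with --apply, installs) the DNAT, FORWARD and SNAT rules for forwarding 192.168.0.1:8080 to 192.168.0.2:8080 from BOX A, plus a check that flags FORWARD rules still written against the VIP instead of the post-DNAT address. The interface name eth0 and the sample "iptables -S FORWARD" listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: the complete rule set for publishing
# VIP:PORT on BOX A while the service runs on BOX B in the same subnet. It puts
# together the points made in the replies:
#   1. DNAT in nat/PREROUTING rewrites the destination (Barry's rule);
#   2. FORWARD must match the post-DNAT address, BOX B, not the VIP;
#   3. same-subnet clients need SNAT on the leg to BOX B so BOX B's replies come
#      back through BOX A, where conntrack undoes both translations (Filipe);
#   4. net.ipv4.ip_forward must be 1.
# Addresses and port are the thread's; the interface name "eth0" is an assumption.
VIP=192.168.0.1
BOXB=192.168.0.2
PORT=8080
IFACE=eth0

# Print the commands for a given VIP, backend, port and interface.
gen_rules() {
    vip=$1; boxb=$2; port=$3; iface=$4
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $iface -d $vip -p tcp --dport $port -j DNAT --to-destination $boxb:$port
iptables -A FORWARD -i $iface -o $iface -d $boxb -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $iface -o $iface -s $boxb -p tcp --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o $iface -d $boxb -p tcp --dport $port -j SNAT --to-source $vip
EOF
}

# Read "iptables -S FORWARD" output on stdin and print every rule that matches
# the VIP as destination on the forwarded port. Such a rule never fires: by the
# time a packet reaches FORWARD it already carries BOX B's address.
find_stale_forward_rules() {
    vip=$1; port=$2
    grep -E -- "^-A FORWARD .*-d $vip(/32)? .*--dport $port " || true
}

# Constructed "iptables -S FORWARD" output reproducing the mistaken -d rule.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -d 192.168.0.2/32 -p tcp -m tcp --dport 8080 -j ACCEPT'

if [ "${1:-}" = "--apply" ]; then          # as root on BOX A
    gen_rules "$VIP" "$BOXB" "$PORT" "$IFACE" | sh
    iptables -S FORWARD | find_stale_forward_rules "$VIP" "$PORT"
else                                       # default: dry run against the sample
    gen_rules "$VIP" "$BOXB" "$PORT" "$IFACE"
    printf '%s\n' "$SAMPLE_FORWARD" | find_stale_forward_rules "$VIP" "$PORT"
fi
```

The rules are appended, so an earlier REJECT or DROP in FORWARD still wins, which is the case the last reply asks about; `iptables -S FORWARD` shows the order that applies.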