Hello,
On CentOS 6.5 x86_64 I have (/etc/sysconfig/iptables):
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 10.10.10.0/24 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.10.10.0/24 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Now, I want to forward all http traffic coming in from 10.250.250.0/24, at local port 8080, to 2 particular IP Addresses (port 80). Is it enough to prepend (to the above) the following:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination yyy.yyy.yyy.yyy:80
COMMIT
...?
Please advise!
Thanks in advance, Nick
On Tue, Jan 7, 2014 at 12:28 PM, Nikolaos Milas nmilas@noa.gr wrote:
Now, I want to forward all http traffic coming in from 10.250.250.0/24, at local port 8080, to 2 particular IP Addresses (port 80). Is it enough to prepend (to the above) the following:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination yyy.yyy.yyy.yyy:80
COMMIT
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hi Nick, you need to MASQUERADE the packets in the POSTROUTING chain. Something like the following:
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
I'm just not sure about if forwarding the packets to two separate hosts will work. I haven't tried that myself. It'll be good to know if this works for you.
Many thanks -Vipul
On 07.01.2014 at 15:01, Vipul Agarwal vipul@nuttygeeks.com wrote:
On Tue, Jan 7, 2014 at 12:28 PM, Nikolaos Milas nmilas@noa.gr wrote:
Now, I want to forward all http traffic coming in from 10.250.250.0/24, at local port 8080, to 2 particular IP Addresses (port 80). Is it enough to prepend (to the above) the following:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination yyy.yyy.yyy.yyy:80
What is the criterion to distinguish the packets for xxx and yyy?
-- LF
----- "Nikolaos Milas" nmilas@noa.gr wrote:
From: "Nikolaos Milas" nmilas@noa.gr To: centos@centos.org Sent: Tuesday, 7 January 2014 10:28:33 (GMT-0300) Auto-Detected Subject: [CentOS] Forward http traffic
Now, I want to forward all http traffic coming in from 10.250.250.0/24, at local port 8080, to 2 particular IP Addresses (port 80). Is it enough to prepend (to the above) the following:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination yyy.yyy.yyy.yyy:80
COMMIT
Hi Nick,
If you put it that way only xxx will receive packets; to balance between both of them you will need this:
-A PREROUTING -s 10.250.250.0/24 -p tcp -m tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy:80
Hope this helps,
Regards,
Antonio.
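To make Nick's question and Antonio's answer concrete, here is an added example (written for this thread, not code from the thread or from iptables): a small Python model that parses the posted iptables-save text and walks it with netfilter's first-match semantics. It shows two things. First, with two identical DNAT rules in PREROUTING only the first ever fires, so only xxx receives traffic, while the range form gives each connection one address from the range. Second, and independent of that, a packet rewritten by DNAT is routed through the filter table's FORWARD chain, which in the posted ruleset jumps into RH-Firewall-1-INPUT and rejects NEW connections from 10.250.250.0/24, so the forwarded flows need their own ACCEPT. Assumptions: 192.0.2.10 and 192.0.2.11 stand in for xxx/yyy, 10.250.250.1 is the firewall's own address, and the address chosen from a DNAT range is modelled as source address modulo range size, which is not the kernel's algorithm. The model does not cover the reply path: if the targets cannot route replies back to 10.250.250.0/24 (Nick later mentions they are public addresses), a POSTROUTING SNAT or MASQUERADE as Vipul notes, plus net.ipv4.ip_forward=1, is also required on the box.

```python
"""Walk the rules posted in this thread the way netfilter does. Added example, not
code from the thread or from iptables. Assumed: xxx/yyy are 192.0.2.10 and
192.0.2.11, the firewall is 10.250.250.1, the DNAT range pick is a stand-in."""
import ipaddress
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "MASQUERADE"}
OPTS = {"-s", "-d", "-p", "-i", "-j", "--dport", "--state", "--to-destination"}

def parse_save(text):
    """iptables-save text -> {table: {"policy": {chain: p}, "rules": {chain: [rule]}}}."""
    tables, table = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": {}})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
            table["rules"].setdefault(chain, [])
        elif line.startswith("-A"):      # "-m state" / "-m tcp" carry no value we need
            toks = shlex.split(line)
            rule = {t: toks[i + 1] for i, t in enumerate(toks) if t in OPTS}
            table["rules"].setdefault(toks[1], []).append(rule)
    return tables

def matches(rule, pkt):
    """True when every match option present on the rule applies to the packet."""
    return all((
        "-s" not in rule or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["-s"]),
        "-d" not in rule or ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule["-d"]),
        "-p" not in rule or rule["-p"] == pkt["proto"],
        "-i" not in rule or rule["-i"] == pkt["iface"],
        "--dport" not in rule or int(rule["--dport"]) == pkt["dport"],
        "--state" not in rule or pkt["state"] in rule["--state"].split(","),
    ))

def dnat_target(spec, pkt):
    """Resolve --to-destination 'addr[-addr][:port]'. A range gives each connection
    one address in it; source address modulo range size is an assumed stand-in."""
    addr, _, port = spec.partition(":")
    lo, _, hi = addr.partition("-")
    lo_i, hi_i = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))
    pick = lo_i + int(ipaddress.ip_address(pkt["src"])) % (hi_i - lo_i + 1)
    return str(ipaddress.ip_address(pick)), int(port) if port else pkt["dport"]

def walk(table, chain, pkt):
    """First match wins; falling off the end means RETURN (or the built-in policy)."""
    for rule in table["rules"].get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["-j"]
        if target not in TERMINATING:          # jump into a user-defined chain
            verdict = walk(table, target, pkt)
            if verdict is not None:
                return verdict
            continue                           # it returned: resume this chain
        if target == "DNAT":                   # rewrite and stop: a later DNAT rule is dead
            pkt["dst"], pkt["dport"] = dnat_target(rule["--to-destination"], pkt)
        return target

def route(tables, pkt, local_ips=("10.250.250.1",)):
    """nat PREROUTING, then filter INPUT (still addressed to us) or FORWARD (DNAT'd)."""
    pkt = dict(pkt)
    walk(tables.get("nat", {"rules": {}}), "PREROUTING", pkt)
    chain = "INPUT" if pkt["dst"] in local_ips else "FORWARD"
    verdict = walk(tables["filter"], chain, pkt) or tables["filter"]["policy"][chain]
    return verdict, pkt["dst"], pkt["dport"]

NICK_FILTER = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 10.10.10.0/24 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.10.10.0/24 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
DNAT = "-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination "
NAT_HEAD = "*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n"
NAT_TWO_RULES = NAT_HEAD + DNAT + "192.0.2.10:80\n" + DNAT + "192.0.2.11:80\nCOMMIT\n"  # as posted
NAT_RANGE = NAT_HEAD + DNAT + "192.0.2.10-192.0.2.11:80\nCOMMIT\n"                     # range form
# DNAT'd packets traverse FORWARD, where the posted chain rejects NEW from 10.250.250.0/24;
# an ACCEPT for the rewritten flows (assumed target addresses) has to precede the jump.
FIXED_FILTER = NICK_FILTER.replace("-A FORWARD -j", "-A FORWARD -s 10.250.250.0/24 -d 192.0.2.10/31"
                                   " -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT\n-A FORWARD -j")

def demo(nat_text, filter_text, sources):
    """{src: (verdict, final dst, final dport)} for a NEW TCP connection to the box's 8080."""
    tables = parse_save(nat_text + filter_text)
    return {src: route(tables, {"src": src, "dst": "10.250.250.1", "proto": "tcp",
                                "dport": 8080, "state": "NEW", "iface": "eth0"}) for src in sources}
```

Calling demo(NAT_TWO_RULES, NICK_FILTER, [...]) returns REJECT with destination 192.0.2.10 for every client, which is both problems at once: the second DNAT rule is dead, and the posted FORWARD chain rejects the rewritten flow. demo(NAT_RANGE, FIXED_FILTER, [...]) returns ACCEPT with clients split across .10 and .11. Traffic from 10.10.10.0/24 to 8080 is never rewritten, stays on INPUT, and is rejected there as before, which is the check to keep in mind: a DNAT rule only changes where matching packets go, not what the filter table allows.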
On 7/1/2014 6:19 PM, Antonio da Silva Martins Junior wrote:
If you put it that way only xxx will receive packets; to balance between both of them you will need this:
-A PREROUTING -s 10.250.250.0/24 -p tcp -m tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy:80
Thank you,
According to "man iptables", this defines an inclusive *range*. Yet, I don't want a range, but two (or more) distinct ip addresses. How can this be done?
Thanks, Nick
----- "Nikolaos Milas" nmilas@noa.gr wrote:
From: "Nikolaos Milas" nmilas@noa.gr To: "CentOS mailing list" centos@centos.org Sent: Wednesday, 8 January 2014 6:43:16 (GMT-0300) Auto-Detected Subject: Re: [CentOS] Forward http traffic
According to "man iptables", this defines an inclusive *range*. Yet, I don't want a range, but two (or more) distinct ip addresses. How can this be done?
Hmm...
Well, I had only used it with a "range". Maybe you can take a look at a software load-balancer, like haproxy, or use something like nginx. Then forward to the load-balancer instead of to the servers.
Regards,
Antonio.
On 8/1/2014 11:54 AM, Antonio da Silva Martins Junior wrote:
Well, I had only used it with a "range". Maybe you can take a look at a software load-balancer, like haproxy, or use something like nginx. Then forward to the load-balancer instead of to the servers.
Thanks,
Actually, I don't want load balancing; I want incoming http traffic (to port 8080) to be forwarded to *ALL* defined target IP addresses.
...But I still don't know if this is possible with iptables. I hope someone here can provide more info.
I am not sure if haproxy or nginx can be used to simply forward all inbound traffic to a number of public IP Addresses (anywhere on the Internet) at the same time, as this is a very special scenario: it is different both from a forward proxy and from a reverse proxy (with or without load-balancing), which is usually implemented with such software. If, however, it is feasible, I would be interested to know which is the directive for this feature in the respective software (so I can investigate further).
Best regards, Nick
----- "Nikolaos Milas" nmilas@noa.gr wrote:
From: "Nikolaos Milas" nmilas@noa.gr To: "CentOS mailing list" centos@centos.org Sent: Wednesday, 8 January 2014 11:02:48 (GMT-0300) Auto-Detected Subject: Re: [CentOS] Forward http traffic
Actually, I don't want load balancing; I want incoming http traffic (to port 8080) to be forwarded to *ALL* defined target IP addresses.
Well,
Maybe you can explain more of what you want. If you forward this to *ALL* servers, all will answer the request, and then from which server will you send the answer to the client? If the software uses some session control, how will it be done? Each server can create a unique session control.
Sorry, but I didn't understand what you are trying to do :D
Antonio.
----- "Nikolaos Milas" nmilas@noa.gr wrote:
From: "Nikolaos Milas" nmilas@noa.gr To: "CentOS mailing list" centos@centos.org Sent: Wednesday, 8 January 2014 11:02:48 (GMT-0300) Auto-Detected Subject: Re: [CentOS] Forward http traffic
Actually, I don't want load balancing; I want incoming http traffic (to port 8080) to be forwarded to *ALL* defined target IP addresses.
What is the goal (other than forward 1 request to 2 servers)? It would kinda be a mess, since each server would reply to the request(s). Are you trying to have a pair of web servers sync'd up identically for disaster / redundancy purposes?
======
If life gives you lemons, keep them-- because hey.. free lemons.
"~heart~ Sticker" fixer: http://microflush.org/stuff/stickers/heartFix.html
On Wed, Jan 8, 2014 at 11:50 AM, Joseph Spenner joseph85750@yahoo.com wrote:
Actually, I don't want load balancing; I want incoming http traffic (to port 8080) to be forwarded to *ALL* defined target IP addresses.
What is the goal (other than forward 1 request to 2 servers)? It would kinda be a mess, since each server would reply to the request(s). Are you trying to have a pair of web servers sync'd up identically for disaster / redundancy purposes?
The concept doesn't even make sense for TCP connections where the stack requires acks and sequencing. Are you trying to bridge to a capture device or something?
On 8/1/2014 8:28 PM, Les Mikesell wrote:
The concept doesn't even make sense for TCP connections where the stack requires acks and sequencing. Are you trying to bridge to a capture device or something?
Thank you all for your enlightening feedback, which helped me better understand my situation.
I can see that in fact I can do with a forward proxy (and not use iptables at all).
The goal is to transfer data from a data capture device (which incorporates a web server) lying on a private subnet (without NAT) to various destinations. I now understand that forwarding identical traffic using iptables to such destinations (even if it was possible) would not be the right way. The device can be instructed to send data via http to whatever destinations via a "local" http forward proxy (which has a public IP address but can be accessed from the private subnet).
Case closed.
Thank you all again, Nick
From: Nikolaos Milas nmilas@noa.gr
Actually, I don't want load balancing; I want incoming http traffic (to port 8080) to be forwarded to *ALL* defined target IP addresses.
Could you describe the traffic exchange you expect...?
1. http request to 8080.
2. request is forwarded to n servers on 80.
3. n servers give n answers to the firewall/proxy.
4. 1 request and n answers...?
JD
On 2014-01-08 8:02 AM, Nikolaos Milas wrote:
Actually, I don't want load balancing; I want incoming http traffic (to port 8080) to be forwarded to *ALL* defined target IP addresses.
Sometimes the correct answer is, "you can't do that." :)
You can talk TO port 80 on all the defined target IP addresses, but not FROM port 8080 on a single IP address.
You could define a different outside port to forward to port 80 on each internal IP address, though. e.g.
forward 8081 to 80 on machine1
forward 8082 to 80 on machine2
forward 8083 to 80 on machine3
forward 8084 to 80 on machine4
forward 8085 to 80 on machine5
et cetera
On 01/08/2014 11:32 AM, Darr247 wrote:
Sometimes the correct answer is, "you can't do that." :)
You can talk TO port 80 on all the defined target IP addresses, but not FROM port 8080 on a single IP address.
Please explain how you do that with iptables. Thanks.
On 1/8/2014 5:02 AM, Nikolaos Milas wrote:
Actually, I don't want load balancing; I want incoming http traffic (to port 8080) to be forwarded to*ALL* defined target IP addresses.
that doesn't make any sense.
a SYN packet comes in, is forwarded to serverA and serverB
both servers reply with an 'ack'.... man, is the client tcp stack going to be confused!
On Wed, 2014-01-08 at 11:23 -0800, John R Pierce wrote:
that doesn't make any sense.
a SYN packet comes in, is forwarded to serverA and serverB
both servers reply with an 'ack'.... man, is the client tcp stack going to be confused!
He didn't say anything about both servers replying, only that he wanted to mirror all port 80 traffic. Maybe he's trying to develop a protocol specific IDS, or maybe he wants to build some sort of OOB transaction log of his HTTP traffic.
On Wed, Jan 8, 2014 at 1:34 PM, Brian Miller centos@fullnote.com wrote:
He didn't say anything about both servers replying, only that he wanted to mirror all port 80 traffic. Maybe he's trying to develop a protocol specific IDS, or maybe he wants to build some sort of OOB transaction log of his HTTP traffic.
But if you are going to do that, you probably wouldn't need (or want) the IP addresses to be modified in the packets - you'd make it work at layer 2 and use a switch with a monitor port (or for lower bandwidth, an old fashioned hub) to fan out copies of the packets.