I'm stumped.
We have a CentOS 4.4 box with something like the following IPs:
eth0: 64.61.61.100
eth0:0 64.61.61.112
eth1: 10.0.0.100
lo: 127.0.0.1 (of course)
We want requests to 64.61.61.112:80 to be NAT'ed to 127.0.0.1:8080.
This seems like it should be really simple -- maybe the following? -- I've tried variants combining this rule with a POSTROUTING rule, tried dnat, snat, etc. -- but no luck.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp -d 64.61.61.112 --dport 80 -j DNAT --to-destination 127.0.0.1:8080
The box's iptables are rather vanilla -- pretty much the standard "allow ssh, http" in (I added 8080 just to eliminate that as a possibility, too, even though 8080's only listened to on localhost).
What am I missing?
Thanks!
best, Jeff
Jeff Potter wrote:
What am I missing?
Run tcpdump on eth0 and then on lo and do a few tests, look at what happens at the packet level, and you'll probably figure it out in no time.
On Thu May 10 2007 16:14, Jeff Potter wrote:
I'm stumped.
We have a CentOS 4.4 box with something like the following IPs:
eth0: 64.61.61.100
eth0:0 64.61.61.112
eth1: 10.0.0.100
lo: 127.0.0.1 (of course)
We want requests to 64.61.61.112:80 to be NAT'ed to 127.0.0.1:8080.
Look at REDIRECT. That is the command to redirect packets on the box.
Thanks, Florin and Robert, for your suggestions.
I'm still stumped, though.
This rule looks to be the REDIRECT rule that Robert suggests. Unfortunately, as I have it written here, it fails instantly -- telnetting to port 80 causes an instant error.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 127.0.0.1:8080
This gets packets in, but no reply:
iptables -t nat -A PREROUTING -p tcp -d 64.61.61.112 --dport 80 -j DNAT --to-destination 127.0.0.1:8080
Florin, I did try running tcpdump before -- good to hear this was a sound way to debug this; the above "no reply" rule shows the following packet:
19:47:07.707346 IP [my laptop's ip address].39679 > 64.61.61.112.http: S 4212369272:4212369272(0) win 5840 <mss 1460,sackOK,timestamp 1264677320 0,nop,wscale 2>
So, I'm still stumped.
The exact iptables rules are below.
Any other thoughts? There's not something besides /proc/sys/net/ipv4/ip_forward that needs to be twiddled, is there?
best, Jeff
% iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in     out     source     destination
  197 20881 RH-Firewall-1-INPUT  all  --  any    any     anywhere   anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in     out     source     destination
    0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere   anywhere

Chain OUTPUT (policy ACCEPT 139 packets, 36106 bytes)
 pkts bytes target               prot opt in     out     source     destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target   prot        opt in     out     source     destination
    8  1688 ACCEPT   all         --  lo     any     anywhere   anywhere
    1    84 ACCEPT   icmp        --  any    any     anywhere   anywhere      icmp any
    0     0 ACCEPT   ipv6-crypt  --  any    any     anywhere   anywhere
    0     0 ACCEPT   ipv6-auth   --  any    any     anywhere   anywhere
    0     0 ACCEPT   udp         --  any    any     anywhere   224.0.0.251   udp dpt:5353
    0     0 ACCEPT   udp         --  any    any     anywhere   anywhere      udp dpt:ipp
  181 18689 ACCEPT   all         --  any    any     anywhere   anywhere      state RELATED,ESTABLISHED
    2   120 ACCEPT   tcp         --  any    any     anywhere   anywhere      state NEW tcp dpt:ssh
    0     0 ACCEPT   tcp         --  any    any     anywhere   anywhere      state NEW tcp dpt:http
    0     0 ACCEPT   tcp         --  any    any     anywhere   anywhere      state NEW tcp dpt:webcache
    5   300 ACCEPT   tcp         --  eth1   any     anywhere   anywhere      tcp dpt:5666
    0     0 REJECT   all         --  any    any     anywhere   anywhere      reject-with icmp-host-prohibited
-- Jeff Potter http://www.atof.net/go/boston
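A small analyser for the debugging approach Florin recommends and the capture Jeff quotes above: it groups one-line tcpdump output by flow and reports SYNs that never got a SYN/ACK back, which is exactly what a DNAT rule that swallows the reply looks like on the wire. This is an added example, not code from the thread; the capture lines are constructed (192.0.2.10 stands in for the laptop's address).

```python
import re
from collections import Counter

# Constructed sample in the one-line tcpdump format quoted in the thread
# (the client address is a TEST-NET placeholder, not a real host).
# Flow 1: two SYNs to 64.61.61.112:80, never answered -- the symptom Jeff saw.
# Flow 2: SYN to 64.61.61.100:22, answered with a SYN/ACK, then ACKed.
SAMPLE_CAPTURE = """\
19:47:07.707346 IP 192.0.2.10.39679 > 64.61.61.112.http: S 4212369272:4212369272(0) win 5840 <mss 1460,sackOK,timestamp 1264677320 0,nop,wscale 2>
19:47:10.706931 IP 192.0.2.10.39679 > 64.61.61.112.http: S 4212369272:4212369272(0) win 5840 <mss 1460,sackOK,timestamp 1264680320 0,nop,wscale 2>
19:47:12.001000 IP 192.0.2.10.40001 > 64.61.61.100.ssh: S 100:100(0) win 5840 <mss 1460>
19:47:12.001200 IP 64.61.61.100.ssh > 192.0.2.10.40001: S 900:900(0) ack 101 win 5792 <mss 1460>
19:47:12.001400 IP 192.0.2.10.40001 > 64.61.61.100.ssh: . ack 1 win 1460
"""

# "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>"; the host part contains
# dots itself, so the greedy match leaves only the last component as the port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\S+) > (?P<dst>\S+)\.(?P<dport>\S+): "
    r"(?P<flags>\S+)(?P<rest>.*)$"
)


def find_unanswered_syns(capture):
    """Return [(flow, syn_count), ...] for flows whose SYNs got no SYN/ACK.

    flow is (client, client_port, server, server_port). A SYN/ACK is a segment
    carrying the S flag plus an 'ack' field; it travels server -> client, so it
    is keyed on the reversed tuple before the lookup.
    """
    syn_counts = Counter()
    answered = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or "S" not in m["flags"]:
            continue  # not a SYN, or a line in a format this parser does not handle
        if " ack " in m["rest"]:
            answered.add((m["dst"], m["dport"], m["src"], m["sport"]))
        else:
            syn_counts[(m["src"], m["sport"], m["dst"], m["dport"])] += 1
    # A count above 1 means the client retransmitted: nothing ever came back.
    return sorted((flow, n) for flow, n in syn_counts.items() if flow not in answered)


if __name__ == "__main__":
    for (client, cport, server, sport), n in find_unanswered_syns(SAMPLE_CAPTURE):
        print(f"{client}:{cport} -> {server}:{sport}: {n} SYN(s), no SYN/ACK seen")
```

Feed it `tcpdump -n -i eth0 port 80` output on the external interface and the same capture on lo: a flow that shows up as unanswered on eth0 but never appears on lo at all tells you the packet was dropped before it reached the listener.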
Jeff Potter wrote:
Thanks, Florin and Robert, for your suggestions.
I'm still stumped, though.
This rule looks to be the REDIRECT rule that Robert suggests. Unfortunately, as I have it written here, it fails instantly -- telnetting to port 80 causes an instant error.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 127.0.0.1:8080
This gets packets in, but no reply:
iptables -t nat -A PREROUTING -p tcp -d 64.61.61.112 --dport 80 -j DNAT --to-destination 127.0.0.1:8080
IIRC, you need TWO commands to setup a port forward with iptables, one for the incoming like you've specified, and another to handle the response.
classic example is...
iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx \
    --dport 8888 -j DNAT --to 192.168.0.2:80
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT
John R Pierce ha scritto:
Jeff Potter wrote:
Thanks, Florin and Robert, for your suggestions.
I'm still stumped, though.
This rule looks to be the REDIRECT rule that Robert suggests. Unfortunately, as I have it written here, it fails instantly -- telnetting to port 80 causes an instant error.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 127.0.0.1:8080
This gets packets in, but no reply:
iptables -t nat -A PREROUTING -p tcp -d 64.61.61.112 --dport 80 -j DNAT --to-destination 127.0.0.1:8080
IIRC, you need TWO commands to setup a port forward with iptables, one for the incoming like you've specified, and another to handle the response.
classic example is...
iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx \
    --dport 8888 -j DNAT --to 192.168.0.2:80
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT
I ran in similar troubles trying to redirect ports to another host; for me the solution was to use xinetd; I have:
/etc/xinetd.d/pop3proxy
service pop3
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    bind        = 192.168.0.151
    redirect    = 172.19.3.20 110
}
One word of warning: this was working on FC4, but I think it should work on C5 too. Also it is redirected to another host but I think it should work on localhost too.
Lorenzo
On Fri, May 11, 2007 at 10:38:56AM +0200, Lorenzo wrote:
John R Pierce ha scritto:
Jeff Potter wrote:
Thanks, Florin and Robert, for your suggestions.
I'm still stumped, though.
This rule looks to be the REDIRECT rule that Robert suggests. Unfortunately, as I have it written here, it fails instantly -- telnetting to port 80 causes an instant error.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 127.0.0.1:8080
This gets packets in, but no reply:
iptables -t nat -A PREROUTING -p tcp -d 64.61.61.112 --dport 80 -j DNAT --to-destination 127.0.0.1:8080
IIRC, you need TWO commands to setup a port forward with iptables, one for the incoming like you've specified, and another to handle the response.
classic example is...
iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx \
    --dport 8888 -j DNAT --to 192.168.0.2:80
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT
I'm not sure if this will work.
You may need to also SNAT to 127.0.0.0/8 as well to make this work... something like:
iptables -A PREROUTING -t nat -p tcp -m tcp -i eth0 -d 64.61.61.112 \
    --dport 80 -j DNAT --to 127.0.0.1:8080
iptables -A POSTROUTING -t nat -p tcp -m tcp -o lo -d 127.0.0.0 \
    --dport 8080 -j SNAT --to 127.0.0.1
And of course you'd need to make sure your FORWARD rules and such are accepting. Best bet is to just make iptables ACCEPT everything by default (policy) until you have this working. :)
That or create a sub-interface on lo with RFC1918 address space and not within 127.0.0.0/8.
Maybe someone else can confirm or deny that there are special restrictions involving the loopback IP's ?
Ray
On Thu May 10 2007 20:24, Jeff Potter wrote:
This rule looks to be the REDIRECT rule that Robert suggests. Unfortunately, as I have it written here, it fails instantly -- telnetting to port 80 causes an instant error.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 127.0.0.1:8080
The rule should look more like this;
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Have a look at this site
http://iptables.rlworkman.net/chunkyhtml/index.html
and this page;
http://iptables.rlworkman.net/chunkyhtml/x4529.html#TABLE.REDIRECTTARGET
It's a Tutorial for IPTABLES
iptables -t nat -A PREROUTING -p tcp -i eth0:0 --dport 80 -j REDIRECT --to-ports 8080
you can try this rule
Robert Spangler wrote:
On Thu May 10 2007 20:24, Jeff Potter wrote:
This rule looks to be the REDIRECT rule that Robert suggests. Unfortunately, as I have it written here, it fails instantly -- telnetting to port 80 causes an instant error.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 127.0.0.1:8080
The rule should look more like this;
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Have a look at this site
http://iptables.rlworkman.net/chunkyhtml/index.html
and this page;
http://iptables.rlworkman.net/chunkyhtml/x4529.html#TABLE.REDIRECTTARGET
It's a Tutorial for IPTABLES
If you are just trying to redirect HTTP traffic, I wonder if you would find it easier to use an HTTP proxy like squid or pound. It is pretty trivial to set up a transparent non-caching HTTP forwarder with one of those.
Dan
Dan Halbert wrote:
If you are just trying to redirect HTTP traffic, I wonder if you would find it easier to use an HTTP proxy like squid or pound. It is pretty trivial to set up a transparent non-caching HTTP forwarder with one of those.
Dan
Jeff,
Why do you want to redirect the HTTP traffic to the same box?
Bob...
Jeff,
To follow up on my own message: It sounds like you want to run Tomcat on port 80. If you Google this: tomcat "port 80" you'll find some good discussions of the issues and how to do this (including iptables). If you Google: tomcat "port 80" iptables you'll narrow it down a bit.
Dan
Hi List,
Thanks for the continuing flow of good suggestions on the iptables question. I think our client is now willing to side-step the issue (by using pound to load-balance), but I'm still of course curious from a technical perspective.
I'm still curious about how to do this, and even with everyone's very kind suggestions (thank you!), I'm still feeling no closer. At least the client is able to carry on with their work, but I wonder -- what I'm trying to do feels so easy, yet nothing is getting it working, so I'm curious what I'm missing.
Various replies to the many suggestions below.
Feizhou asked: What are you trying to achieve? Transparent proxying? Bob asked: Why do you want to redirect the HTTP traffic to the same box?
So that jboss can be installed under a "vanilla" user account without needing any superuser privileges, and so that the box doesn't have to be configured in any way other than the iptables rule. Running on localhost (or some 10.x.x.x IP) further removes any chance of direct port 8080 access (by some other admin accidentally messing up a firewall rule).
John Pierce suggested: I ran in similar troubles trying to redirect ports to another host; for me the solution was to use xinetd...
This might work for pop, where you're forking off a process for each connection; but in http, I would think that would impose a heavy penalty -- wouldn't this cause the server to start another java process for every http request?
Pitshou suggested trying: iptables -t nat -A PREROUTING -p tcp -i eth0:0 --dport 80 -j REDIRECT --to-ports 8080
iptables spits out an error on this -- maybe virtual interfaces aren't supported? -- and the "to-ports" bit doesn't specify 127.0.0.1, and since nothing is listening on port 8080 except on localhost, well... the packets don't seem to flow. Rewriting this rule to:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-ports 127.0.0.1:8080
causes the packet to flow in, but tcpdump doesn't show any reply packet in the tcp/ip handshake.
Robert suggested: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
This, also, seems to miss getting the packet over to localhost. Twiddling it to "iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 127.0.0.1:8080" yields the same results as above (not surprising, as it's the same rule, sans the interface restriction.)
Dan suggested: If you Google: tomcat "port 80" iptables you'll narrow it down a bit
Thanks! Alas, similar results. I stepped through a number of these suggestions, which amount to things similar to the prerouting/redirect rules, or various combinations of snat/dnat rules.
Ray suggested: You may need to also SNAT to 127.0.0.0/8 as well to make this work... something like:
iptables -A PREROUTING -t nat -p tcp -m tcp -i eth0 -d 64.61.61.112 --dport 80 -j DNAT --to 127.0.0.1:8080
iptables -A POSTROUTING -t nat -p tcp -m tcp -o lo -d 127.0.0.0 --dport 8080 -j SNAT --to 127.0.0.1
[and suggested twiddling of reject rules and checking forward rules]
Alas, same results.
As a sanity check, I've confirmed that on localhost I can telnet 8080 and issue an http request -- which works fine.
What am I missing?
Thanks, everyone! -Jeff
Jeff Potter wrote:
Why do you want to redirect the HTTP traffic to the same box?
So that jboss can be installed under a "vanilla" user account without needing any superuser privileges, and so that the box doesn't have to be configured in any way other than the iptables rule. Running on localhost (or some 10.x.x.x IP) further removes any chance of direct port 8080 access (by some other admin accidentally messing up a firewall rule).
I do it like this where $IP is the interface used by a load balancer front end:
/sbin/iptables -t nat -A PREROUTING -d $IP -p tcp --dport 80 -j REDIRECT --to-ports 8080
/sbin/iptables -t nat -A OUTPUT -d $IP -p tcp --dport 80 -j REDIRECT --to-ports 8080
In my case I do want it to answer directly on port 8080 on the interface too because I have a monitoring program that hits a test page there. In retrospect it probably wasn't even worth limiting the original destination interface because these boxes have several and a setup script has to be run on each new box to figure out the $IP in the command - and it wouldn't have hurt to redirect them all.