
Re: [iptables] Forward http



Mark wrote:

Joe wrote:
Mark wrote:

Hello,

I just installed a new Debian lenny server and now I am trying to
forward all HTTP requests from my old Debian etch installation to the new
one. The statement I used was the following:

iptables -t nat -A PREROUTING -p tcp --dport http -j DNAT \
--to-destination <ip>:80

iptables -t nat -L gives the following:

target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:www
to:<ip>:80

I'm not getting redirected when I try to access the server via a
web browser.

Do you also have the appropriate forwarding rule? My understanding is
that after PREROUTING, a packet is submitted to the appropriate main
path, in this case, the FORWARD one.

Otherwise, the rule seems structurally similar to one of mine forwarding
ssh, apart from mine also filtering by input interface and destination
IP address to avoid ambiguity. The important bits are the same.

If all else fails, stick in a few logging rules in appropriate places, a
bit like 'print' statements while debugging programs.

Thank you for the answer.
Do you have a sample?

Here are the relevant couple of fragments. There's more filtering than you would need as this is to forward to a LAN ssh server which is addressed on a non-standard port, another ssh server runs on the firewall itself, and I use outbound ssh to various destinations. This wouldn't apply to your situation. Note that the forwarding rule uses the IP address and port as already rewritten by the PREROUTING rule.

.
SSHsrv=$LANNet"101"
SSHin2="xxxxx"
.
iptables -N fwd-in-OK
iptables -A fwd-in-OK -p tcp --dport 22 -d $SSHsrv -j LOG --log-level debug --log-prefix "SSH internal accepted:"
iptables -A fwd-in-OK -p tcp --dport 22 -d $SSHsrv -j ACCEPT
.
.
.
.
# Accept outbound forwarded packets as listed in fwd-out-OK
iptables -A FORWARD -i $LanIF -j fwd-out-OK
# Accept inbound forwarded packets as listed in fwd-in-OK
iptables -A FORWARD -i $InetIF -j fwd-in-OK
.
.
iptables -t nat -A PREROUTING -p tcp -i $InetIF -d $ExtIP --dport $SSHin2 -j DNAT --to-destination $SSHsrv:22
.

--
Joe
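As an added example (not from either poster), the same pattern applied to the original question: HTTP arriving at the old host is DNATed to the new one, the FORWARD chain accepts it using the already-rewritten destination, and conntrack lets the replies back. Interface name and addresses are assumptions. It also adds the SNAT on POSTROUTING that is needed when the new server does not route its replies back through the old host (for example when both sit on the same LAN); without it the new server answers the client directly and the client drops the reply because it never spoke to that address. The script prints the rules so they can be reviewed, and applies them only with `--apply`:

```shell
#!/bin/sh
# Added example, not part of the thread. Forward HTTP that arrives at the
# old host ($OLD_IP on $IN_IF) to the new host ($NEW_IP). Interface and
# addresses below are assumptions; edit them before use.

IN_IF=eth0
OLD_IP=192.0.2.10      # old etch host (assumed)
NEW_IP=192.0.2.20      # new lenny host (assumed)
HTTP_PORT=80
SNAT_REPLIES=yes       # set to "no" if $OLD_IP is the new host's default gateway

# Emit one complete iptables command per line. The FORWARD rules match on
# $NEW_IP, not $OLD_IP, because PREROUTING has already rewritten the
# destination by the time the packet reaches the filter table.
forward_http_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $IN_IF -p tcp -d $OLD_IP --dport $HTTP_PORT -j DNAT --to-destination $NEW_IP:$HTTP_PORT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $IN_IF -p tcp -d $NEW_IP --dport $HTTP_PORT -j LOG --log-level debug --log-prefix "HTTP fwd accepted:"
iptables -A FORWARD -i $IN_IF -p tcp -d $NEW_IP --dport $HTTP_PORT -j ACCEPT
EOF
    # Rewrite the source so the new host replies to $OLD_IP, which then
    # un-NATs both directions via conntrack. Costs you the real client IP
    # in the new host's web logs.
    if [ "$SNAT_REPLIES" = yes ]; then
        echo "iptables -t nat -A POSTROUTING -p tcp -d $NEW_IP --dport $HTTP_PORT -j SNAT --to-source $OLD_IP"
    fi
}

# Number of rules that would be applied (handy for a sanity check).
forward_http_rule_count() {
    forward_http_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    forward_http_rules | sh     # needs root
else
    forward_http_rules
fi
```

Check the result with `iptables -L FORWARD -v -n` and `iptables -t nat -L -v -n` (the `-L` in the question only shows the nat table, so a missing FORWARD rule would never appear there), then watch the kernel log for the `HTTP fwd accepted:` prefix while loading the page.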

