http request via iptables --to-destination ip redirect results in no response

Posted by Wouter Vegter on Server Fault
Published on 2011-02-11T16:26:03Z Indexed on 2011/02/12 15:27 UTC


I have two Ubuntu servers with each having their own ip addresses.

Let's call them server1 and server2, having respectively ip 1.1.1.1 and 2.2.2.2

I have nginx running on server2. The sole purpose I want server1 to have is to redirect all incoming http (so port 80) requests to server2 without clients noticing that their request is being redirected.

I tried the following command on server1:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 2.2.2.2

But when I enter 1.1.1.1 in my browser I get no response: the page keeps trying to load without giving any message or error message (I get a time-out after 2-3 mins).

But when I do remove the above iptables rule I immediately do get a "page not found" error when I enter 1.1.1.1 in my browser; so something is working, but not as it should: when I enter 1.1.1.1 I want the html page to load that is hosted on 2.2.2.2.

Because when I enter 2.2.2.2 in my browser I do see the webpage loaded.

Could anyone please help me with this? I have been searching for quite some time (on Server Fault & Google) on this now, so that's why I ask.

Many thanks for reading my question!

Update: Thank you all for your information. Unfortunately I still get no response.

I have the following iptables configuration:

root@ip-10-48-238-216:/home/ubuntu# sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@ip-10-48-238-216:/home/ubuntu# sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:2.2.2.2

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

When I run tcpdump and make a request via Chrome to 1.1.1.1 I get the following:

root@ip-10-48-238-216:/home/ubuntu# sudo tcpdump -i eth0 port 80 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:56:18.346625 IP (tos 0x0, ttl 52, id 12055, offset 0, flags [DF], proto TCP (6), length 60)
212-123-161-112.ip.telfort.nl.16386 > ip-10-48-238-216.eu-west-1.compute.internal.www: Flags [S], cksum 0xb398 (correct), seq 2639758575, win 5840, options [mss 1460,sackOK,TS val 1223672 ecr 0,nop,wscale 6], length 0
13:56:18.346662 IP (tos 0x0, ttl 51, id 12055, offset 0, flags [DF], proto TCP (6), length 60)
212-123-161-112.ip.telfort.nl.16386 > ww1dc1.shopreme.com.www: Flags [S], cksum 0x9ee0 (correct), seq 2639758575, win 5840, options [mss 1460,sackOK,TS val 1223672 ecr 0,nop,wscale 6], length 0
13:56:18.598747 IP (tos 0x0, ttl 52, id 10138, offset 0, flags [DF], proto TCP (6), length 60)
212-123-161-112.ip.telfort.nl.16387 > ip-10-48-238-216.eu-west-1.compute.internal.www: Flags [S], cksum 0xac40 (correct), seq 2645658541, win 5840, options [mss 1460,sackOK,TS val 1223735 ecr 0,nop,wscale 6], length 0
13:56:18.598777 IP (tos 0x0, ttl 51, id 10138, offset 0, flags [DF], proto TCP (6), length 60)
212-123-161-112.ip.telfort.nl.16387 > ww1dc1.shopreme.com.www: Flags [S], cksum 0x9788 (correct), seq 2645658541, win 5840, options [mss 1460,sackOK,TS val 1223735 ecr 0,nop,wscale 6], length 0
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel

The mentioned addresses relate to the following:
212-123-161-112.ip.telfort.nl.16386 : my personal computer
ww1dc1.shopreme.com.www : dns of server2 (2.2.2.2)
ip-10-48-238-216.eu-west-1.compute.internal.www : amazon web services ec2 internal address of server1 (1.1.1.1)

However, the tcpdump log on server2 (2.2.2.2) stays empty and I get no response back in my browser.

I am able to ping from server1 to server2.
And net.ipv4.ip_forward is set to 1 and so is /proc/sys/net/ipv4/ip_forward.
Could there be anything else that is missing?
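A complete rule set for the transparent port-80 forwarder described above, as an added example that is not from the post or its answers. It pairs the PREROUTING DNAT with a POSTROUTING MASQUERADE (the nat dump above has none), so that server2's replies travel back through server1 and are un-DNATed by conntrack instead of reaching the client from 2.2.2.2, and it includes a check that flags that gap in an iptables-save dump. It assumes the public interface is eth0 and uses the question's placeholder addresses; the commands are emitted as text rather than executed so the script can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the Server Fault post): full NAT forwarder rule set
# plus a diagnostic for the "DNAT but no SNAT" state shown in the question.
FRONT_IP="1.1.1.1"    # server1, the host that receives the client's request
BACKEND_IP="2.2.2.2"  # server2, where nginx listens
WAN_IF="eth0"         # assumed interface name

# Emit the rules for a transparent port-80 forwarder. The MASQUERADE line is
# the one the question's configuration lacks: without it server2 answers the
# client directly from 2.2.2.2, the client's TCP stack expects 1.1.1.1 and
# discards the reply, and the handshake never completes.
forwarder_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $BACKEND_IP:80
iptables -t nat -A POSTROUTING -o $WAN_IF -p tcp -d $BACKEND_IP --dport 80 -j MASQUERADE
iptables -A FORWARD -i $WAN_IF -o $WAN_IF -p tcp -d $BACKEND_IP --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Read an `iptables-save -t nat` dump on stdin and report whether every DNAT
# is paired with a source rewrite. Returns 0 when the dump is complete, 1 when
# it matches the question's state (DNAT present, no SNAT/MASQUERADE).
check_nat_dump() {
  dump=$(cat)
  # `|| true` keeps grep's "no match" exit status from tripping `set -e`.
  has_dnat=$(printf '%s\n' "$dump" | grep -c -- '-A PREROUTING .* -j DNAT' || true)
  has_snat=$(printf '%s\n' "$dump" | grep -c -E -- '-A POSTROUTING .* -j (SNAT|MASQUERADE)' || true)
  if [ "$has_dnat" -gt 0 ] && [ "$has_snat" -eq 0 ]; then
    echo "DNAT without SNAT/MASQUERADE: replies from $BACKEND_IP bypass $FRONT_IP"
    return 1
  fi
  return 0
}
```

Run `forwarder_rules | sh` as root on server1 once reviewed, and audit an existing host with `iptables-save -t nat | check_nat_dump`. On EC2 the source rewrite matters for a second reason: an instance with the source/destination check enabled cannot emit packets carrying a foreign source address, which is consistent with the forwarded SYNs in the capture above never arriving at server2.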

© Server Fault or respective owner