http request via iptables --to-destination ip redirect results in no response
Posted by Wouter Vegter on Server Fault
Published on 2011-02-11T16:26:03Z
I have two Ubuntu servers, each with its own IP address.
Let's call them server1 and server2, with IP addresses 1.1.1.1 and 2.2.2.2 respectively.
I have nginx running on server2. The sole purpose I want server1 to have is to redirect all incoming HTTP (so port 80) requests to server2 without clients noticing that their request is being redirected.
I tried the following command on server1:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 2.2.2.2
But when I enter 1.1.1.1 in my browser I get no response: the page keeps trying to load without giving any message or error message (I get a time-out after 2-3 minutes).
But when I remove the above iptables rule I immediately do get a "page not found" error when I enter 1.1.1.1 in my browser; so something is working, but not as it should: when I enter 1.1.1.1 I want the HTML page that is hosted on 2.2.2.2 to load.
Because when I enter 2.2.2.2 in my browser I do see the web page loaded.
Could anyone please help me with this? I have been searching for quite some time (on Server Fault & Google) on this now, so that's why I ask.
Many thanks for reading my question!
Update: Thank you all for your information. Unfortunately I still get no response.
I have the following iptables configuration:
root@ip-10-48-238-216:/home/ubuntu# sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@ip-10-48-238-216:/home/ubuntu# sudo iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:www to:2.2.2.2

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
When I run tcpdump and make a request via Chrome to 1.1.1.1, I get the following:
root@ip-10-48-238-216:/home/ubuntu# sudo tcpdump -i eth0 port 80 -vv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
13:56:18.346625 IP (tos 0x0, ttl 52, id 12055, offset 0, flags [DF], proto TCP (6), length 60)
212-123-161-112.ip.telfort.nl.16386 > ip-10-48-238-216.eu-west-1.compute.internal.www: Flags [S], cksum 0xb398 (correct), seq 2639758575, win 5840, options [mss 1460,sackOK,TS val 1223672 ecr 0,nop,wscale 6], length 0
13:56:18.346662 IP (tos 0x0, ttl 51, id 12055, offset 0, flags [DF], proto TCP (6), length 60)
212-123-161-112.ip.telfort.nl.16386 > ww1dc1.shopreme.com.www: Flags [S], cksum 0x9ee0 (correct), seq 2639758575, win 5840, options [mss 1460,sackOK,TS val 1223672 ecr 0,nop,wscale 6], length 0
13:56:18.598747 IP (tos 0x0, ttl 52, id 10138, offset 0, flags [DF], proto TCP (6), length 60)
212-123-161-112.ip.telfort.nl.16387 > ip-10-48-238-216.eu-west-1.compute.internal.www: Flags [S], cksum 0xac40 (correct), seq 2645658541, win 5840, options [mss 1460,sackOK,TS val 1223735 ecr 0,nop,wscale 6], length 0
13:56:18.598777 IP (tos 0x0, ttl 51, id 10138, offset 0, flags [DF], proto TCP (6), length 60)
212-123-161-112.ip.telfort.nl.16387 > ww1dc1.shopreme.com.www: Flags [S], cksum 0x9788 (correct), seq 2645658541, win 5840, options [mss 1460,sackOK,TS val 1223735 ecr 0,nop,wscale 6], length 0
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
The mentioned addresses relate to the following:
212-123-161-112.ip.telfort.nl.16386: my personal computer
ww1dc1.shopreme.com.www: DNS name of server2 (2.2.2.2)
ip-10-48-238-216.eu-west-1.compute.internal.www: Amazon Web Services EC2 internal address of server1 (1.1.1.1)
However, the tcpdump log on server2 (2.2.2.2) stays empty and I get no response back in my browser.
I am able to ping from server1 to server2.
And net.ipv4.ip_forward is set to 1, and so is /proc/sys/net/ipv4/ip_forward.
Could there be anything else that is missing?
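An added example (mine, not the asker's post or an answer from the thread) that reads the tcpdump -vv capture above and makes its two findings explicit: each client SYN appears twice with the same IP id and TCP sequence number but a different destination and a TTL one lower (the packet before and after the PREROUTING DNAT rewrite), and no SYN-ACK ever crosses server1 in the reverse direction, so the client's handshake can never complete. SAMPLE is a constructed copy of the four captured packets trimmed to the fields the parser reads; the regexes assume tcpdump -vv's two-line-per-packet layout, and the script works on any such capture.

```python
import re
from collections import defaultdict

# Constructed sample: the four packets from the tcpdump -vv capture in the
# question, trimmed to the fields this parser reads (cksum/win/options dropped).
SAMPLE = """\
13:56:18.346625 IP (tos 0x0, ttl 52, id 12055, offset 0, flags [DF], proto TCP (6), length 60)
    212-123-161-112.ip.telfort.nl.16386 > ip-10-48-238-216.eu-west-1.compute.internal.www: Flags [S], seq 2639758575, length 0
13:56:18.346662 IP (tos 0x0, ttl 51, id 12055, offset 0, flags [DF], proto TCP (6), length 60)
    212-123-161-112.ip.telfort.nl.16386 > ww1dc1.shopreme.com.www: Flags [S], seq 2639758575, length 0
13:56:18.598747 IP (tos 0x0, ttl 52, id 10138, offset 0, flags [DF], proto TCP (6), length 60)
    212-123-161-112.ip.telfort.nl.16387 > ip-10-48-238-216.eu-west-1.compute.internal.www: Flags [S], seq 2645658541, length 0
13:56:18.598777 IP (tos 0x0, ttl 51, id 10138, offset 0, flags [DF], proto TCP (6), length 60)
    212-123-161-112.ip.telfort.nl.16387 > ww1dc1.shopreme.com.www: Flags [S], seq 2645658541, length 0
"""

HDR = re.compile(r"^(\S+) IP \(.*?\bttl (\d+), id (\d+),")
TCP = re.compile(r"^\s*(\S+) > (\S+): Flags \[([^\]]*)\],.*?\bseq (\d+)")

def parse_packets(text):
    """Pair each tcpdump -vv IP header line with the TCP detail line below it."""
    lines, pkts = text.splitlines(), []
    for hdr, detail in zip(lines, lines[1:]):
        h, t = HDR.match(hdr), TCP.match(detail)
        if h and t:
            pkts.append(dict(ts=h[1], ttl=int(h[2]), id=int(h[3]), src=t[1],
                             dst=t[2], flags=t[3], seq=int(t[4])))
    return pkts

def analyze(text):
    """Report DNAT rewrites and SYN flows that never received a SYN-ACK."""
    pkts = parse_packets(text)
    # The same datagram seen twice (same IP id and TCP seq) with a different
    # destination is the packet before and after the DNAT rewrite; the TTL
    # dropping by one confirms server1 forwarded rather than consumed it.
    by_key = defaultdict(list)
    for p in pkts:
        by_key[(p["id"], p["seq"])].append(p)
    rewrites = [(a["src"], a["dst"], b["dst"], a["ttl"] - b["ttl"])
                for a, b in (v for v in by_key.values() if len(v) == 2)
                if a["dst"] != b["dst"]]
    # A SYN counts as answered only if a SYN-ACK ([S.]) for the reverse
    # direction also crossed this interface.
    synacks = {(p["dst"], p["src"]) for p in pkts if p["flags"] == "S."}
    unanswered = sorted({(p["src"], p["dst"]) for p in pkts
                         if p["flags"] == "S" and (p["src"], p["dst"]) not in synacks})
    return {"dnat_rewrites": rewrites, "unanswered_syns": unanswered}
```

Run `analyze(open("capture.txt").read())` on a real capture: an empty `dnat_rewrites` list means the rule is not matching, while rewrites with every flow still in `unanswered_syns` means the rewrite works but server2's replies are not coming back through server1.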