[ale] iptables redirect

Pat Regan thehead at patshead.com
Sun Nov 23 21:08:59 EST 2008


With the rules you are using the source address isn't going to change.
This works fine when you do port forwarding on a gateway but won't work
if you're trying to flip packets from one network to another.  The
problem is that the client thinks it is talking to one address but it
receives packets back from a different address.

Whenever I need to do this I've always used a program called redir.
Debian's apt says this is the website:

http://sammy.net/~sammy/hacks/

If you use redir the client will believe it is talking to the machine
redir is running on, and the destination server will think it is talking
to the machine redir is running on.  I bet there is a way to accomplish
the same with just iptables, but I've just always reached for redir
since the old ipchains days.

Pat

Christoper Fowler wrote:
> I've moved a server to a new colo and I want to redirect services from
> the first colo to the second until the DNS change takes full effect.
> 
> Here is what I've done.
> 
> [root at demo tomcat]# ifconfig eth0:2 209.168.246.236
> [root at demo tomcat]# iptables -t nat -A PREROUTING -d 209.168.246.236/32  
> -i eth0 -p tcp --dport 5000 -j DNAT --to-destination 65.254.217.214:5000
> 
> 
> [root at demo tomcat]# iptables -L -n -t nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination        
> REDIRECT   tcp  --  0.0.0.0/0            209.168.246.234     tcp dpt:80 
> redir ports 5000
> DNAT       tcp  --  0.0.0.0/0            209.168.246.236     tcp 
> dpt:5000 to:65.254.217.214:5000
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination        
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> It is not working.  If I telnet 209.168.246.236 5000 from my desktop
> it seems to never connect.  Just times out.  Can someone tell me
> what I did wrong?
> 
> Thanks,
> Chris
> 
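The iptables-only version Pat suspects exists is a second NAT rule in POSTROUTING. Chris's DNAT rule rewrites the destination on the way in, but nothing rewrites the source, so the server at the new colo answers the client directly from 65.254.217.214; the client is waiting on 209.168.246.236, discards the reply, and the connection hangs. Adding MASQUERADE (or SNAT) on the way out makes the old-colo host the visible peer for both sides, which is exactly what redir does in user space. The script below is an added example, not part of either message; it reuses the addresses from Chris's post and assumes the old-colo host is a Linux box with iptables and forwarding enabled via sysctl. Setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT plus MASQUERADE so reply
# traffic leaves through the forwarding host and the client sees one
# consistent peer address. Addresses are the ones in Chris's message.
OLD_IP="209.168.246.236"   # address clients still resolve to (old colo)
NEW_IP="65.254.217.214"    # server at the new colo
PORT="5000"

# Set DRY_RUN=1 to print the commands instead of executing them.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

forward_service() {
    # 1. The kernel must forward packets that are not addressed to itself.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Rewrite the destination on the way in (the rule Chris already had).
    run iptables -t nat -A PREROUTING -d "$OLD_IP/32" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$NEW_IP:$PORT"
    # 3. Rewrite the source on the way out. Without this the new server
    #    replies straight to the client from NEW_IP, and the client, which
    #    sent to OLD_IP, drops the reply: the telnet just times out.
    run iptables -t nat -A POSTROUTING -d "$NEW_IP" -p tcp --dport "$PORT" \
        -j MASQUERADE
    # 4. Let the rewritten packets through the FORWARD chain in both directions.
    run iptables -A FORWARD -p tcp -d "$NEW_IP" --dport "$PORT" -j ACCEPT
    run iptables -A FORWARD -p tcp -s "$NEW_IP" --sport "$PORT" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Verification: per-rule packet counters and the forwarding flag. The DNAT
# and MASQUERADE counters should both climb while a client is connected.
show_state() {
    run iptables -t nat -L -n -v
    run cat /proc/sys/net/ipv4/ip_forward
}

# Usage: ./forward_service.sh apply   (or DRY_RUN=1 ./forward_service.sh apply)
if [ "$1" = "apply" ]; then
    forward_service
    show_state
fi
```

The trade-off is the same one Pat describes for redir: the server at the new colo now sees every connection coming from the old-colo host, so its access logs lose the real client address until the DNS change finishes propagating.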

