Forward Http Traffic


Hello,

On CentOS 6.5 x86_64 I have (/etc/sysconfig/iptables):

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 10.10.10.0/24 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.10.10.0/24 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Now, I want to forward all http traffic coming in from 10.250.250.0/24, at local port 8080, to 2 particular IP Addresses (port 80). Is it enough to prepend (to the above) the following:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination yyy.yyy.yyy.yyy:80
COMMIT

…?

Please advise!

Thanks in advance, Nick

16 thoughts on - Forward Http Traffic

  • Hi Nick, you need to MASQUERADE the packets in the POSTROUTING chain. Something like the following:

    $ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    I’m just not sure whether forwarding the packets to two separate hosts will work. I haven’t tried that myself. It’ll be good to know if this works for you.

    Many thanks
    -Vipul

  • On 07.01.2014 at 15:01, Vipul Agarwal wrote:

    What are the criteria to distinguish the packets for xxx and yyy?

  • ----- “Nikolaos Milas” wrote:

    Hi Nick,

    If you put it that way, only xxx will receive packets; to balance between both of them you will need this:

    -A PREROUTING -s 10.250.250.0/24 -p tcp -m tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy:80

    Hope this helps,

    Regards,

    Antonio.


    Antonio da Silva Martins Jr. Support Analyst NPD – Núcleo de Processamento de Dados UEM – Universidade Estadual de Maringá
    email: asmartins@uem.br phone: +55 (44) 3011-4015 / 3011-4411
    inoc-dba: 263076*100

    “Real Programmers don’t need comments — the code is obvious.”


    This message was checked by the antivirus system and is believed to be free of danger.

  • Thank you,

    According to “man iptables”, this defines an inclusive *range*. Yet, I don’t want a range, but two (or more) distinct IP addresses. How can this be done?

    Thanks, Nick

  • ----- “Nikolaos Milas” wrote:

    Hmm…

    Well, I had only used it with a “range”. Maybe you can take a look at a software load balancer, like haproxy, or use something like nginx. Then forward to the load balancer instead of to the servers.

    Regards,

    Antonio.


  • Thanks,

    Actually, I don’t want load balancing; I want incoming http traffic (to port 8080) to be forwarded to *ALL* defined target IP addresses.

    …But I still don’t know if this is possible with iptables. I hope someone here can provide more info.

    I am not sure if haproxy or nginx can be used to simply forward all inbound traffic to a number of public IP addresses (anywhere on the Internet) at the same time, as this is a very special scenario: it is different both from a forward proxy and from a reverse proxy (with or without load balancing), which is what such software usually implements. If, however, it is feasible, I would be interested to know what the directive for this feature is in the respective software (so I can investigate further).

    Best regards, Nick

  • ----- “Nikolaos Milas” wrote:

    Well,

    Maybe you can explain more about what you want. If you forward this to *ALL* servers, all will answer the request, and then from which server will you send the answer to the client? If the software uses some session control, how will it be done? Each server can create a unique session control.

    Sorry, but I didn’t understand what you are trying to do :D

    Antonio.


  • From: Nikolaos Milas

    Could you describe the traffic exchange you expect…?
    1. http request to 8080.
    2. request is forwarded to n servers on 80.
    3. n servers give n answers to the firewall/proxy.
    4. 1 request and n answers…?

    JD

  • Sometimes the correct answer is, “you can’t do that.” :)

    You can talk TO port 80 on all the defined target IP addresses, but not FROM port 8080 on a single IP address.

    You could define a different outside port to forward to port 80 on each internal IP address, though. E.g.:
    forward 8081 to 80 on machine1
    forward 8082 to 80 on machine2
    forward 8083 to 80 on machine3
    forward 8084 to 80 on machine4
    forward 8085 to 80 on machine5
    et cetera
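Taking the per-port mapping suggested above a step further, here is an added example (my own, not code from the thread or from CentOS) that generates the nat and FORWARD rules for a list of outside-port=target pairs and counts DNAT rules whose match duplicates an earlier one, which is what makes the second rule in the original post unreachable. The 10.250.250.0/24 subnet is the poster's; the 192.0.2.x targets and the eth0 outside interface are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. One outside port per target gives every
# DNAT rule a distinct match, so none is shadowed (the two rules in the original
# post share a match and iptables only ever fires the first). The 192.0.2.x
# targets and 'eth0' are assumptions. net.ipv4.ip_forward=1 must also be set.

# gen_nat_rules SRC_NET PORT=TARGET...  -> iptables-restore *nat fragment
gen_nat_rules() {
    src="$1"; shift
    printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    for pair in "$@"; do
        port="${pair%%=*}"; target="${pair#*=}"
        printf '%s\n' "-A PREROUTING -s $src -p tcp -m tcp --dport $port -j DNAT --to-destination $target:80"
    done
    # Replies must come back through this host, hence MASQUERADE in POSTROUTING.
    printf '%s\n' "-A POSTROUTING -s $src -o eth0 -j MASQUERADE" "COMMIT"
}

# gen_forward_rules SRC_NET PORT=TARGET...  -> rules to insert at the top of
# FORWARD. The original ruleset sends FORWARD through RH-Firewall-1-INPUT, which
# only accepts NEW connections from 10.10.10.0/24, so DNATed traffic from the
# client subnet would otherwise hit its final REJECT. Replies are ESTABLISHED
# and already accepted there. FORWARD sees the post-DNAT destination address.
gen_forward_rules() {
    src="$1"; shift
    for pair in "$@"; do
        target="${pair#*=}"
        printf '%s\n' "-I FORWARD -s $src -d $target -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT"
    done
}

# count_shadowed_dnat < rules  -> number of DNAT rules whose match part (the
# text before " -j ") repeats an earlier rule's match, i.e. rules that never fire.
count_shadowed_dnat() {
    awk '/-j DNAT/ { split($0, a, " -j "); if (seen[a[1]]++) n++ } END { print n + 0 }'
}

# Demo with constructed values: print both fragments.
gen_nat_rules 10.250.250.0/24 8081=192.0.2.10 8082=192.0.2.20
gen_forward_rules 10.250.250.0/24 8081=192.0.2.10 8082=192.0.2.20
```

Pipe the *nat fragment (or the original post's nat table) into count_shadowed_dnat to see how many DNAT rules can never match.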

  • ----- “Nikolaos Milas” wrote:

    What is the goal (other than forward 1 request to 2 servers)?
    It would kinda be a mess, since each server would reply to the request(s). Are you trying to have a pair of web servers sync’d up identically for disaster / redundancy purposes?

    ======

     
    If life gives you lemons, keep them– because hey.. free lemons.

    “~heart~ Sticker”  fixer:  http://microflush.org/stuff/stickers/heartFix.html

  • The concept doesn’t even make sense for TCP connections where the stack requires acks and sequencing. Are you trying to bridge to a capture device or something?

  • That doesn’t make any sense.

    A SYN packet comes in and is forwarded to serverA and serverB.

    Both servers reply with an ‘ack’…. Man, is the client TCP stack going to be confused!

  • He didn’t say anything about both servers replying, only that he wanted to mirror all port 80 traffic. Maybe he’s trying to develop a protocol-specific IDS, or maybe he wants to build some sort of OOB transaction log of his HTTP traffic.

  • But if you are going to do that, you probably wouldn’t need (or want) the IP addresses to be modified in the packets – you’d make it work at layer 2 and use a switch with a monitor port (or for lower bandwidth, an old-fashioned hub) to fan out copies of the packets.

  • Thank you all for your enlightening feedback, which helped me better understand my situation.

    I can see that in fact I can do with a forward proxy (and not use iptables at all).

    The goal is to transfer data from a data capture device (which incorporates a web server) lying on a private subnet (without NAT) to various destinations. I now understand that forwarding identical traffic using iptables to such destinations (even if it was possible) would not be the right way. The device can be instructed to send data via http to whatever destinations via a “local” http forward proxy (which has a public IP address but can be accessed from the private subnet).

    Case closed.

    Thank you all again, Nick