Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
I have a VDS running CentOS with two interfaces: eth0 and ham0. eth0 is my WAN interface and has external IP accessible from the Internet, and ham0 is an interface to a small VPN network (Logmein Hamachi).
There are three machines in the VPN network, one of them is a linux box at my home which runs Apache on port 80. This machine is behind ISP's NAT and cannot be seen from outside.
I want to create a rule on my VDS to forward connections to port 8081 coming from the Internet (eth0 interface) to this linux box inside my VPN network. Something like this:
[Internet] ---> [VDS server with public IP] ---> [Apache server inside VPN]
I used the following rules:
iptables -t nat -A PREROUTING -p tcp -d *external_ip* --dport 8081 -j DNAT --to *internal_ip*:80
iptables -A FORWARD -p tcp -d *internal_ip* --dport 80 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp --dst *internal_ip* -j LOG --log-level warning --log-prefix "[REQUEST_FORWARDED]"
But it does not work. I can see a "REQUEST_FORWARDED" message in /var/log/messages, but when I go to the http://my_eternal_ip:8081/ in my browser, it tries to connect to the host for a very long time, and then shows a message that server did not respond.
What can cause this problem?
I guess you need to make sure "/proc/sys/net/ipv4/ip_forward" has been enabled, if not
echo 1 > /proc/sys/net/ipv4/ip_forward
Above command can help you allow IP forwarding.
Hope this helpful to you.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Improve this question
The following is the network topology of the test bed where I use redsocks and iptables to access youtube from LAN, provided that I have a ssh dynamic forwarding established between Linux and VPS:
|
outside | inside firewall
|
| LAN 192.168.1.0/24
| ----+--------------------+-----------
| |.2 | .3
+-----+ | +------+----+ +----+----+
| | | | | | |
Youtube <-->| VPS <============> Linux | | Windows |
| | | | | | |
+-----+ | +-----------+ +---------+
|
|
The Linux box and Windows box are on the same LAN inside the firewall, which blocks any access to say Youtube. The VPS is outside the firewall and it can access Youtube. From within the Linux box I can ssh -D to the VPS, making VPS acts as a SOCKS5 proxy.
To further make the SOCKS5 proxy "transparent" to the processes (e.g., browser) on the Linux box, I did the following:
run a SOCKS5 client software redsocks to talk with the SOCKS5 server, for handling the SOCKS5 protocols.
add some iptable rules, to direct youtube-bound traffic to redsocks process
This works fine for the Linux box itself:
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -F -t nat
/sbin/iptables -t nat -X REDSOCKS
/sbin/iptables -t nat -N REDSOCKS
/sbin/iptables -t nat -A OUTPUT -d $YOUTUBE -j REDSOCKS
/sbin/iptables -t nat -A REDSOCKS -p TCP -d $YOUTUBE -j REDIRECT --to-ports $REDSOCKS_PORT
/sbin/iptables -t nat -A REDSOCKS -p UDP -d $YOUTUBE -j REDIRECT --to-ports $REDSOCKS_PORT
/sbin/iptables -t nat -A REDSOCKS -p ICMP -d $YOUTUBE -j REDIRECT --to-ports $REDSOCKS_PORT
/sbin/iptables -t nat -A REDSOCKS -j RETURN
Now I want let Windows box also to access Youtube "transparently", with some software configuration. My idea is as the following:
Change the routing table on Windows machine such that all Youtube-bound traffic will be routed to the Linux box (192.168.1.2)
Setup iptables "somehow" to do SNAT for the Youtube-bound traffic from Windows
After some tests, I encountered the following problem:
the REDIRECT (or DNAT) target only applicable for PREROUTING/OUTPUT hooks (e.g., in the iptable settings for redsocks, the REDSOCKS chain is hooked on OUTPUT chain)
the SNAT (or MASQUERADE) target only applicable for POSTROUTING hook
What I want to do for the Windows machine is firstly SNAT and then REDIRECT, but as SNAT is happening on POSTROUTING hook, it seems it's too later (in the packet processing flow) to have it to be processed by PREROUTING/OUTPUT hooks...
Is there a way out here?
PS 1. I found a working solution (below in the reply from myself), although I don't really understand why it worked.
PS 2. I started looking into source code of redsocks, one thing I found so far is that redsocks use getsockopt(,SO_ORIGINAL_DST,) to obtain the destination address before DNAT. What's not clear to me is the following processing, and src/dst ip address of the return packet from redsocks. Don't know if there is an introduction about redsocks implementation...
I found a solution which does not require SNAT:
let redsocks listen on 192.168.1.2 instead of 127.0.0.1, by changing /etc/redsocks.conf
change REDIRECT --to-ports 12345 target in all rules in REDSOCKS chain to DNAT --to-destination 192.168.1.2:12345 target
add a rule in PREROUTING chain to handle "youtube-bound traffic from windows" by REDSOCKS chain: /sbin/iptables -t nat -A PREROUTING -d $youtube -s $win10 -j REDSOCKS
add a route entry on Windows to route youtube-bound traffic to 192.168.1.2
With some more learning and tests, I think I know why the new config works, and why the previous config does not work.
The first is the behavior of REDIRECT:
for locally oriented traffic, the new destination ip address after REDIRECT is 127.0.0.1
for external traffic, the new destination ip address after REDIRECT is NOT 127.0.0.1, but 192.168.1.2
That's why the previous config does not work, since in previous config, redsocks listen on 127.0.0.1, but iptables REDIRECTs to 192.168.1.2.
The new config let redsocks listen on 192.168.1.2 and explicitly use DNAT to change destination of both locally generated and external traffic to 192.168.1.2, so it works.
I also tested another config, almost the same as the 2nd config, but letting redsocks listen on 127.0.0.1, and use DNAT explicitly set destination ip to 127.0.0.1. This way, externally generated traffic will be directly to 127.0.0.1, which are regarded as martian packets by kernel. I also need to set /proc/sys/net/ipv4/conf/eth0/route_localnet to 1, then it works for windows machine.
At this point, to me, it seems every piece of information fit together :)
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Improve this question
I am running Play Framework on Linux and at the moment the URL is
http://www.example.net:9999
How do I change it to
http://www.example.net
I also want to run a ssh port
http://www.example.net:9443
Is this a linux configuration or is it on the web server?
If its linux any relevant links would be helpful.
UPDATE
Following biesiors answer below I realised that by default if you set the port to 443 for ssh then you automatically get the url
https://www.example.net
which is equivalent to
https://www.example.net:443
This however still didn't work on my ec2 instance. Following some investigation and trial and error I found that if I started my web server with root then this port was available and worked. So now I just need to figure out the permissions.
So the answer is
You need to be root (superuser) to bind to ports under 1024. That's why 9443 works, but 443 doesn't
So my question still stands at how do I run with port 9443 but have the url below and is it ok to run the webserver as root, it doesn't seem right
https://www.example.net
EDIT 2:
So the answer is that you need to remap the ports in the the IP tables
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 9000
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 9443
Although your question is very wide... I just guess you have two possible solution:
Start your application using port 80 - if it's available
If you have some common web server working on port 80 (and want to keep it) you need to configure it to work as a front-end HTTP server as described in the docs
In order to use the port 9443 instead of the default ssl port 443 for which you need to be a root or super user you will need to remap the ports in the iptables
For playframework the default port is 9000 and not 80 or 8080 so you need to remap that
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 9000
For the ssl port you need to map from 443 to 9443 so
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 9443
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I want redirect all outgoing traffic with port 8080 to local port 8080
for example i create server with this command nc -l -p 8080 and i want when use this command nc 1.2.3.4 8080 , nc redirect and connect to 127.0.0.1:8080
i try with this command:
iptables -t nat -A POSTROUTING -p tcp --dport 80 -o eth0 -j SNAT --to-source IP
but not worked!
how to do it?
Local originated traffic isn't passing through nat/POSTROUTING chain. You should add rule like this:
iptables -t nat -A OUTPUT -p tcp --dport 8080 -j DNAT --to-destination 127.0.0.1:8080
Additional info:
http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
http://www.linuxtopia.org/Linux_Firewall_iptables/index.html Chapter 4.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
For testing, I need to drop all input connections to postgres db running on port 5432 on localhost. I set an iptables rule :
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 5432 -j DROP
But I am able to do read/write operations to the db. I used dbvisualizer as well as the product to test. What am I missing?
Thanks in advance.
The target DROP will just drop the packet, no further processing or forwarding.
try this:
iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports 5432
I am not sure if this is the right method but rule
iptables -A OUTPUT -p tcp --dport 5432 -j REJECT
worked as expected.
Did your server listen on localhost or ethernet nic network ip address?
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I have multiple IP addresses on the same server and I would like to redirect all outgoing traffic on port 80 to a different IP on the same server just no to use always main IP.
Currently I'm using this:
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source IP;
and it works well, but it redirects everything and when I make backups over SSH backup it's failing.
System: CentOS 5.8 64-bit
This worked:
iptables -t nat -A POSTROUTING -p tcp --dport 80 -o eth0 -j SNAT --to-source IP