
keola27

@comcast.net

[Servers] Iptables prerouting questions

Our network layout is pretty simple.

We use a system called Netequalizer to keep everyone playing fair on our business network. All the desktop systems are assigned a static IP address, and we wish to redirect troubled customers to an Apache server where we grab the IP address, do a MySQL lookup and display the message.

I thought this would be pretty simple, as the employees can already see the Apache server. I added this rule into the iptables of Netequalizer:
iptables -t nat -A PREROUTING -s 192.168.10.55 -p tcp --dport 80 -j DNAT --to 192.168.10.2:80

192.168.10.2 is the Apache server.
192.168.10.55 is the employee that needs to receive a notification.

However, it only seems to block the port 80 traffic rather than redirect it to the Apache server.
I am not great at networking so forgive me if this is a basic question.

I have IP forwarding enabled (1) on the equalizer. We have all the options set to policy ACCEPT. I have set up this box as a simple bridge, nothing fancy here.

I have root access and can run any commands. I have been working on this for 3 days and really appreciate any help anyone can provide!

cramer
Premium
join:2007-04-10
Raleigh, NC
You are trying to REDIRECT traffic into the same network. That's simply not going to work. (You cannot NAT 192.168.10 into 192.168.10.) The Apache server has to be in a different network, on a different interface. Or use the REDIRECT target instead of NAT -- see also: setting up a squid proxy.

(Note: even if you get the traffic going where you want, Apache has to be set up to handle the "non-local" URL -- i.e. the _default_ vhost.)


keola27

@comcast.net
Sorry, I forgot to add that Netequalizer is set up on 192.168.10.5; this is the system with the rule iptables -t nat -A PREROUTING -s 192.168.10.55 -p tcp --dport 80 -j DNAT --to 192.168.10.2:80

The Apache server 192.168.10.2 is a whole different system.


clarknova

join:2010-02-23
Grande Prairie, AB
Yes, but cramer's point stands. Does the client have to cross the bridge to talk to the server? If not, then your rule will never see the packet. If so, then you want to REDIRECT, not NAT.

NAT is for routers, not bridges.
--
db
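The replies turn on two questions: does the client's port 80 traffic actually cross the bridge box, and is the intended target the box itself (REDIRECT) or a host on another network reached through it (DNAT), rather than a host on the same 192.168.10.0/24 segment. The following POSIX sh script is an added example, not code from the thread or from the Netequalizer product; it classifies a planned interception rule from the client, target and box addresses, emits the rule form that fits, and checks the bridge-nf-call-iptables sysctl that decides whether iptables sees bridged frames at all. The /24 prefix and the function names are assumptions made for the example; the addresses are the ones from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): classify a planned port-80 interception
# rule for an in-path Linux bridge and print the iptables form that fits.

# Dotted-quad IPv4 address -> integer (POSIX sh, no bash-only features).
ip_to_int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length (e.g. 24) -> netmask as an integer.
prefix_to_mask() {
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# same_subnet ADDR1 ADDR2 PREFIXLEN -> prints "yes" or "no".
same_subnet() {
  a=$(ip_to_int "$1"); b=$(ip_to_int "$2"); m=$(prefix_to_mask "$3")
  if [ $(( a & m )) -eq $(( b & m )) ]; then echo yes; else echo no; fi
}

# choose_rule CLIENT TARGET BOXIP PREFIXLEN -> prints one line:
#   REDIRECT rule when the web server runs on the bridge box itself,
#   DNAT rule when the target sits on a different network behind the box,
#   UNSUPPORTED when client and target share the segment (the thread's case).
choose_rule() {
  client=$1; target=$2; box=$3; plen=$4
  if [ "$target" = "$box" ]; then
    echo "iptables -t nat -A PREROUTING -s $client -p tcp --dport 80 -j REDIRECT --to-ports 80"
  elif [ "$(same_subnet "$client" "$target" "$plen")" = yes ]; then
    echo "UNSUPPORTED: $client and $target share the same /$plen network; DNAT on an in-path bridge will not redirect this traffic"
  else
    echo "iptables -t nat -A PREROUTING -s $client -p tcp --dport 80 -j DNAT --to-destination $target:80"
  fi
}

# Bridged frames only reach the iptables nat table when br_netfilter is
# loaded and bridge-nf-call-iptables is 1; report the current state.
bridge_nf_state() {
  f=/proc/sys/net/bridge/bridge-nf-call-iptables
  if [ -r "$f" ]; then echo "bridge-nf-call-iptables=$(cat "$f")"; else echo "br_netfilter not loaded (no $f)"; fi
}

# Walk through the three topologies with the thread's addresses.
echo "target is the bridge box:      $(choose_rule 192.168.10.55 192.168.10.5 192.168.10.5 24)"
echo "target on the same segment:    $(choose_rule 192.168.10.55 192.168.10.2 192.168.10.5 24)"
echo "target behind box, other net:  $(choose_rule 192.168.10.55 10.0.0.2 192.168.10.5 24)"
echo "bridge netfilter: $(bridge_nf_state)"
```

Run it as a normal user; it prints rules and never calls iptables itself, so it is safe to try on a workstation before touching the bridge. The REDIRECT form assumes the notification page is served by Apache on the bridge box (a local listener on port 80), which is what the replies recommend; the cramer note about a catch-all default vhost still applies, since the Host header the browser sends will name the original site.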