Forward http traffic to another ip address with iptables

Question

We want to forward all http traffic to another IP address on an Amazon EC2 stock Linux machine (CentOS based). I know how to do this with proxy rules and apache, but I was assuming iptables would be a much faster solution (perhaps not!)

Commands

sudo iptables -P INPUT ACCEPT
sudo iptables -F
sudo iptables -A PREROUTING -t nat -p tcp -i eth0 --dport 80 -j DNAT --to 208.68.208.81:80
sudo iptables -A FORWARD -p tcp -d 208.68.208.81 --dport 80 -j ACCEPT

iptables -t nat -L -v -n

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:208.68.208.81:80

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 11 packets, 820 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 11 packets, 820 bytes)
 pkts bytes target     prot opt in     out     source               destination

iptables -L -v -n

Chain INPUT (policy ACCEPT 202 packets, 15705 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            208.68.208.81       tcp dpt:80

Chain OUTPUT (policy ACCEPT 145 packets, 13747 bytes)
 pkts bytes target     prot opt in     out     source               destination

http://208.68.208.81 into a web browser works, but when I try the ip address of the EC2 machine with this config I get a timeout. I do see some packets show up with watch -d iptables -t nat -L -v -n

Help!

Update: added -i eth0 to PREROUTING rule

Can you reach `208.68.208.81` from the EC2 machine using something like curl/wget/lynx? — Zoredache, May 02 '12 at 20:02
Thanks for the tip, I did not think to test this, however `wget http://208.68.208.81` works as expected — Lightbeard, May 02 '12 at 21:21
Can you provide the output of: `iptables-save`, `ip addr sh`, `ip route sh` — pepoluan, Jan 22 '15 at 10:06

Peter Green · Accepted Answer · 2016-08-08T18:32:45.773

There are three potential problems I see (contary to the other answer I don't see anything that would cause a "loop" even in the unedited version of your question).

IP forwarding must be enabled.
After being natted and placed back on the network the packet may fall victim to source address filtering as it looks very much like a spoofed packet.
Responses to packets that go through a NAT must go through the same NAT so the reverse translation can be performed. Otherwise the client will get a response with the wrong source IP/port which it is likely to drop (if it has not already been dropped by reverse path filtering).

You can work arround points 2 and 3 by using a SNAT or MASQURADE rule in addition to the DNAT but if you do that then you lose the original source IP of the traffic. That will make abuse control very difficult.

Another soloution to points 2 and 3 would be to set up a VPN between the two servers. Then use DNAT to forward traffic over the VPN and source IP based routing to bring the replies back to the NAT.

Falcon Momot · Answer 2 · 2012-05-02T23:15:52.590

1

You have created a loop. Make sure you add the in interface to the PREROUTING rule (eg. -i eth1 or whatever).

You may also need a rule like this:

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

  45M 3723M MASQUERADE  all  --  *     WAN_IF  0.0.0.0/0            0.0.0.0/0

Otherwise the packets will go directly from the machine they were forwarded to back to the client, I think, which will not be expecting them from that host.

edited May 02 '12 at 23:15

answered May 02 '12 at 20:07

Falcon Momot

24,975
13
61
92

I added `-i eth0` and updated all the listings in my post, it didn't seem to help however – Lightbeard May 02 '12 at 21:25
is the machine configured to forward packets in `/proc/sys/net/ipv4/conf/all/forwarding`? You can also replace all with an interface name, but it has to contain 1 for the unit to actually forward anything. Also, can you reach 208.68.208.81 directly from the internet? If not, you may also need an SNAT rule to actually do NAT. For what you have now, the request goes through the firewall+NAT, but the reply goes back direct (well, addressed to the client, anyway). – Falcon Momot May 02 '12 at 23:08
Added one more thing to the answer based on my setup which does a similar thing (redirects botnet attacks to a honeypot). – Falcon Momot May 02 '12 at 23:16
On what do you base the claim that he is creating a loop. – Peter Green Aug 08 '16 at 17:43

score 1 · Answer 3 · answered May 02 '12 at 21:47

1

You may use rinetd to simply forward your ip traffic.

answered May 02 '12 at 21:47

zfou

183
1
5

Forward http traffic to another ip address with iptables

3 Answers3

Linked