I would like to do some NAT in iptables, so that all the packets coming to 192.168.12.87 and port 80 will be forwarded to 192.168.12.77 port 80.
How to do this with iptables? Or any other ways to achieve the same?
These rules should work, assuming that iptables is running on server 192.168.12.87:
#!/bin/sh
# Let the kernel forward packets between interfaces (required for DNAT to another
# host); this sysctl is not persistent across reboots.
echo 1 > /proc/sys/net/ipv4/ip_forward
# Start from empty filter and nat tables (this drops any rules already loaded).
iptables -F
iptables -t nat -F
iptables -X
# Rewrite the destination of incoming port-80 connections to the back-end host.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.12.77:80
# Rewrite the source so the back end replies to this host, which then un-NATs the reply.
iptables -t nat -A POSTROUTING -p tcp -d 192.168.12.77 --dport 80 -j SNAT --to-source 192.168.12.87
You have to DNAT incoming traffic on port 80, but you will also need to SNAT the traffic back.
Alternative (and best approach IMHO):
Depending on what your Web Server is (Apache, NGinx) you should consider an HTTP Proxy on your front-end server (192.168.12.87):
mod_proxy (Apache)
proxy_pass (NGinx)
The reason a seemingly obvious iptables -t nat -A PREROUTING -d 192.168.12.87 -p tcp --dport 80 -j DNAT --to-destination 192.168.12.77 will not work is how the return packets will be routed.
You can set up rules that will cause the packets sent to 192.168.12.87 to simply be NATted to 192.168.12.77, but 192.168.12.77 will then send replies directly back to the client. Those replies will not go through the host where your iptables rule is doing NAT, hence the packets in one direction are translated, but packets in the other direction are not.
There are three approaches to solving this problem.
iptables -t nat -A POSTROUTING -d 192.168.12.77 -p tcp --dport 80 -j SNAT --to-source 192.168.12.87
# As posted; note that iptables only accepts the SNAT target in the nat table's POSTROUTING chain, so it will reject this rule in OUTPUT.
iptables -t nat -A OUTPUT -p tcp --sport 80 -j SNAT --to-source 192.168.12.87
Each of those three solutions has drawbacks, so you need to carefully consider whether you really need to do this particular forwarding.
Of the three approaches I think the first is the one which is most likely to work. So if you don't need to know the client IP addresses, that is the one I would recommend.
You can also choose to forget about NAT altogether and not try to solve the problem at the MAC or IP layer. You can go all the way up to the HTTP layer and look for a solution there. In that case the solution you will find is an HTTP proxy. If you install an HTTP proxy on 192.168.12.87 and configure it appropriately, you can have it forward the requests to 192.168.12.77 and forward the answers back. Additionally it can insert an X-Forwarded-For header preserving the original client IP. The server on 192.168.12.77 then needs to be configured to trust the X-Forwarded-For header from 192.168.12.87.
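Both answers turn on the same point: a PREROUTING DNAT to another host only works if a POSTROUTING SNAT (or MASQUERADE) brings the replies back through the NAT host. The following checker, added here and not part of either answer, reads iptables-save output for the nat table and lists every DNAT target that has no such return-path rule; the sample table is constructed and includes a second, deliberately half-configured forward to 192.168.12.78:443.

```python
import shlex

# Constructed sample in iptables-save format for the nat table on the NAT host
# (192.168.12.87): port 80 has the DNAT/SNAT pair from the answers, while the
# port-443 forward to 192.168.12.78 has DNAT only.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.12.77:80
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.12.78:443
-A POSTROUTING -d 192.168.12.77/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.12.87
COMMIT
"""


def parse_rules(text):
    """Yield (chain, options) for each '-A' line; options maps a flag to its value,
    or to True for flags without one. Negated ('!') matches are not interpreted."""
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        opts, i = {}, 2
        while i < len(tokens):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts[tokens[i]] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        yield tokens[1], opts


def dnat_without_return_nat(text):
    """Return (ip, port) DNAT targets in PREROUTING that no POSTROUTING SNAT or
    MASQUERADE rule covers; replies from those back ends bypass the NAT host."""
    rules = list(parse_rules(text))
    return_nat = [o for c, o in rules
                  if c == "POSTROUTING" and o.get("-j") in ("SNAT", "MASQUERADE")]
    missing = []
    for chain, o in rules:
        if chain != "PREROUTING" or o.get("-j") != "DNAT":
            continue
        ip, _, port = o["--to-destination"].partition(":")
        covered = any(
            r.get("-d", ip).split("/")[0] == ip      # no -d, or -d is this back end
            and r.get("--dport", port) == port       # no --dport, or the same port
            for r in return_nat)
        if not covered:
            missing.append((ip, port))
    return missing
```

On a live host, feed it `iptables-save -t nat` output instead of the sample; an empty result means every forwarded back end has a return-path rule.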