IPtables as a reverse proxy

Server Fault Asked by ie. on November 4, 2021

I’m playing with iptables and trying to do a quite simple task: forward traffic to port 8888 on my Ubuntu to another server located at IP 172.21.16.1 and port 5000.

In my environment I have a Windows workstation. Ubuntu runs under Hyper-V. My Windows workstation has several network interfaces, including one created by Hyper-V, which is assigned the IP address 172.21.16.1. The Ubuntu has the IP 172.21.26.237.

I started a simple web server on the Windows workstation which listens on port 5000 for HTTP requests. If I open the page http://172.21.16.1:5000 in a browser (it does not matter whether on Ubuntu or Windows) I see the expected output.

I checked several articles and it looks like it should be easy and straightforward. I executed the following commands:

sudo iptables -A PREROUTING -t nat -p tcp --dport 8888 -j DNAT --to-destination 172.21.16.1:5000
sudo iptables -A POSTROUTING -t nat -p tcp --dport 8888 -j SNAT --to-source 172.21.26.237

If I open the page http://172.21.26.237:8888/ from my Windows workstation, I get a timeout.

What I’ve checked:

(1) sysctl net.ipv4.ip_forward returns net.ipv4.ip_forward = 1

(2) iptables-save gives the following content:

# Generated by iptables-save v1.8.4 on Sun Jul 19 20:15:37 2020
*filter
:INPUT ACCEPT [1066:122755]
:FORWARD ACCEPT [90:4680]
:OUTPUT ACCEPT [255:18156]
COMMIT
# Completed on Sun Jul 19 20:15:37 2020
# Generated by iptables-save v1.8.4 on Sun Jul 19 20:15:37 2020
*nat
:PREROUTING ACCEPT [233:25903]
:INPUT ACCEPT [198:18944]
:OUTPUT ACCEPT [23:1798]
:POSTROUTING ACCEPT [41:2734]
-A PREROUTING -p tcp -m tcp --dport 8888 -j DNAT --to-destination 172.21.16.1:5000
-A POSTROUTING -p tcp -m tcp --dport 8888 -j SNAT --to-source 172.21.26.237
COMMIT
# Completed on Sun Jul 19 20:15:37 2020

(3) Traces from tcpdump ..... port 8888:

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
22:18:38.078418 IP (tos 0x0, ttl 128, id 35408, offset 0, flags [DF], proto TCP (6), length 52)
    172.21.16.1.63351 > 172.21.26.237.8888: Flags [S], cksum 0xa604 (correct), seq 2988342963, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:18:38.078566 IP (tos 0x0, ttl 128, id 35409, offset 0, flags [DF], proto TCP (6), length 52)
    172.21.16.1.63352 > 172.21.26.237.8888: Flags [S], cksum 0x04c0 (correct), seq 3168343356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:18:38.329143 IP (tos 0x0, ttl 128, id 35410, offset 0, flags [DF], proto TCP (6), length 52)
    172.21.16.1.63353 > 172.21.26.237.8888: Flags [S], cksum 0x58e7 (correct), seq 371877827, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:18:39.084897 IP (tos 0x0, ttl 128, id 35411, offset 0, flags [DF], proto TCP (6), length 52)

(4) Traces from tcpdump ..... port 5000:

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
22:19:34.468908 IP (tos 0x0, ttl 127, id 35424, offset 0, flags [DF], proto TCP (6), length 52)
    172.21.16.1.63367 > 172.21.16.1.5000: Flags [S], cksum 0x09ca (correct), seq 3528594630, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:19:34.468992 IP (tos 0x0, ttl 127, id 35425, offset 0, flags [DF], proto TCP (6), length 52)
    172.21.16.1.63368 > 172.21.16.1.5000: Flags [S], cksum 0x3138 (correct), seq 561028665, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:19:34.729633 IP (tos 0x0, ttl 127, id 35426, offset 0, flags [DF], proto TCP (6), length 52)
    172.21.16.1.63369 > 172.21.16.1.5000: Flags [S], cksum 0xc4c0 (correct), seq 920253766, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:19:35.473332 IP (tos 0x0, ttl 127, id 35428, offset 0, flags [DF], proto TCP (6), length 52)

(5) And here is also the output of curl -v url:8888 executed on Windows:

> curl -v 172.21.26.237:8888
* Rebuilt URL to: 172.21.26.237:8888/
*   Trying 172.21.26.237...
* TCP_NODELAY set
* connect to 172.21.26.237 port 8888 failed: Timed out
* Failed to connect to 172.21.26.237 port 8888: Timed out
* Closing connection 0
curl: (7) Failed to connect to 172.21.26.237 port 8888: Timed out

Unfortunately, I still have no clue.

One Answer

The DNAT looks good, but for the SNAT I think I'd go

-A POSTROUTING -p tcp -m tcp --dport 5000 -j SNAT --to-source 172.21.26.237

instead of

-A POSTROUTING -p tcp -m tcp --dport 8888 -j SNAT --to-source 172.21.26.237

I mean since PREROUTING changes the port from 8888 to 5000, it doesn't make sense to expect 8888 anywhere behind that stage.

Answered by kubanczyk on November 4, 2021
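The point the answer makes can be checked without a root shell. The following is an added example, not code from the question or the answer: a small Python model of how the first SYN of a connection walks the nat table's PREROUTING chain (DNAT, before routing) and then its POSTROUTING chain (SNAT, after routing). The rule lines and addresses are copied from the question and the answer; the traversal model itself is a simplification of netfilter (no conntrack, no filter table) and is an assumption of this example, as is the optional `-d` match it understands.

```python
# Added example (not from the question or answer): model a TCP SYN passing
# through the nat table's PREROUTING (DNAT) and POSTROUTING (SNAT) chains, to
# show why a POSTROUTING rule matching --dport 8888 never fires once PREROUTING
# has rewritten the destination port to 5000. Simplified model, assumed here.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    chain: str                 # "PREROUTING" or "POSTROUTING"
    dport: int                 # the --dport value the rule matches on
    target: str                # "DNAT" or "SNAT"
    to: str                    # --to-destination "ip:port" or --to-source "ip"
    dst: Optional[str] = None  # optional -d match (hypothetical, not in the question's rules)


def parse_rule(line: str) -> NatRule:
    """Parse an iptables-save style nat rule of the limited shape used on this page."""
    toks = line.split()

    def opt(flag: str) -> Optional[str]:
        # Value following a flag, or None if the flag is absent.
        return toks[toks.index(flag) + 1] if flag in toks else None

    target = opt("-j")
    to = opt("--to-destination") if target == "DNAT" else opt("--to-source")
    return NatRule(opt("-A"), int(opt("--dport")), target, to, opt("-d"))


def apply_chain(pkt: Packet, rules: List[NatRule], chain: str) -> Tuple[Packet, Optional[NatRule]]:
    """Walk one nat chain in order; the first matching rule's target is applied."""
    for r in rules:
        if r.chain != chain:
            continue
        if r.dport != pkt.dport or (r.dst is not None and r.dst != pkt.dst):
            continue  # --dport (and optional -d) is evaluated against the packet as it is NOW
        if r.target == "DNAT":
            ip, port = r.to.rsplit(":", 1)
            return replace(pkt, dst=ip, dport=int(port)), r
        if r.target == "SNAT":
            return replace(pkt, src=r.to), r
    return pkt, None  # nothing matched: chain policy ACCEPT, packet unchanged


def traverse(pkt: Packet, rules: List[NatRule]) -> Tuple[Packet, bool, bool]:
    """PREROUTING runs before the routing decision, POSTROUTING after it."""
    pkt, dnat = apply_chain(pkt, rules, "PREROUTING")
    pkt, snat = apply_chain(pkt, rules, "POSTROUTING")
    return pkt, dnat is not None, snat is not None


# The SYN from tcpdump trace (3) in the question: Windows client -> Ubuntu:8888.
SYN = Packet("172.21.16.1", 63367, "172.21.26.237", 8888)

# Rules exactly as iptables-save printed them in the question.
QUESTION_RULES = [
    "-A PREROUTING -p tcp -m tcp --dport 8888 -j DNAT --to-destination 172.21.16.1:5000",
    "-A POSTROUTING -p tcp -m tcp --dport 8888 -j SNAT --to-source 172.21.26.237",
]
# The same DNAT, with the SNAT rule the answer proposes.
ANSWER_RULES = [
    QUESTION_RULES[0],
    "-A POSTROUTING -p tcp -m tcp --dport 5000 -j SNAT --to-source 172.21.26.237",
]


def run(rule_lines: List[str]) -> Tuple[Packet, bool, bool]:
    """Parse a ruleset and push the sample SYN through it."""
    return traverse(SYN, [parse_rule(line) for line in rule_lines])


if __name__ == "__main__":
    for name, rules in (("question", QUESTION_RULES), ("answer", ANSWER_RULES)):
        out, dnat_hit, snat_hit = run(rules)
        print(f"{name}: {out.src}:{out.sport} -> {out.dst}:{out.dport}"
              f"  DNAT={dnat_hit} SNAT={snat_hit}")
```

With the question's rules the model emits the SYN as `172.21.16.1:63367 -> 172.21.16.1:5000` with the SNAT rule never matching, which is exactly what tcpdump trace (4) in the question captured: the packet leaves the Ubuntu box still carrying the Windows client's own address as source, so any reply from the web server is addressed to the client directly rather than back through the NAT box, and the forwarded handshake cannot complete. With the answer's rule the source becomes 172.21.26.237 and the reply returns to the box that holds the DNAT state. Two practical notes: matching only `--dport 5000` in POSTROUTING rewrites the source of every connection the box makes to port 5000 anywhere, so narrowing it with `-d 172.21.16.1` (which the model also understands) is the more precise rule; and SNAT of this kind means the backend's logs will show 172.21.26.237, not the real client address, which matters when you later try to attribute requests.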
