On Mon, 2003-08-18 at 09:45, Simran Hansrai wrote:
> Hi Guys,
> 
> I am trying to forward port 8080 on my redhat 8.0 box to port 80 on my
> solaris box and I have done the following so far:
> 
> Made sure that I have a "1" in my /proc/sys/net/ipv4/ip_forward file
> 
> and issued the following command:
> 
> iptables -A PREROUTING -t nat -p tcp -d 192.168.0.7 --dport 8080 -j
> DNAT --to 192.168.0.5:80
> 
> I have made sure that apache is running on 192.168.0.5:80 by directly accessing
> the site.  But when I try and access it through: http://192.168.0.7:8080 I
> am unable to bring anything up.

Assuming your clients are on the same network segment, this won't work
without also performing SNAT.  By default, your routing tables dictate
that all local LAN traffic gets sent directly, rather than through the
default route.  This means that any return traffic from the server to
the client will be sent straight back to the client, rather than through
the "forwarder" box.  As far as your client goes, it's expecting to see
a SYN/ACK return packet from 192.168.0.7, not 192.168.0.5.

## Example traffic:

Client (192.168.0.10) sends packet to 192.168.0.7:8080
(source 192.168.0.10:<high port>, destination 192.168.0.7:8080)

RedHat box forwards packet (DNAT) to Solaris server
(source 192.168.0.10:<high port>, destination 192.168.0.5:80)

Solaris box receives packet, sends response to Client
(source 192.168.0.5:80, destination 192.168.0.10:<high port>)

##  The Client is going to see the packet and drop it.  Here's what you
want to happen:

Client (192.168.0.10) sends packet to 192.168.0.7:8080
(source 192.168.0.10:<high port>, destination 192.168.0.7:8080)

RedHat box forwards packet (DNAT & SNAT) to Solaris server
(source 192.168.0.7:<high port>, destination 192.168.0.5:80)

Solaris box receives packet, sends response to Client
(source 192.168.0.5:80, destination 192.168.0.7:<high port>)

Redhat box reverses translation (DNAT & SNAT), forwards packet to Client
(source 192.168.0.7:8080, destination 192.168.0.10:<high port>)

Hope this makes sense.  I run into this situation routinely; this is
what some refer to as "reflection".  Your forwarder keeps state while
storing the DNAT/SNAT information in the translation tables.

-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
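As an added illustration (not part of Jason's reply or any Red Hat code), the following Python model of the forwarder's translation table replays the two packet flows above and checks whether the client ever sees a SYN/ACK from the address and port it connected to. Addresses and ports are the ones from the thread; the client's high port (40000) is a constructed value.

```python
# Added example: a minimal model of the RedHat box's NAT state table.
# Addresses/ports follow the thread; the client's high port 40000 is constructed.
CLIENT, FWD, SERVER = "192.168.0.10", "192.168.0.7", "192.168.0.5"

class Forwarder:
    """DNAT of FWD:8080 -> SERVER:80, optionally with SNAT to the forwarder's address."""
    def __init__(self, snat):
        self.snat = snat
        self.table = {}   # reply tuple as the server will emit it -> original request

    def forward(self, pkt):
        src, sport, dst, dport = pkt
        if (dst, dport) != (FWD, 8080):
            return pkt                       # not ours to translate
        if self.snat:
            src = FWD                        # SNAT: server sees the forwarder as source
        out = (src, sport, SERVER, 80)       # DNAT: destination becomes the server
        self.table[(SERVER, 80, src, sport)] = pkt   # state needed to un-translate the reply
        return out

    def reverse(self, pkt):
        """Undo both translations on a reply that came back through the forwarder."""
        orig = self.table.get(pkt)
        if orig is None:
            return None                      # no state for this reply: dropped
        src, sport, dst, dport = orig
        return (dst, dport, src, sport)      # FWD:8080 -> CLIENT:high port

def client_accepts(snat):
    """True if the client receives the SYN/ACK from the tuple it connected to."""
    fwd = Forwarder(snat)
    syn = (CLIENT, 40000, FWD, 8080)
    seen_by_server = fwd.forward(syn)
    # the server replies to whatever source address/port it saw
    reply = (SERVER, 80, seen_by_server[0], seen_by_server[1])
    # one LAN segment: the reply is delivered directly to its destination host,
    # so it only passes the forwarder if the forwarder is that destination
    if reply[2] == FWD:
        reply = fwd.reverse(reply)
    expected = (FWD, 8080, CLIENT, 40000)
    return reply == expected

if __name__ == "__main__":
    print("DNAT only:", client_accepts(snat=False))   # False: SYN/ACK comes from 192.168.0.5
    print("DNAT+SNAT:", client_accepts(snat=True))    # True: reply is reversed by the forwarder
```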


-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list