I can't figure out iptables and I don't know very much about networking and I'm really hoping that someone out there can help me.
I have a server with two IP addresses associated with it: 1.1.1.1 and 2.2.2.2
Running Ubuntu 10.04
Here is my ifconfig:
eth0 Link encap:Ethernet HWaddr 00:16:3e:xx:xx:xx
inet addr:1.1.1.1 Bcast:xxx.xxx.xxx.xxx Mask:xxx.xxx.xxx.xxx
inet6 addr: xxxxxxxxxxxxxxxxxxxxxxxx Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8601280 errors:0 dropped:0 overruns:0 frame:0
TX packets:2520243 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1736805563 (1.7 GB) TX bytes:412953236 (412.9 MB)
Interrupt:11
eth0:0 Link encap:Ethernet HWaddr 00:16:3e:xx:xx:xx
inet addr:2.2.2.2 Bcast:xxx.xxx.xxx.xxx Mask:xxx.xxx.xxx.xxx
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:11
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1216209 errors:0 dropped:0 overruns:0 frame:0
TX packets:1216209 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13294196379 (13.2 GB) TX bytes:13294196379 (13.2 GB)
Everything works fine: when I type 1.1.1.1 or 2.2.2.2 into the address bar of a browser, I get the default Apache2 page as expected.
Now, I have an application that runs in the browser which has a WebSocket connection over port 8000. I serve the page over port 80 (http) as usual using 1.1.1.1, and I have the WebSocket communicating behind the scenes with 2.2.2.2 over port 8000. Everything's fine.
Now I plug in my 3G modem which blocks port 8000. My WebSocket communication to 2.2.2.2 fails.
I want the WebSocket to communicate with 2.2.2.2 over port 80, but get the server to translate requests on 2.2.2.2:80 to 1.1.1.1:8000.
I found this: meteorserver dot org/installation/ (see section 6) but it didn't work ;( I also tried this: http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/ but it gave me the following error:
ubuntu> sudo iptables -t nat -A PREROUTING -i eth0:0 -p tcp --dport 80 -j REDIRECT --to-port 8000
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Apparently IP aliases aren't supported ;( I tried putting eth0:0 in quotes and it still wouldn't work.
I'm completely stumped.
You're on the right track. You don't have to specify the "alias" input interface. From an iptables perspective the input interface is still eth0, even if the destination IP address is 2.2.2.2. Try this way instead:
That should do what you're looking for.
Edit:
You want "eth0" in that command, not "eth0:0" (which isn't legal). The physical interface the packet is entering on is "eth0", which is all iptables is concerned about.
Unless the protocol you're using is UDP-based you don't need a corresponding "-p udp" entry.
To see what's in your "PREROUTING" chain now, do an
iptables -t nat -L
You can delete individual entries from the chain by using
iptables -t nat -D PREROUTING x
where "x" is the sequential count of the entry in the chain you want to delete (the first one is "1", the second is "2", etc.) as displayed by
iptables -t nat -L
Don't match on the device name. Try just matching based on the IP.
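Putting the answer above and the "match on the IP" advice together, here is an added example (my own script, not code from anyone in this thread) that builds the nat rules for 2.2.2.2:80 -> 1.1.1.1:8000 without ever naming eth0:0. It assumes the same addresses as the question, a listener on 1.1.1.1:8000, and uses DNAT so the target address is explicit (REDIRECT --to-port 8000 would also land on 1.1.1.1, eth0's primary address); DRY_RUN=1 (the default) only prints the commands so you can review them before running as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed layout: primary IP
# 1.1.1.1 on eth0, alias 2.2.2.2 on eth0:0, WebSocket server on 1.1.1.1:8000.
# DRY_RUN=1 prints the iptables commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the rules for ALIAS_IP:PUBLIC_PORT -> PRIMARY_IP:SERVICE_PORT.
# Matching on -d (the alias address) is what replaces "-i eth0:0"; from the
# kernel's point of view the packet arrives on eth0 either way.
redirect_rules() {
    alias_ip=$1; public_port=$2; primary_ip=$3; service_port=$4
    # Traffic arriving from the network passes through nat PREROUTING.
    run iptables -t nat -A PREROUTING -p tcp -d "$alias_ip" --dport "$public_port" \
        -j DNAT --to-destination "$primary_ip:$service_port"
    # Packets generated on the server itself (e.g. testing with curl locally)
    # never see PREROUTING; the nat OUTPUT chain needs the same rule.
    run iptables -t nat -A OUTPUT -p tcp -d "$alias_ip" --dport "$public_port" \
        -j DNAT --to-destination "$primary_ip:$service_port"
    # DNAT only rewrites the header; the filter table must still let the
    # rewritten packet reach port 8000.
    run iptables -A INPUT -p tcp -d "$primary_ip" --dport "$service_port" -j ACCEPT
}

# Show the chain with rule numbers: that number is the "x" you pass to
# "iptables -t nat -D PREROUTING x" when removing a rule.
list_nat() {
    run iptables -t nat -L PREROUTING -n --line-numbers
}

redirect_rules 2.2.2.2 80 1.1.1.1 8000
list_nat
```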
I'll answer your question with another question :D
Check this out:
Linux iptables: Port Redirection Example
Another approach: use virtual interfaces (macvlan).
IP aliases are a higher-level trick and iptables will see just one interface (the real one). You can avoid the problem by using IP ranges directly, as suggested.
With vlan interfaces you shouldn't have any problem with netfilter/iptables, as they behave like normal interfaces at the kernel level. To add a new one (you don't need to specify the MAC):
ip link add link name_real_if address mac:virt:if name_virt_if type macvlan
This way you work directly at OSI layer 2; indeed you could use them in bridge configurations, make firewall/QoS rules independently of IP assignments...
It took me a while to find this solution. I'd always used ifconfig eth0:0; it's fast and useful, but it's maybe time to migrate to iproute2.