Archive for the ‘iptables’ Category

Forwarding outgoing http requests to another server

Sunday, August 7th, 2011

In this article I'll show an iptables rule that forwards outgoing http requests from one server to another. Both servers are single-homed (one network interface each), sit in the same subnet and run Ubuntu with iptables. In my case I needed to forward, or reroute, outgoing http requests from one server to a server running Squid.

On the net you'll find a lot of articles for dual-homed servers (read: gateways) on how to forward incoming traffic to internal servers, how to do port rewriting (forwarding a local port to another local port on the same server), how to do transparent proxying and so on. My case is trivial: all outgoing http requests should be forwarded to the server with Squid running in transparent mode. Nothing needs to be rewritten or changed in terms of source/destination/port.

  iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 1.2.3.4:3128

where 1.2.3.4 is the server running Squid and 3128 is the port it’s listening on.

On the server running Squid make sure that it’s in transparent mode:

  # grep transparent /etc/squid/squid.conf
  http_port 3128 transparent

I didn’t realize OUTPUT could be used with DNAT, but guess what — it works!

Selective NAT with iptables

Thursday, January 6th, 2011

Here is a quick note on how to exclude one particular network from NAT while the rest remains NATed. Done on Ubuntu with iptables running.

  iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/8 -j MASQUERADE

In case you need one more network to be excluded:

  iptables -t nat -A POSTROUTING -o eth0 -d 192.168.0.0/16 -j RETURN
  iptables -t nat -A POSTROUTING -o eth0 ! -d 10.0.0.0/8 -j MASQUERADE
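Both posts hand-type rules that grow one line at a time, so here is an added script (not from either post) that generates the selective-NAT rules for any number of excluded networks and the OUTPUT DNAT rule for the Squid redirect, with a dry-run mode that prints the commands instead of applying them. The interface name, proxy address/port and excluded networks are constructed sample values; the ordering (exclusions before MASQUERADE) is what makes the exclusions work, since the nat table stops at the first matching terminating target.

```shell
#!/bin/sh
# Added example, not the blog's own code.  Set DRY_RUN=1 to print the
# iptables commands instead of running them (applying rules needs root).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# selective_nat IFACE NET [NET...]
# One RETURN per excluded destination network (the packet leaves the nat
# table unchanged), then MASQUERADE for everything else going out IFACE.
# The RETURN rules must come first: rules are matched top to bottom and
# MASQUERADE is terminating, so exclusions appended after it never fire.
selective_nat() {
    iface=$1; shift
    for net in "$@"; do
        run -t nat -A POSTROUTING -o "$iface" -d "$net" -j RETURN
    done
    run -t nat -A POSTROUTING -o "$iface" -j MASQUERADE
}

# redirect_http PROXY_IP PROXY_PORT
# Same rule as the first post: locally generated TCP/80 traffic is DNATed to
# the Squid box.  The OUTPUT chain only sees packets this host itself
# creates, so routed/forwarded traffic is not touched by this rule.
redirect_http() {
    run -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination "$1:$2"
}

# show_nat: list the nat table with packet/byte counters so you can confirm
# the RETURN and DNAT rules are actually being hit after a test request.
show_nat() {
    run -t nat -L -n -v --line-numbers
}

# Typical use (constructed values):
#   selective_nat eth0 10.0.0.0/8 192.168.0.0/16
#   redirect_http 1.2.3.4 3128
#   show_nat
```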