DNAT using Iptables
Rumi, January 12, 2009

Before I start on DNAT, I'd better say what it does. The DNAT target is used to do Destination Network Address Translation, which means that it rewrites the destination IP address (and, optionally, the destination port) of a packet. If a packet is matched and DNAT is the target of the rule, that packet and all subsequent packets in the same stream are translated and then routed on to the correct device, host or network. The translation is tracked per connection, so the replies coming back from the internal host are rewritten to the public address again on their way out; you do not write a second rule for the return direction.

This target is extremely useful, for example, when you have a host running your web server inside a LAN but no real IP to give it that will work on the Internet. You can then tell the firewall to forward all packets arriving at its own HTTP port on to the real web server within the LAN. You may also specify a whole range of destination IP addresses (for example --to-destination 192.168.0.5-192.168.0.7), and DNAT will pick one address from that range for each new stream, which gives you a crude form of load balancing. Note that this only spreads connections; it does no health checking, so a host in the range that is down keeps receiving its share of new connections.

Note that the DNAT target is only available within the PREROUTING and OUTPUT chains in the nat table, and in user-defined chains called from either of those two. Chains containing DNAT targets may not be used from any other chain, such as the POSTROUTING chain.

So, let's see it in action. Here's the scenario:

FIREWALL EXT INTERFACE: 65.222.35.249
FIREWALL INT INTERFACE: 192.168.0.248
WEB HOST: 192.168.0.5

Here's the small line to be added to the *nat section of /etc/sysconfig/iptables (the --dport and --to-destination options take two dashes; the single dash that some copies of this rule show is a typographic artefact and iptables will reject it):

-A PREROUTING -p tcp -m tcp -d 65.222.35.249 --dport 80 -j DNAT --to-destination 192.168.0.5

Voilà! It's done. I assume 65.222.35.249 is a (possibly virtual) IP on the external interface and that you want your visitors to see the website on the 192.168.0.5 machine, which sits behind the firewall, by destination-NATing it through 65.222.35.249.

Two things the rule alone does not cover, and both make the site appear to hang rather than refuse connections if they are missing: packet forwarding must be enabled on the firewall (net.ipv4.ip_forward = 1), and the FORWARD chain in the filter table must accept the translated traffic, that is TCP to 192.168.0.5 port 80, because filtering happens after the destination has already been rewritten.
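The complete ruleset this scenario needs, in the iptables-restore format that /etc/sysconfig/iptables uses, as an added example rather than the original post's file. The interface names eth0 (external) and eth1 (internal), the 192.168.0.0/24 size of the LAN, the masquerade rule for outbound LAN traffic and the optional hairpin rules (so that LAN clients can also reach the site via the public address) are assumptions not stated in the post; the DNAT line itself is the one from the post.

```text
# /etc/sysconfig/iptables  (iptables-restore format)
# Added example, not the original post's file.
# Assumed: eth0 = external (65.222.35.249), eth1 = internal (192.168.0.248),
#          LAN = 192.168.0.0/24, web host = 192.168.0.5.
# Forwarding must also be enabled: net.ipv4.ip_forward = 1 (see note below).

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Inbound HTTP for the public address goes to the web host. DNAT is only
# valid in PREROUTING/OUTPUT of the nat table, so this is where it lives.
-A PREROUTING -i eth0 -p tcp -m tcp -d 65.222.35.249 --dport 80 -j DNAT --to-destination 192.168.0.5
# Optional hairpin (assumption): LAN clients that browse to the public
# address are DNATed too, and the SNAT below makes the web host answer
# through the firewall instead of replying to the client directly.
-A PREROUTING -i eth1 -p tcp -m tcp -d 65.222.35.249 --dport 80 -j DNAT --to-destination 192.168.0.5
-A POSTROUTING -o eth1 -p tcp -m tcp -s 192.168.0.0/24 -d 192.168.0.5 --dport 80 -j SNAT --to-source 192.168.0.248
# Outbound LAN traffic hides behind the external interface (assumption).
-A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
COMMIT

*filter
# Host-local (INPUT) policy is out of scope for this example; tighten it separately.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Return traffic of every tracked connection, both directions.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# FORWARD sees the packet AFTER DNAT, so match the translated destination,
# not the public address. Only new HTTP streams to the web host get in.
-A FORWARD -o eth1 -p tcp -m tcp -d 192.168.0.5 --dport 80 -m state --state NEW -j ACCEPT
# LAN hosts may open connections outwards.
-A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
COMMIT
```

Load it with iptables-restore < /etc/sysconfig/iptables (or service iptables restart on the RHEL/CentOS family that path implies), enable forwarding with sysctl -w net.ipv4.ip_forward=1 and persist it in /etc/sysctl.conf, then fetch the site from outside and check that the packet counters climb on both the DNAT rule (iptables -t nat -vnL PREROUTING) and the FORWARD accept rule (iptables -vnL FORWARD). If conntrack-tools is installed, conntrack -L -p tcp --dport 80 shows each stream with its original tuple (destination 65.222.35.249:80) next to the translated reply tuple (source 192.168.0.5:80), which is the quickest way to confirm the DNAT is actually being applied and not just parsed.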