Denver
Robert, 2016-05-13 17:02:21

Iptables and redirect to internal server?

Good afternoon. I need all devices connected to one router, when they request a specific IP, to end up on the site that is hosted on my machine. I installed OpenWrt on the router and added the rule iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 -d "IP" --dport 80 -j DNAT --to-destination 192.168.1.100, started Denwer and added the site at the address Z:\home\192.168.1.100\www; the firewall is turned off, and I even added a rule to open port 80 on the machine, but in response there is silence. When I go to 192.168.1.100 the site opens, but at the required IP it says the site is unavailable.
The most interesting thing is that iptables -t nat -vnL shows that one packet passes and that's it. (Well, if I understand it correctly =))

# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 572 packets, 31858 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   208 DNAT       tcp  --  *      *       192.168.1.0/24       81.19.76.10          tcp dpt:80 to:192.168.1.100
   20  1040 DNAT       tcp  --  *      *       192.168.1.0/24       91.228.155.94        tcp dpt:80 to:192.168.1.100
 1410 93511 delegate_prerouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 183 packets, 11710 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 202 packets, 13110 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 10 packets, 520 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1345 75377 delegate_postrouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain delegate_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1345 75377 postrouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */
   24  1248 zone_lan_postrouting  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
 1321 74129 zone_wan_postrouting  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain delegate_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1410 93511 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */
 1365 90796 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
   45  2715 zone_wan_prerouting  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain postrouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain postrouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain prerouting_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain zone_lan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   24  1248 postrouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */

Chain zone_lan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1365 90796 prerouting_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       91.228.155.94        tcp dpt:80 to:192.168.1.100

Chain zone_wan_postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1321 74129 postrouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for postrouting */
 1321 74129 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
   45  2715 prerouting_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for prerouting */

PS I tried to do this on a Keenetic router with slightly tweaked stock firmware (which one I won't say, I don't remember), and everything worked.

ldv, 2016-05-13
@rob_01

You change the destination address in the packet but leave the source address unchanged. The server receives the packet and sends its response not to the router but directly to the client computer. You need to add a rule like

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.100/32 -p tcp -m tcp --dport 80 -j MASQUERADE
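The following is an added example, not code from the thread: a small Python model of the packet flow ldv describes, run once with the poster's DNAT-only ruleset and once with the extra MASQUERADE rule. The router address 192.168.1.1, the client address 192.168.1.20 and the client port are assumptions for the example; the server address 192.168.1.100, the public address 91.228.155.94 and the two nat-table rules are taken from the post and the answer.

```python
"""Model of the hairpin-NAT problem in the thread: a LAN client connects to a
public IP that the router DNATs to a server on the same LAN.  The two scenarios
are the poster's DNAT-only ruleset and ldv's DNAT + MASQUERADE.  The router and
client addresses and the client port are assumptions made for this example.
"""
from dataclasses import dataclass, replace

CLIENT = "192.168.1.20"        # assumed LAN client
ROUTER_LAN = "192.168.1.1"     # assumed LAN address of the OpenWrt router
SERVER = "192.168.1.100"       # the Denwer machine (from the post)
PUBLIC_IP = "91.228.155.94"    # one of the redirected external IPs (from the post)
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


class Router:
    """Applies the nat-table rules from the thread and tracks connections."""

    def __init__(self, masquerade):
        self.masquerade = masquerade
        # conntrack: expected reply tuple -> what the client originally sent
        self.conntrack = {}

    def forward(self, pkt):
        original = pkt
        # PREROUTING: -s 192.168.1.0/24 -d PUBLIC_IP -p tcp --dport 80 -j DNAT --to 192.168.1.100
        if on_lan(pkt.src) and pkt.dst == PUBLIC_IP and pkt.dport == 80:
            pkt = replace(pkt, dst=SERVER)
        # POSTROUTING: -s 192.168.1.0/24 -d 192.168.1.100 -p tcp --dport 80 -j MASQUERADE
        # (the real target may also rewrite the source port; kept fixed here)
        if self.masquerade and on_lan(pkt.src) and pkt.dst == SERVER and pkt.dport == 80:
            pkt = replace(pkt, src=ROUTER_LAN)
        reply_key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.conntrack[reply_key] = original
        return pkt

    def un_nat_reply(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        original = self.conntrack.get(key)
        if original is None:
            return pkt  # unknown flow: leave it alone
        # Reverse both translations: the client must see PUBLIC_IP:80 answering it.
        return Packet(src=original.dst, sport=original.dport,
                      dst=original.src, dport=original.sport)


def server_reply(pkt):
    """The web server answers whoever the packet claims to come from."""
    return Packet(src=SERVER, sport=80, dst=pkt.src, dport=pkt.sport)


def simulate(masquerade, client_port=40000):
    """Return 'ESTABLISHED' if the client's SYN gets a matching SYN-ACK, else 'RST'."""
    router = Router(masquerade)
    syn = Packet(src=CLIENT, sport=client_port, dst=PUBLIC_IP, dport=80)
    # The default route takes the SYN to the router, where NAT happens.
    reply = server_reply(router.forward(syn))
    # Server and client share the subnet: only a reply addressed to the router
    # itself passes back through the nat table; anything else goes direct.
    if reply.dst == ROUTER_LAN:
        reply = router.un_nat_reply(reply)
    expected = (PUBLIC_IP, 80, CLIENT, client_port)
    got = (reply.src, reply.sport, reply.dst, reply.dport)
    # No socket matches a SYN-ACK from 192.168.1.100, so the client answers RST
    # and the browser eventually reports the site as unavailable.
    return "ESTABLISHED" if got == expected else "RST"


if __name__ == "__main__":
    print("DNAT only:        ", simulate(masquerade=False))
    print("DNAT + MASQUERADE:", simulate(masquerade=True))
```

Without the POSTROUTING rule the SYN-ACK arrives at the client from 192.168.1.100:80, which matches no socket, so the client resets it; the few packets counted on the DNAT rule in the post are the SYN retransmissions. With the rule the server replies to the router, conntrack reverses both translations and the client sees 91.228.155.94:80 answering. One practical caveat: iptables rules typed at the OpenWrt shell do not survive a firewall reload or reboot, so on releases of that era both rules belong in /etc/firewall.user, which fw3 runs on every reload.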
