* Markus Kolb ([EMAIL PROTECTED]) [031020 12:47]:
> Hello,
>
> how can I set up a forwarding rule with ipchains that a connect to host A
> is redirected to the Apache-SSL webserver listening on host B.
>
> I want to have a transparent forwarding. The user should enter the
> address from host A in his browser and the webserver from host B should
> answer the requests.
>
> The webserver on host B is listening to all addresses at the specific
> port 423.
>
> So at the moment I try with
> ipmasqadm autofw -A -v -r tcp 423 423 -h "${IP from host B}"
> on host A.
>
> If I try to connect https://IP_host_A:423/ I get a connection timeout.
>
> I've just dumped the traffic with ethereal.
> First there is an ICMP Redirect.
> The browser sends a SYN request to the right host B from port 2090 to 423.
> Host B answers with a SYN ACK to browser host from 423 to 2090.
> After this browser sends a reset from 2090 to 423 at host B.

It sounds like you're trying to do this on a host which is not a router between the browser host and host B. This type of setup will only work if host A can rewrite addresses in the packets in both directions. This means the returning packets from host B to the browser must pass through host A so that they can be rewritten with host A as the source address.

As far as the browser is concerned, it's trying to set up a connection to Host A, which is not responding. Host B is sending it a SYNACK, but it doesn't care about Host B -- it never sent a SYN to host B. So it sends B a RST, same as it would for any other host sending it a random SYNACK that it knows nothing about.

It sounds like you might have to re-route your network a little bit. It would probably be easier to forget the NAT and just try something like redir (a socket redirector) instead.

good times,
Vineet
--
http://www.doorstop.net/
--
"Great spirits have always found violent opposition from mediocre minds. The latter cannot understand it when a man does not thoughtlessly submit to hereditary prejudices but honestly and courageously uses his intelligence."
-- Albert Einstein
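The socket-redirector approach suggested at the end of the reply, shown as an added example (not code from this thread and not the redir tool's source): the listener plays host A, accepts the browser's connection itself and opens a second TCP connection to the backend playing host B, so every packet the browser receives comes from the address it dialled. The function names and the loopback demo with its stand-in backend are constructed for illustration.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def handle(client, target):
    """Open a separate TCP connection to target and splice it to the client."""
    try:
        upstream = socket.create_connection(target)
    except OSError:
        client.close()
        return
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()

def serve(listen_addr, target):
    """Accept on listen_addr (host A's role) and relay to target (host B's role)."""
    srv = socket.create_server(listen_addr)
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, target), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv

def demo():
    """Constructed loopback run: a stand-in backend answers through the relay."""
    backend = socket.create_server(("127.0.0.1", 0))
    def answer():
        conn, _ = backend.accept()
        conn.sendall(b"B saw: " + conn.recv(1024))
        conn.close()
    threading.Thread(target=answer, daemon=True).start()
    relay = serve(("127.0.0.1", 0), backend.getsockname())
    with socket.create_connection(relay.getsockname()) as client:
        client.sendall(b"hello")
        return client.recv(1024)  # arrives from the relay's address, not the backend's
```

Because the relay copies bytes without interpreting them, a TLS session passes through unmodified and the backend's certificate is what the browser sees. The backend's logs will show the relay host as the client address for every request.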

