Re: [CentOS] Forward http traffic

2014-01-09 Thread Nikolaos Milas
On 8/1/2014 8:28 pm, Les Mikesell wrote:

> The concept doesn't even make sense for TCP connections where the
> stack requires acks and sequencing.  Are you trying to bridge to a
> capture device or something?

Thank you all for your enlightening feedback, which helped me better 
understand my situation.

I can see that in fact I can do with a forward proxy (and not use 
iptables at all).

The goal is to transfer data from a data capture device (which 
incorporates a web server) lying on a private subnet (without NAT) to 
various destinations. I now understand that forwarding identical traffic 
using iptables to such destinations (even if it was possible) would not 
be the right way. The device can be instructed to send data via http to 
whatever destinations via a "local" http forward proxy (which has a 
public IP address but can be accessed from the private subnet).

Case closed.

Thank you all again,
Nick
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Forward http traffic

2014-01-08 Thread Les Mikesell
On Wed, Jan 8, 2014 at 1:34 PM, Brian Miller  wrote:
>
>> that doesn't make any sense.
>>
>> a SYN packet comes in, is forwarded to serverA and serverB
>>
>> both servers reply with an 'ack'  man, is the client tcp stack going
>> to be confused!
>
>
> He didn't say anything about both servers replying, only that he wanted
> to mirror all port 80 traffic.  Maybe he's trying to develop a protocol
> specific IDS, or maybe he wants to build some sort of OOB transaction
> log of his HTTP traffic.

But if you are going to do that, you probably wouldn't need (or want)
the IP addresses to be modified in the packets - you'd make it work at
layer 2 and use a switch with a monitor port (or for lower bandwidth,
an old fashioned hub) to fan out copies of the packets.

-- 
  Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] Forward http traffic

2014-01-08 Thread Brian Miller
On Wed, 2014-01-08 at 11:23 -0800, John R Pierce wrote:

> that doesn't make any sense.
> 
> a SYN packet comes in, is forwarded to serverA and serverB
> 
> both servers reply with an 'ack'  man, is the client tcp stack going 
> to be confused!


He didn't say anything about both servers replying, only that he wanted
to mirror all port 80 traffic.  Maybe he's trying to develop a protocol
specific IDS, or maybe he wants to build some sort of OOB transaction
log of his HTTP traffic.   




Re: [CentOS] Forward http traffic

2014-01-08 Thread John R Pierce
On 1/8/2014 5:02 AM, Nikolaos Milas wrote:
> Actually, I don't want load balancing; I want incoming http traffic (to
> port 8080) to be forwarded to*ALL*  defined target IP addresses.


that doesn't make any sense.

a SYN packet comes in, is forwarded to serverA and serverB

both servers reply with an 'ack'  man, is the client tcp stack going 
to be confused!



-- 
john r pierce  37N 122W
somewhere on the middle of the left coast



Re: [CentOS] Forward http traffic

2014-01-08 Thread Steve Clark
On 01/08/2014 11:32 AM, Darr247 wrote:
> On 2014-01-08 8:02 AM, Nikolaos Milas wrote:
>> Actually, I don't want load balancing; I want incoming http traffic
>> (to port 8080) to be forwarded to *ALL* defined target IP addresses.
> Sometimes the correct answer is, "you can't do that."  :)
>
> You can talk TO port 80 on all the defined target IP addresses, but not
> FROM port 8080 on a single IP address.
Please explain how you do that with iptables.
Thanks.
>
> You could define a different outside port to forward to port 80 on each
> internal IP address, though.
> e.g.
> forward 8081 to 80 on machine1
> forward 8082 to 80 on machine2
> forward 8083 to 80 on machine3
> forward 8084 to 80 on machine4
> forward 8085 to 80 on machine5
> et cetera


-- 
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: [CentOS] Forward http traffic

2014-01-08 Thread Les Mikesell
On Wed, Jan 8, 2014 at 11:50 AM, Joseph Spenner  wrote:
>
>> Actually, I don't want load balancing; I want incoming http traffic
>> (to port 8080) to be forwarded to *ALL* defined target IP addresses.
>>
>
> What is the goal (other than forward 1 request to 2 servers)?
> It would kinda be a mess, since each server would reply to the request(s).
> Are you trying to have a pair of web servers sync'd up identically for 
> disaster / redundancy purposes?

The concept doesn't even make sense for TCP connections where the
stack requires acks and sequencing.  Are you trying to bridge to a
capture device or something?



Re: [CentOS] Forward http traffic

2014-01-08 Thread Joseph Spenner


- "Nikolaos Milas"  wrote:

> From: "Nikolaos Milas" 
> To: "CentOS mailing list" 
> Sent: Wednesday, 8 January 2014 11:02:48 (GMT-0300) Auto-Detected
> Subject: Re: [CentOS] Forward http traffic
>
> On 8/1/2014 11:54 am, Antonio da Silva Martins Junior wrote:
> 
> > Well, I had only used with a "range". Maybe you can take a look on a
> > software load-balancer, like haproxy, or use something like nginx.
> > Then forward to the load-balancer instead to the servers.
> 
> Thanks,
> 
> Actually, I don't want load balancing; I want incoming http traffic
> (to port 8080) to be forwarded to *ALL* defined target IP addresses.
> 

What is the goal (other than forward 1 request to 2 servers)?
It would kinda be a mess, since each server would reply to the request(s).
Are you trying to have a pair of web servers sync'd up identically for disaster 
/ redundancy purposes?


==

 
If life gives you lemons, keep them-- because hey.. free lemons. 

"~heart~ Sticker"  fixer:  http://microflush.org/stuff/stickers/heartFix.html 


Re: [CentOS] Forward http traffic

2014-01-08 Thread Darr247
On 2014-01-08 8:02 AM, Nikolaos Milas wrote:
> Actually, I don't want load balancing; I want incoming http traffic 
> (to port 8080) to be forwarded to *ALL* defined target IP addresses.

Sometimes the correct answer is, "you can't do that."  :)

You can talk TO port 80 on all the defined target IP addresses, but not 
FROM port 8080 on a single IP address.

You could define a different outside port to forward to port 80 on each 
internal IP address, though.
e.g.
forward 8081 to 80 on machine1
forward 8082 to 80 on machine2
forward 8083 to 80 on machine3
forward 8084 to 80 on machine4
forward 8085 to 80 on machine5
et cetera


Re: [CentOS] Forward http traffic

2014-01-08 Thread John Doe
From: Nikolaos Milas 

> Actually, I don't want load balancing; I want incoming http traffic (to 
> port 8080) to be forwarded to *ALL* defined target IP addresses.

Could you describe the traffic exchange you expect...?
1. http request to 8080.
2. request is forwarded to n servers on 80.
3. n servers give n answers to the firewall/proxy.
4. 1 request and n answers...?

JD


Re: [CentOS] Forward http traffic

2014-01-08 Thread Antonio da Silva Martins Junior

- "Nikolaos Milas"  wrote:

> From: "Nikolaos Milas" 
> To: "CentOS mailing list" 
> Sent: Wednesday, 8 January 2014 11:02:48 (GMT-0300) Auto-Detected
> Subject: Re: [CentOS] Forward http traffic
>
> On 8/1/2014 11:54 am, Antonio da Silva Martins Junior wrote:
> 
> > Well, I had only used with a "range". Maybe you can take a look on a
> > software load-balancer, like haproxy, or use something like nginx.
> > Then forward to the load-balancer instead to the servers.
> 
> Thanks,
> 
> Actually, I don't want load balancing; I want incoming http traffic
> (to port 8080) to be forwarded to *ALL* defined target IP addresses.
> 

Well,

Maybe if you can explain more what you want. If you forward this to
*ALL* servers, all will answer the request, and then from what server you
will send the answer to the client? If the software uses some session control,
how will it be done? As each server can create a unique session control.

Sorry, but I didn't understand what you are trying to do :D

Antonio.

-- 
Antonio da Silva Martins Jr. 
Support Analyst
NPD - Núcleo de Processamento de Dados
UEM - Universidade Estadual de Maringá
email: asmart...@uem.br 
phone: +55 (44) 3011-4015 / 3011-4411
inoc-dba: 263076*100 

 "Real Programmers don’t need comments — the code is obvious."

-- 
This message was checked by the antivirus system and
 is believed to be free of danger.



Re: [CentOS] Forward http traffic

2014-01-08 Thread Nikolaos Milas
On 8/1/2014 11:54 am, Antonio da Silva Martins Junior wrote:

> Well, I had only used with a "range". Maybe you can take a look on a
> software load-balancer, like haproxy, or use something like nginx. Then
> forward to the load-balancer instead to the servers.

Thanks,

Actually, I don't want load balancing; I want incoming http traffic (to 
port 8080) to be forwarded to *ALL* defined target IP addresses.

...But I still don't know if this is possible with iptables. I hope 
someone here can provide more info.

I am not sure if haproxy or nginx can be used to simply forward all 
inbound traffic to a number of public IP addresses (anywhere on the 
Internet) at the same time, as this is a very special scenario: it is 
different both from a forward proxy and from a reverse proxy (with or 
without load-balancing), which is usually implemented with such 
software. If, however, it is feasible, I would be interested to know 
which is the directive for this feature in the respective software (so I 
can investigate further).

Best regards,
Nick


Re: [CentOS] Forward http traffic

2014-01-08 Thread Antonio da Silva Martins Junior

- "Nikolaos Milas"  wrote:

> From: "Nikolaos Milas" 
> To: "CentOS mailing list" 
> Sent: Wednesday, 8 January 2014 6:43:16 (GMT-0300) Auto-Detected
> Subject: Re: [CentOS] Forward http traffic
>
> On 7/1/2014 6:19 pm, Antonio da Silva Martins Junior wrote:
> 
> > If you put it that way only xxx will receive packets, to balance
> between both of them
> > you will need this:
> >
> > -A PREROUTING -s 10.250.250.0/24 -p tcp -m tcp --dport 8080 -j DNAT
> > --to-destination xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy:80
> 
> Thank you,
> 
> According to "man iptables", this defines an inclusive *range*. Yet, I
> don't want a range, but two (or more) distinct ip addresses. How can
> this be done?
> 

Humm...

   Well, I had only used it with a "range". Maybe you can take a look at a 
software load-balancer, like haproxy, or use something like nginx. Then 
forward to the load-balancer instead of to the servers.

   Regards,

   Antonio.



Re: [CentOS] Forward http traffic

2014-01-08 Thread Nikolaos Milas
On 7/1/2014 6:19 pm, Antonio da Silva Martins Junior wrote:

> If you put it that way only xxx will receive packets, to balance between 
> both of them
> you will need this:
>
> -A PREROUTING -s 10.250.250.0/24 -p tcp -m tcp --dport 8080 -j DNAT
> --to-destination xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy:80

Thank you,

According to "man iptables", this defines an inclusive *range*. Yet, I 
don't want a range, but two (or more) distinct ip addresses. How can 
this be done?

Thanks,
Nick


Re: [CentOS] Forward http traffic

2014-01-07 Thread Antonio da Silva Martins Junior

- "Nikolaos Milas"  wrote:

> From: "Nikolaos Milas" 
> To: centos@centos.org
> Sent: Tuesday, 7 January 2014 10:28:33 (GMT-0300) Auto-Detected
> Subject: [CentOS] Forward http traffic
>
> Hello,
> 
> On CentOS 6.5 x86_64 I have (/etc/sysconfig/iptables):
> 
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -s 10.10.10.0/24 -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -s 10.10.10.0/24 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> 
> Now, I want to forward all http traffic coming in from 10.250.250.0/24,
> at local port 8080, to 2 particular IP Addresses (port 80). Is it enough
> to prepend (to the above) the following:
> 
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT 
> --to-destination xxx.xxx.xxx.xxx:80
> -A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT 
> --to-destination yyy.yyy.yyy.yyy:80
> COMMIT
> 
> ...?
> 
> Please advise!
> 
> Thanks in advance,
> Nick


Hi Nick,

   If you put it that way only xxx will receive packets; to balance between both 
of them you will need this:

-A PREROUTING -s 10.250.250.0/24 -p tcp -m tcp --dport 8080 -j DNAT 
--to-destination xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy:80

   Hope this helps,

   Regards,

Antonio.



Re: [CentOS] Forward http traffic

2014-01-07 Thread Leon Fauster
On 07.01.2014 at 15:01, Vipul Agarwal wrote:
> On Tue, Jan 7, 2014 at 12:28 PM, Nikolaos Milas  wrote:
> 
>> Hello,
>> 
>> On CentOS 6.5 x86_64 I have (/etc/sysconfig/iptables):
>> 
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> :RH-Firewall-1-INPUT - [0:0]
>> -A INPUT -j RH-Firewall-1-INPUT
>> -A FORWARD -j RH-Firewall-1-INPUT
>> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
>> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A RH-Firewall-1-INPUT -m state --state NEW -s 10.10.10.0/24 -m tcp -p
>> tcp --dport 22 -j ACCEPT
>> -A RH-Firewall-1-INPUT -s 10.10.10.0/24 -m state --state NEW -m tcp -p
>> tcp --dport 80 -j ACCEPT
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>> COMMIT
>> 
>> Now, I want to forward all http traffic coming in from 10.250.250.0/24,
>> at local port 8080, to 2 particular IP Addresses (port 80). Is it enough
>> to prepend (to the above) the following:
>> 
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT
>> --to-destination xxx.xxx.xxx.xxx:80
>> -A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT
>> --to-destination yyy.yyy.yyy.yyy:80


What are the criteria to distinguish the packets for xxx and yyy?

--
LF



Re: [CentOS] Forward http traffic

2014-01-07 Thread Vipul Agarwal
On Tue, Jan 7, 2014 at 12:28 PM, Nikolaos Milas  wrote:

> Hello,
>
> On CentOS 6.5 x86_64 I have (/etc/sysconfig/iptables):
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -s 10.10.10.0/24 -m tcp -p
> tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -s 10.10.10.0/24 -m state --state NEW -m tcp -p
> tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
> Now, I want to forward all http traffic coming in from 10.250.250.0/24,
> at local port 8080, to 2 particular IP Addresses (port 80). Is it enough
> to prepend (to the above) the following:
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT
> --to-destination xxx.xxx.xxx.xxx:80
> -A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT
> --to-destination yyy.yyy.yyy.yyy:80
> COMMIT
>
> ...?
>
> Please advise!
>
> Thanks in advance,
> Nick

Hi Nick, you need to MASQUERADE the packets in the POSTROUTING chain.
Something like the following:

$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

I'm just not sure if forwarding the packets to two separate hosts
will work.
I haven't tried that myself. It'll be good to know if this works for you.

Many thanks
-Vipul


[CentOS] Forward http traffic

2014-01-07 Thread Nikolaos Milas
Hello,

On CentOS 6.5 x86_64 I have (/etc/sysconfig/iptables):

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -s 10.10.10.0/24 -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.10.10.0/24 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Now, I want to forward all http traffic coming in from 10.250.250.0/24, 
at local port 8080, to 2 particular IP Addresses (port 80). Is it enough 
to prepend (to the above) the following:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
-A PREROUTING -s 10.250.250.0/24 -p tcp --dport 8080 -j DNAT --to-destination yyy.yyy.yyy.yyy:80
COMMIT

...?

Please advise!

Thanks in advance,
Nick
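As an added example (not code from the thread), this script assembles the ruleset the replies converge on: one outside port per backend as Darr247 suggests, MASQUERADE in POSTROUTING as Vipul suggests, and explicit FORWARD accepts, because the FORWARD chain in the original ruleset jumps straight into RH-Firewall-1-INPUT, which only accepts new connections from 10.10.10.0/24 and would reject the DNATed flows from 10.250.250.0/24. The backend addresses (192.0.2.x documentation range), the interface name and the port list are constructed placeholders; the script prints the iptables commands instead of running them so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables commands for
# "one outside port per backend" DNAT with the matching FORWARD and
# POSTROUTING rules. Nothing is applied; the output is meant for review.

CLIENT_NET="10.250.250.0/24"   # subnet allowed to use the forwarder (from the thread)
WAN_IF="eth0"                  # placeholder: interface facing the backends
# Constructed placeholders: outside_port=backend_ip, one pair per backend.
BACKENDS="8081=192.0.2.11 8082=192.0.2.12 8083=192.0.2.13"

# Print the DNAT rule and the FORWARD accept for one port=backend pair.
forward_rules() {
    port="$1"; dest="$2"
    # nat table: rewrite the destination of new connections from CLIENT_NET.
    # Only the first matching DNAT rule fires, so each port maps to one backend.
    echo "iptables -t nat -A PREROUTING -s $CLIENT_NET -p tcp --dport $port -j DNAT --to-destination $dest:80"
    # filter table: -I puts the accept ahead of the jump to RH-Firewall-1-INPUT,
    # whose final REJECT would otherwise drop the rewritten flow.
    echo "iptables -I FORWARD -s $CLIENT_NET -d $dest -p tcp --dport 80 -m state --state NEW -j ACCEPT"
}

# Emit the complete ruleset for every port=backend pair.
build_ruleset() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Return traffic of accepted flows must also pass FORWARD.
    echo "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for pair in $BACKENDS; do
        forward_rules "${pair%%=*}" "${pair#*=}"
    done
    # Backends see the forwarder as the source, so replies come back through
    # it even when they have no route to CLIENT_NET; restrict SNAT to CLIENT_NET.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $CLIENT_NET -j MASQUERADE"
}

# Helper used to sanity-check the generated ruleset: number of DNAT rules.
count_dnat() { build_ruleset | grep -c -- '-j DNAT'; }

build_ruleset
```

Piping the output into `sh` applies it; saving it instead and comparing against `iptables-save` afterwards is the safer habit.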