I want to make a system that has a few subdomains. I set each subdomain to an IP address using DNS.
I used random IP addresses for the question
165.93.198.34 x.mydomain.com (Which is actually 165.93.198.220:8080)
165.93.198.38 z.mydomain.com (Which is actually 165.93.198.220:81)
165.93.198.44 c.mydomain.com (Which is actually 165.93.198.220:443)
165.93.198.220 mydomain.com
Using iptables, when a request comes to IP address 165.93.198.34, I want it to be answered from 165.93.198.220:8080:
iptables -t nat -A PREROUTING -p tcp -d 165.93.198.34 --jump DNAT --to-destination 165.93.198.220:8080
But I couldn't make the prerouting work.
[root@static ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:down
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:webcache
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:81
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@static ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere 165.93.198.34-iprovider.com to:165.93.198.220:8080
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
What am I doing wrong?
If your target IP (165.93.198.220) is another system in the network, add an ACCEPT rule in the FORWARD chain like this:
iptables -A FORWARD -p tcp -d 165.93.198.220 --dport 8080 -j ACCEPT
Also check whether IP forwarding is enabled:
sysctl net.ipv4.ip_forward
If it is not set to 1, enable it on the fly with:
sysctl -w net.ipv4.ip_forward=1
or
echo 1 > /proc/sys/net/ipv4/ip_forward
To make it persistent across reboots, edit /etc/sysctl.conf and add the line:
net.ipv4.ip_forward = 1
If your target IP (165.93.198.220) is on the local machine, add an ACCEPT rule in the INPUT chain like this:
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
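The following script is an added example, not code from the question or the answer above. It generates the nat and filter rules for the three alias-to-port mappings the question lists, so the whole set can be reviewed before it is applied. Three things in it are my own choices rather than anything the post states: the DNAT rules carry `--dport 80`, because the rule in the question has no port match and therefore redirects every TCP port on 165.93.198.34 (SSH included) to 8080; the ACCEPT rules are inserted with `-I` rather than appended with `-A`, because the `iptables -L` listing shows both INPUT and FORWARD ending in a `REJECT all` rule, and an ACCEPT appended after that REJECT is never reached; and the ACCEPT rules are limited with `-m conntrack --ctstate DNAT` so only translated connections are let through. The `forwarding_enabled` helper takes an optional file argument (assumed, for testing) and otherwise reads the real `ip_forward` sysctl.

```shell
#!/bin/sh
# Added example (not from the original post): build the iptables rules that
# map each alias IP to a backend host:port as described in the question.
#
# Mapping taken from the question: alias_ip backend_ip backend_port
MAPPINGS="
165.93.198.34 165.93.198.220 8080
165.93.198.38 165.93.198.220 81
165.93.198.44 165.93.198.220 443
"

# Emit one DNAT rule per mapping for the nat/PREROUTING chain.
# --dport 80 is an addition: the rule in the question has no port match and
# would redirect every TCP port on the alias address, not only HTTP.
nat_rules() {
    echo "$MAPPINGS" | while read -r alias backend port; do
        [ -n "$alias" ] || continue
        printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport 80 -j DNAT --to-destination %s:%s\n' \
            "$alias" "$backend" "$port"
    done
}

# Emit the filter rules that let the translated packets through.
# $1 = local  : backend is this host, packets traverse INPUT
# $1 = remote : backend is another host, packets traverse FORWARD
# -I (insert at top) rather than -A, because the chains in the question end
# in "REJECT all"; an ACCEPT appended after that REJECT would never match.
# --ctstate DNAT restricts the ACCEPT to connections that were actually
# translated by the PREROUTING rule.
filter_rules() {
    mode=$1
    echo "$MAPPINGS" | while read -r alias backend port; do
        [ -n "$alias" ] || continue
        if [ "$mode" = local ]; then
            chain=INPUT
        else
            chain=FORWARD
        fi
        printf 'iptables -I %s -p tcp -d %s --dport %s -m conntrack --ctstate DNAT -j ACCEPT\n' \
            "$chain" "$backend" "$port"
    done
}

# Return 0 when IPv4 forwarding is on. The optional file argument is an
# assumption added for testing; by default the real sysctl file is read.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Usage: sh alias-dnat.sh local|remote          print the rules
#        sh alias-dnat.sh local|remote apply    run them (as root)
case "${1:-}" in
    local|remote)
        if [ "$1" = remote ] && ! forwarding_enabled; then
            echo "warning: net.ipv4.ip_forward is 0; forwarded DNAT will not work" >&2
        fi
        if [ "${2:-}" = apply ]; then
            { nat_rules; filter_rules "$1"; } | sh -e
        else
            nat_rules
            filter_rules "$1"
        fi
        ;;
esac
```

After applying the rules, `iptables -t nat -L PREROUTING -n -v` shows a packet counter per DNAT rule (`-n` also stops the reverse-DNS lookup that turned 165.93.198.34 into `165.93.198.34-iprovider.com` in the question's listing). If that counter stays at zero while you connect to the alias address, the packets never reach this host at all, which points at the alias IP not being configured on an interface or routed to the machine rather than at the iptables rules.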