Networking Forums

iptables problem with port translation

jblumenkrantz@gmail.com

      10-30-2007, 06:08 PM
I'm having a very strange intermittent problem getting iptables to
work performing port address translation. I'm running a Tomcat web
server on my server on a non-privileged port and trying to redirect
traffic from ports 80 and 443 to ports 8080 and 8443 respectively on
a virtual IP address:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dst #{ip} --dport 80 -j DNAT --to-destination #{ip}:8080
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dst #{ip} --dport 443 -j DNAT --to-destination #{ip}:8443

Generally speaking, everything works fine, unless I'm trying to
download large files (1MB+ in size), and then the connection will
freeze up from both the client's and server's perspective (both think
the connection is established, but all TCP traffic has ceased). This
does not happen every time, or at the same point in the download, but
it only happens when iptables is performing the PAT; if I run Tomcat
as root and bind directly to 80 and 443 then the problem never occurs.
I've also noticed that it's less likely to occur while I'm running
tcpdump to monitor the traffic; this may be making the root cause less
likely to trigger. I've also observed via tcpdump that the client does
notice the pause and attempts to send TCP resets, but the server has
"gone quiet" at this point. The server is running CentOS 4.4 with
iptables 1.3.5. Anyone have any ideas what might be causing the
connection problems or how I can track this down?

Thanks in advance,
Jason Blumenkrantz

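As an added diagnostic for the symptom Jason describes (client still acking and eventually resetting, server silent), and not code from this thread: the script below parses "tcpdump -n -tt" style lines and reports flows whose client kept sending for more than a chosen quiet period after the server's last packet. The trace is constructed; the line format assumed is what tcpdump prints for TCP packets with -n -tt (epoch timestamps), and the server side is identified by the pre-DNAT port 80/443 seen on eth0.

```python
import re
from collections import defaultdict

# Constructed tcpdump -n -tt lines: one download that stalls (client keeps acking,
# then resets; server goes quiet) and one healthy request that closes normally.
SAMPLE_TRACE = """\
1193771000.001 IP 192.0.2.10.80 > 10.0.0.5.51000: Flags [S.], seq 9, ack 2, length 0
1193771000.003 IP 10.0.0.5.51000 > 192.0.2.10.80: Flags [P.], seq 2:120, ack 10, length 118
1193771000.010 IP 192.0.2.10.80 > 10.0.0.5.51000: Flags [.], seq 10:1458, ack 120, length 1448
1193771000.011 IP 192.0.2.10.80 > 10.0.0.5.51000: Flags [P.], seq 1458:2906, ack 120, length 1448
1193771000.030 IP 10.0.0.5.51000 > 192.0.2.10.80: Flags [.], ack 2906, length 0
1193771030.500 IP 10.0.0.5.51000 > 192.0.2.10.80: Flags [.], ack 2906, length 0
1193771061.000 IP 10.0.0.5.51000 > 192.0.2.10.80: Flags [R.], seq 120, ack 2906, length 0
1193771000.101 IP 192.0.2.10.80 > 10.0.0.7.40000: Flags [S.], seq 5, ack 2, length 0
1193771000.110 IP 192.0.2.10.80 > 10.0.0.7.40000: Flags [FP.], seq 6:600, ack 90, length 594
1193771000.120 IP 10.0.0.7.40000 > 192.0.2.10.80: Flags [F.], seq 90, ack 601, length 0
1193771000.121 IP 192.0.2.10.80 > 10.0.0.7.40000: Flags [.], ack 91, length 0
"""

LINE_RE = re.compile(r"^(\d+\.\d+) IP (\S+) > (\S+): Flags \[([^\]]*)\],.*length (\d+)$")

def parse_line(line):
    """Return (ts, src, dst, flags) for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    return None if m is None else (float(m.group(1)), m.group(2), m.group(3), m.group(4))

def find_stalls(trace, quiet_after=5.0, server_ports=(80, 443)):
    """Flows where the client kept sending >= quiet_after seconds after the server's last packet."""
    pkts = sorted(p for p in map(parse_line, trace.splitlines()) if p)
    flows = defaultdict(lambda: {"last_server": None, "last_client": None, "client_rst": False})
    for ts, src, dst, flags in pkts:
        sport, dport = int(src.rsplit(".", 1)[1]), int(dst.rsplit(".", 1)[1])
        if dport in server_ports:            # client -> server (pre-DNAT port as seen on eth0)
            f = flows[(src, dst)]
            f["last_client"] = ts
            f["client_rst"] = f["client_rst"] or "R" in flags
        elif sport in server_ports:          # server -> client: server spoke again, no stall yet
            f = flows[(dst, src)]
            f["last_server"], f["client_rst"] = ts, False
    stalls = []
    for (client, server), f in flows.items():
        if f["last_server"] is None or f["last_client"] is None:
            continue
        gap = f["last_client"] - f["last_server"]
        if gap >= quiet_after:
            stalls.append({"client": client, "server": server,
                           "quiet_seconds": round(gap, 3), "client_rst": f["client_rst"]})
    return stalls
```

Run it against a real capture (tcpdump -n -tt -i eth0 port 80 or port 443) to list which connections went quiet on the server side and whether the client reset them, which narrows the stall down to specific flows before digging into the NAT side.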
आशीष Ashish
      10-31-2007, 06:11 PM
(E-Mail Removed) wrote:

[...]

>
> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dst #{ip} --dport 80 -j DNAT --to-destination #{ip}:8080
> /sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dst #{ip} --dport 443 -j DNAT --to-destination #{ip}:8443
>


I've not tried your rules, but what about REDIRECTing instead of DNATing, hmm...

--
Ashish Shukla
http://wahjava.wordpress.com/
jblumenkrantz@gmail.com
      10-31-2007, 07:46 PM
If I REDIRECT instead of DNAT then I'd be taken to the primary address
rather than the virtual IP I have bound, so that unfortunately isn't
an option.
Thanks,
Jason
