Redirect outbound traffic with IPTABLEs

Hello All,

From what I have read, I can see that what I want to do is possible,
but not quite sure how to implement it.

I want to route all outbound HTTP traffic on 8080 and HTTPS 8443 to
192.168.15.113 gateway (load balancer) and all other traffic to
192.168.15.1.

What rules would I create and can yout ell me briefly why you shose the
options you did. I cannot determine why I would use PREROUTING along
with DNAT, or whatever.

Thanks in advance.

On 2006-05-01, TravisT <(E-Mail Removed)> wrote:
> I want to route all outbound HTTP traffic on 8080 and HTTPS 8443 to
> 192.168.15.113 gateway (load balancer) and all other traffic to
> 192.168.15.1.

Outbound? So, traffic that came from your machine, towards external
IPs?

(very quickly and without too much checking):

iptables -a PREROUTING -o <yourexternalinterfacehere> --dport 8080 \
--to 192.168.15.113
iptables -a PREROUTING -o <yourexternalinterfacehere> --dport 8443 \
--to 192.168.15.1

> I cannot determine why I would use PREROUTING along
> with DNAT, or whatever.

Because that's the way to do it.

Davide

--
Sanity is like money; you should just have enough to get by. Any more
and you turn into a freak. --rone

Davide Bianchi wrote:
> On 2006-05-01, TravisT <(E-Mail Removed)> wrote:
> > I want to route all outbound HTTP traffic on 8080 and HTTPS 8443 to
> > 192.168.15.113 gateway (load balancer) and all other traffic to
> > 192.168.15.1.
>
> Outbound? So, traffic that came from your machine, towards external
> IPs?
>
> (very quickly and without too much checking):
>
> iptables -a PREROUTING -o <yourexternalinterfacehere> --dport 8080 \
> --to 192.168.15.113
> iptables -a PREROUTING -o <yourexternalinterfacehere> --dport 8443 \
> --to 192.168.15.1
>

There are numerous syntax errors hwere that I was not able to resolve.

I changesthe -a to a -A and I can;t use --dport unless I specify -p
tcp, but I think there is more missing. Still won't work.


> > I cannot determine why I would use PREROUTING along
> > with DNAT, or whatever.
>
> Because that's the way to do it.
>
> Davide
>
> --
> Sanity is like money; you should just have enough to get by. Any more
> and you turn into a freak. --rone

On 1 May 2006 11:40:15 -0700, "TravisT" <(E-Mail Removed)> wrote:

>
>Davide Bianchi wrote:
>> On 2006-05-01, TravisT <(E-Mail Removed)> wrote:
>> > I want to route all outbound HTTP traffic on 8080 and HTTPS 8443 to
>> > 192.168.15.113 gateway (load balancer) and all other traffic to
>> > 192.168.15.1.
>>
>> Outbound? So, traffic that came from your machine, towards external
>> IPs?
>>
>> (very quickly and without too much checking):
>>
>> iptables -a PREROUTING -o <yourexternalinterfacehere> --dport 8080 \
>> --to 192.168.15.113
>> iptables -a PREROUTING -o <yourexternalinterfacehere> --dport 8443 \
>> --to 192.168.15.1
>>
>
>There are numerous syntax errors hwere that I was not able to resolve.

iptables -t nat -A PREROUTING ...

Grant.
--
Memory fault -- brain fried

In article <(E-Mail Removed) >,
Davide Bianchi <(E-Mail Removed)> wrote:
:On 2006-05-01, TravisT <(E-Mail Removed)> wrote:
:> I want to route all outbound HTTP traffic on 8080 and HTTPS 8443 to
:> 192.168.15.113 gateway (load balancer) and all other traffic to
:> 192.168.15.1.
:
:Outbound? So, traffic that came from your machine, towards external
:IPs?
:
very quickly and without too much checking):
:
:iptables -a PREROUTING -o <yourexternalinterfacehere> --dport 8080 \
: --to 192.168.15.113
:iptables -a PREROUTING -o <yourexternalinterfacehere> --dport 8443 \
: --to 192.168.15.1

Ummm, no. Unless I completely misunderstand his intent, the OP doesn't
want to change the destination address, just the outgoing gateway.
That's a job for Policy Routing, not iptables. See the manpage for the
"ip" command. You're probably going to need help that I don't have
enough knowledge to give. A Google search for

linux "policy routing"

yields a lot leads. Here's one that looks promising:

http://www.linux.com/howtos/Adv-Rout...rtc.rpdb.shtml

--
Bob Nichols AT comcast.net I am "RNichols42"

No, I am only changing the gateay for certain traffic. What was said
above I finally got to work.