iptables: IP alias and port forwarding

I can't figure out iptables and I don't know very much about networking and I'm really hoping that someone out there can help me.

I have a server with two ip addresses associated with it: 1.1.1.1 and 2.2.2.2

Running Ubuntu 10.04

Here is my ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:16:3e:xx:xx:xx  
          inet addr:1.1.1.1  Bcast:xxx.xxx.xxx.xxx  Mask:xxx.xxx.xxx.xxx
          inet6 addr: xxxxxxxxxxxxxxxxxxxxxxxx Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8601280 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2520243 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1736805563 (1.7 GB)  TX bytes:412953236 (412.9 MB)
          Interrupt:11 

eth0:0    Link encap:Ethernet  HWaddr 00:16:3e:xx:xx:xx  
          inet addr:2.2.2.2  Bcast:xxx.xxx.xxx.xxx  Mask:xxx.xxx.xxx.xxx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1216209 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1216209 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:13294196379 (13.2 GB)  TX bytes:13294196379 (13.2 GB)

Everything works fine: when I type 1.1.1.1 or 2.2.2.2 into the address bar of a browser, I get the default Apache2 page as expected.

Now, I have an application that runs in the browser which has a WebSocket connection over port 8000. I serve the page over port 80 (http) as usual using 1.1.1.1, and I have the WebSocket communicating behind the scenes with 2.2.2.2 over port 8000. Everything's fine.

Now I plug in my 3G modem which blocks port 8000. My WebSocket communication to 2.2.2.2 fails.

I want the WebSocket to communicate with 2.2.2.2 over port 80, but get the server to translate requests on 2.2.2.2:80 to 1.1.1.1:8000.

I found this: meteorserver dot org/installation/ (see section 6) but it didn't work ;( I also tried this: http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/ but it gave me the following error:

ubuntu> sudo iptables -t nat -A PREROUTING -i eth0:0 -p tcp --dport 80 -j REDIRECT --to-port 8000
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).

Apparently IP aliases aren't supported ;( I tried putting eth0:0 in quotes and it still wouldn't work.

I'm completely stumped.


You're on the right track. You don't have to specify the "alias" input interface. From an iptables perspective the input interface is still eth0, even if the destination IP address is 2.2.2.2. Try this way instead:

iptables -t nat -A PREROUTING -i eth0 -d 2.2.2.2 -p tcp --dport 80 -j REDIRECT --to-port 8000

That should do what you're looking for.

Edit:

You want "eth0" in that command-- not "eth0:0" (which isn't legal). The physical interface the packet is entering on is "eth0", which is all iptables is concerned about.

Unless the protocol you're using is UDP-based you don't need a corresponding "-p udp" entry.

To see what's in your "PREROUTING" chain now, do an iptables -t nat -L. You can delete individual entries from the chain by using the iptables -t nat -D PREROUTING x where "x" is the sequential count of the entry in the chain you want to delete (the first one is "1", the second is "2", etc) as displayed by iptables -t nat -L.


Don't match on the device name. Try just matching based on the IP

sudo iptables -t nat -A PREROUTING --destination 2.2.2.2 -p tcp --dport 80 -j REDIRECT --to-port 8000