
I have a service set up that redirects after a successful login (Couchbase), but the IP it transfers to is a local one, which the client that is connecting cannot reach.

How can I set up iptables so that I can route traffic generated by the client itself to another port?

  • Client connects to server1
  • Server1 sends Client the IP to connect to (which is local to Server1, not Client)
  • Client gets redirected to 192.168.2.53:11210 (can't reach)
  • iptables routes all traffic that is sent to 192.168.2.53:11210 to outside_ip:11210

The HTTP service just returns an IP to connect to, thus 'redirecting' the Client, but not with an HTTP redirect.

I'm not comfortable with iptables, so I'm not eager to experiment with it, mess up and lose my SSH connection. I've seen some examples, but none of them seem to work or do exactly what I want.

WesleyE
  • Is the port always the same and is this TCP traffic? – DerfK Jul 12 '12 at 13:06
  • Can you clarify what's going on? If the client is getting an HTTP redirect to 192.168.2.53:11210, then there's nothing you can do, as the client is looking for a service on his local network. – cjc Jul 12 '12 at 13:07
  • @DerfK The port is always the same and indeed TCP traffic. – WesleyE Jul 12 '12 at 13:15
  • @cjc It is not an HTTP redirect; it simply gets a server to connect to from the HTTP service. But the IP it gets from the HTTP service is an internal IP which is not available. – WesleyE Jul 12 '12 at 13:17
  • How can you "get a server to connect to from the http service" without it being a redirect? Perhaps in the HTTP response body, but that's still not something you traditionally do with iptables. Try explaining to your web service that it should stop being a know-it-all and listen to what you have to say about its proper address. Or just stop using NAT. – womble Jul 12 '12 at 13:55
  • Sorry, I don't think I was clear enough: the HTTP service just returns an IP to connect to, thus 'redirecting' the Client, but not with an HTTP redirect. – WesleyE Jul 12 '12 at 14:02
  • So, when you say "Server1 sends Client the ip to connect to", do you mean that the server actually says "192.168.2.53:11210"? Why can't your server say "outside_ip:11210"? – cjc Jul 12 '12 at 14:09
  • I know this solution is not a final one, but I just want to continue developing while the guys at Couchbase give me a definite answer on how to fix the 'redirect'. The Client is a PHP lib that I don't know how to change, so there is no other way **for now** to get the right IP from the HTTP service. – WesleyE Jul 12 '12 at 14:12

1 Answer


If you cannot get the webservice to give a valid routable public IP address to the client, it's never going to work unless you write the client to ignore the IP address provided by the webservice. iptables cannot fix this (without writing a protocol inspection module like ip_masq_ftp, and then assuming you're not using SSL).

If you can get the webservice to give a proper public IP of a computer that has access to the internet and to the private network, then the simplest thing to do would be to have rinetd running on that machine, listening on the internet side and forwarding connections to the private side. For this to work, though, the port has to be consistent for the same IP: you can have multiple ports redirected, but incoming port 11210 always has to go to 192.168.2.53. You can redirect to a different port, so if you have ...53:11210 and ...54:11210, you can use :11211 to redirect to one of them, but the webservice will need to know this.

DerfK