iptables problem with port translation

Issues related to configuring your network
jblumenkrantz
Posts: 2
Joined: 2007/10/30 18:44:29

iptables problem with port translation

Post by jblumenkrantz » 2007/10/30 19:10:17

I'm having a very strange intermittent problem getting iptables to work performing port address translation. I'm running a Tomcat web server on my server on a non-privileged port and trying to redirect traffic from ports 80 and 443 to ports 8080 and 8443 respectively on a virtual IP address:

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dst #{ip} --dport 80 -j DNAT --to-destination #{ip}:8080
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 --dst #{ip} --dport 443 -j DNAT --to-destination #{ip}:8443

Generally speaking, everything works fine, unless I'm trying to download large files (1 MB+ in size), and then the connection will freeze up from both the client's and server's perspective (both think the connection is established, but all TCP traffic has ceased). This does not happen every time, or at the same point in the download, but it only happens when iptables is performing the PAT; if I run Tomcat as root and bind directly to 80 and 443 then the problem never occurs. I've also noticed that it's less likely to occur while I'm running tcpdump to monitor the traffic; this may be making the root cause less likely to trigger. I've also observed via tcpdump that the client does notice the pause and attempts to send TCP resets, but the server has "gone quiet" at this point. The server is running CentOS 4.4 with iptables 1.3.5. Anyone have any ideas what might be causing the connection problems or how I can track this down?

Thanks in advance,
Jason Blumenkrantz
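The rules from this post, reworked as an added example (this is not the poster's script or anything from the thread): a small POSIX sh helper that prints, per virtual IP, the DNAT rules for 80->8080 and 443->8443, matching on the address with -d rather than on an interface alias, and also the nat OUTPUT rule needed for connections originated on the host itself (loopback traffic never passes PREROUTING). It also prints a LOG rule for packets that connection tracking classifies as INVALID, which is one check worth running on a stalled DNAT'd transfer, because the nat table only rewrites the first packet of a tracked connection and anything conntrack rejects reaches INPUT untranslated. Nothing here asserts that this is the cause of the stall described above. The addresses, the log prefix "DNAT-INVALID " and the sample log lines are constructed for the example; Tomcat is assumed to listen on 8080/8443 on every virtual IP.

```shell
#!/bin/sh
# Added example for this thread (not the poster's script): generate per-virtual-IP
# DNAT rules for 80->8080 and 443->8443, plus a LOG rule for packets that
# conntrack classifies as INVALID, and a small parser for the resulting kernel
# log lines.  Assumptions: Tomcat listens on 8080/8443 on every virtual IP;
# the log prefix "DNAT-INVALID " and all addresses below are made up.

IPT="${IPT:-/sbin/iptables}"

# Print the NAT rules for one virtual IP without applying them.
# Match on the address (-d) and not on an alias like "-i eth0:0": iptables only
# sees the parent device, so "-i eth0" would match every alias on eth0.
dnat_rules() {
    vip="$1"
    for pair in 80:8080 443:8443; do
        from="${pair%%:*}"
        to="${pair##*:}"
        # Connections arriving from the network.
        echo "$IPT -t nat -A PREROUTING -p tcp -d $vip --dport $from -j DNAT --to-destination $vip:$to"
        # Connections originated on this host (e.g. over lo) never pass
        # PREROUTING, so the same translation is needed in the nat OUTPUT chain.
        echo "$IPT -t nat -A OUTPUT -p tcp -d $vip --dport $from -j DNAT --to-destination $vip:$to"
    done
}

# Log packets the connection tracker rejects as INVALID.  The nat table only
# translates the first packet of a tracked connection; later packets rely on
# the conntrack entry, so a packet logged here reached INPUT untranslated.
invalid_log_rule() {
    echo "$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix 'DNAT-INVALID ' --log-level 4"
}

# Count logged INVALID packets addressed to one virtual IP, reading kernel log
# lines (LOG target format) on stdin.
count_invalid() {
    vip="$1"
    awk -v vip="$vip" '
        /DNAT-INVALID / {
            for (i = 1; i <= NF; i++)
                if ($i == ("DST=" vip)) { n++; break }
        }
        END { print n + 0 }'
}

# Constructed sample log: two hits for 192.168.0.2, one for 192.168.0.3 and one
# unrelated line.  Note DPT=80: the logged packet was not rewritten to 8080.
SAMPLE_LOG='Nov  9 16:20:01 web1 kernel: DNAT-INVALID IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.2 LEN=52 PROTO=TCP SPT=50123 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Nov  9 16:20:01 web1 kernel: DNAT-INVALID IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.0.2 LEN=52 PROTO=TCP SPT=50123 DPT=80 WINDOW=0 RES=0x00 ACK URGP=0
Nov  9 16:20:03 web1 kernel: DNAT-INVALID IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.0.3 LEN=52 PROTO=TCP SPT=41000 DPT=443 WINDOW=0 RES=0x00 ACK URGP=0
Nov  9 16:20:04 web1 kernel: eth0: link is up'

# Run the parser over the constructed sample for one virtual IP.
demo_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_invalid "$1"
}

# Usage:  sh dnat-rules.sh show 192.168.0.2 | sh     (apply as root)
#         sh dnat-rules.sh count 192.168.0.2         (parse the sample)
case "${1:-}" in
    show)  dnat_rules "$2"; invalid_log_rule ;;
    count) demo_count "$2" ;;
esac
```

On a live system the real log lines come from dmesg or /var/log/messages; pipe them into count_invalid instead of the constructed sample, one virtual IP at a time, and compare the timestamps of any hits with the moment a download stalled.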

yyagol
Posts: 1015
Joined: 2006/06/10 18:27:44
Location: 32 4′N 34 47′E

iptables problem with port translation

Post by yyagol » 2007/11/07 06:12:47

Let's say your machine's IP is 192.168.0.2 and you want to redirect all traffic on port 80 to port 8080,
where Tomcat is listening. You can do it with a couple of simple lines like this:

[code]iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:8080
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.0.2:8443[/code]
I've got this running on 10 servers and never had any problems downloading or uploading
any amount of data. Try to keep iptables simple and redirect all traffic on ports 80 and 443 (including the lo device).

jblumenkrantz
Posts: 2
Joined: 2007/10/30 18:44:29

Re: iptables problem with port translation

Post by jblumenkrantz » 2007/11/09 16:22:44

Unfortunately that isn't an option: I'm running multiple Tomcat instances on multiple virtual IP addresses on the same physical machine, so I do need to distinguish between the addresses.
Thanks,
Jason

yyagol
Posts: 1015
Joined: 2006/06/10 18:27:44
Location: 32 4′N 34 47′E

Re: iptables problem with port translation

Post by yyagol » 2007/11/10 11:51:24

As far as I know, you can set one Tomcat to serve many vhosts.
If you are using a virtual interface, iptables will refer to the parent interface;
you cannot use an interface alias in a chain rule with iptables!
So you can try to remove the interface match and just keep the -d address:

[code]iptables -t nat -A PREROUTING -p tcp -d 192.168.0.2 --dport 80 -j DNAT --to-destination 192.168.0.2:8080[/code]


Return to “CentOS 4 - Networking Support”