Redirect traffic from one IP and port to another IP and port

Something very common when managing servers is redirecting traffic.

Suppose we have a server with certain services running, but for whatever reason we move one of those services (for example POP3, which is port 110) to another server. The normal and most common thing would be to simply change the IP in the DNS record; however, anyone who was using the IP instead of the subdomain will be affected.

What to do? Simple: redirect the traffic that the server receives on that port to another server, on the same port.

How do we start redirecting traffic?

The first thing is that forwarding must be enabled on the server; for this we run the following:

echo "1" > /proc/sys/net/ipv4/ip_forward

All the commands shown in this tutorial must be executed with administrative privileges; I recommend running them directly as the root user.

You can also use this other command, in case the previous one doesn't work for you (it happened to me that way on a CentOS):

sysctl net.ipv4.ip_forward=1

Then we will restart the network:

service networking restart

In RPM distros like CentOS and others, it would be:

service network restart

Now we will move on to the important part: telling the server, through iptables, what to redirect:

iptables -t nat -A PREROUTING -p tcp --dport <receiving port> -j DNAT --to-destination <final ip>:<port on final ip>

That is, following the example I mentioned, suppose we want to redirect all the traffic that our server receives on port 110 to another server (say, 10.10.0.2), which will still receive that traffic on port 110 (it is the same service):

iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to-destination 10.10.0.2:110

The 10.10.0.2 server will see all the packets or requests as coming from the client's IP. If instead you want to masquerade the requests, that is, have the 2nd server see them arriving with the IP of the 1st server (the one on which we apply the redirection), you would also add this second line:

iptables -t nat -A POSTROUTING -j MASQUERADE

Some questions and answers

In the example I used the same port both times (110), but you can redirect traffic from one port to a different one without problems. For example, suppose I want to redirect traffic from port 80 to port 443 on another server; for this it would be:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.10.0.2:443

This is iptables, so you can use all the other parameters we already know. For example, if we only want to redirect traffic from a specific IP, we add -s … For example, I will redirect only the traffic that comes from 10.10.0.51:

iptables -t nat -A PREROUTING -p tcp -s 10.10.0.51 --dport 80 -j DNAT --to-destination 10.10.0.2:443

Or an entire network (/24):

iptables -t nat -A PREROUTING -p tcp -s 10.10.0.0/24 --dport 80 -j DNAT --to-destination 10.10.0.2:443

We can also specify the network interface with -i:

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination 10.10.0.2:443
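As an added example (not part of the original post), a small POSIX sh helper that builds the tutorial's rule pair as a dry run, validates the port and address before emitting anything, and limits MASQUERADE to the redirected flow rather than to all forwarded traffic, so other connections passing through the box keep the real client address in the backend's logs. The function names and the IPT variable are my own; the addresses and ports are the tutorial's.

```shell
# Added example, not from the original post. Helper names and IPT are mine.
# By default the rules are only printed; set IPT=iptables (as root) to apply.
IPT="${IPT:-echo iptables}"

# valid_port <n>: digits only, 1-65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 <addr>: four dotted octets, each 0-255
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# dnat_rule <listen port> <target ip> <target port> [extra match args...]
# Prints the PREROUTING rule; extras such as "-s 10.10.0.0/24" or "-i eth1"
# go before --dport, exactly as in the tutorial's variants.
dnat_rule() {
    [ $# -ge 3 ] || return 1
    lp=$1; tip=$2; tp=$3; shift 3
    valid_port "$lp" && valid_port "$tp" && valid_ipv4 "$tip" || return 1
    printf '%s\n' "-t nat -A PREROUTING -p tcp ${*:+$* }--dport $lp -j DNAT --to-destination $tip:$tp"
}

# masq_rule <target ip> <target port>: masquerade only the flow we DNAT,
# instead of the tutorial's bare POSTROUTING rule that rewrites everything.
masq_rule() {
    valid_ipv4 "$1" && valid_port "$2" || return 1
    printf '%s\n' "-t nat -A POSTROUTING -p tcp -d $1 --dport $2 -j MASQUERADE"
}

# apply_redirect <listen port> <target ip> <target port> [extra match args...]
# Enables forwarding and installs both rules; word-splitting $rule is intended.
apply_redirect() {
    rule=$(dnat_rule "$@") || { echo "apply_redirect: bad port or IP" >&2; return 1; }
    masq=$(masq_rule "$2" "$3")
    if [ "$IPT" = iptables ]; then sysctl -w net.ipv4.ip_forward=1; fi
    $IPT $rule
    $IPT $masq
}

apply_redirect 110 10.10.0.2 110                   # POP3, same port on both ends
apply_redirect 80 10.10.0.2 443 -s 10.10.0.0/24    # 80 -> 443, one subnet only
```

Run it once as-is to review the generated commands, then re-run with IPT=iptables to install them.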

The end!

As I said already, this is iptables: you can apply everything you already know so that the server does exactly what you want it to do 😉

Regards!

20 comments, leave yours

  1.   Iron said

    We can also do this from a firewall that allows port forwarding, right? (applying the corresponding rules).

    1.    KZKG ^ Gaara said

      Yes of course, in the end a firewall like Pfsense or others, use iptables from behind.

      1.    dhunter said

        To be exact, pfsense does not use iptables but pf, remember that it is a bsd inside.

        1.    KZKG ^ Gaara said

          Oh right, my bad!

  2.   Nicolas said

    Thank you very much for the tip 🙂

    I have a couple of doubts:
    1 - Is the change permanent? or is it lost when restarting the server?
    2 - I have multiple instances (say A, B, and C) on the same subnet. In instance A I apply the rule to route traffic to an external IP, and testing with curls from instances B and C, everything works wonders. The problem is that from instance A it doesn't work. I tried using both your ip and the loopback interface, and neither works:
    $ iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination xxxx:8080
    $ iptables -t nat -A PREROUTING -p tcp -i lo --dport 8080 -j DNAT --to-destination xxxx:8080

    $ curl ip-yyyy:8080/hello_world
    curl: (7) Failed to connect to ip-yyyy port 8080: Connection refused
    $ curl localhost:8080/hello_world
    curl: (7) Failed to connect to localhost port 8080: Connection refused

    Any idea what the problem may be?

    1.    KZKG ^ Gaara said

      Yes, the change is lost on reboot, you will have to use iptables-save & iptables-restore or something like that to avoid that.
      I didn't quite understand what you want to do, instance A?

      1.    Nicolas said

        I have a server that only supports connections from a particular ip (server A's), I cannot or want to add more ips to the whitelist (for scalability issues), so I want all traffic to the external server to go through said server (A).
        For a matter of practicality, I have global configurations that define which IP to use for each service, so in this case it is something like "everyone who wants to use the external service must use IP A"
        I successfully achieved this using the method in this article, but I run into the problem that when applying it, server A cannot access the service using its own ip (but all other servers do).
        So far the best I found was to add the mapping in server A's /etc/hosts file, pointing to the external ip, overriding the global setting.

  3.   braybaut said

    Very good, if I have another mail server, I could forward the traffic from port 143 from server1 to server2 and the emails will reach server2, right?

    regards

    1.    KZKG ^ Gaara said

      In theory yes, it works like this. Sure, you must have the mail server properly installed on server2 🙂

  4.   msx said

    The kind of posts we like to read, thanks!

  5.   Abraham Ibarra said

    Excellent article. I have a project I am working on and I wanted to ask you a question: there are industrial switches with a NAT function (I suppose they use iptables underneath) to translate an IP address without making changes to the equipment. An example: I have a server 10.10.2.1 that communicates with 10.10.2.X computers, and the switch is programmed so that a computer with address 192.168.2.4 is actually seen from the server as 10.10.2.5; it translated that IP address so that it is seen from the other computers with that address. I want to do it from a server with Ubuntu or another distribution; what would the iptables rules be?

  6.   Hip bone said

    Very good info thank you ^_^

  7.   yisus said

    Good afternoon.
    I have a problem trying to do a redirect. I explain:
    I have a proxy server in Ubuntu, with 2 network cards:
    eth0 = 192.168.1.1 is connected to the rest of the local network.
    eth1 = 192.168.2.2 is connected to the router.
    I need everything that comes through eth0 to go through eth1, and also through the proxy (I use Squid, whose default port is 3128), and I can't find the key in the IPTABLES configuration.
    I do not need restriction of any kind, only that a record remains in the log of the web addresses that are visited.

    I hope you can help me as it is quite a cumbersome task that has been worrying me for a couple of days.

    Thank you.

  8.   Gabriel said

    Friend, I am very new to other servers, I have no idea but I understand the subject and I learn quickly, my question is the following I have 2 servers serv_1 and serv_2 which I have connected to the same intranet, in these servers I have an owncloud set up, I would like to do the following:

    that a certain range of ips for example rangeip_1 when placing an access ip to the owncloud (ipowncloud) is directed towards the serv_1 and if it is another rangeip_2 placed the same ipowncloud is directed to the serv_2, this in order that the 2 servers are located in two different cities and the IP ranges are different but they are all on the same network, that would be the first part, the second would be clear is to synchronize these 2 servers so that they are mirrors or that they advise me this in order to optimize the width band, please, if you are going to explain to me how to do it step by step not to super programmer mode = (

  9.   Antonio Carrizosa said

    Hello, excuse me, I have a switch in charge of the communication of all the devices that make up my network, and after this a firewall and finally the Internet exit, what happens is that I would like the redirection to be given in the switch and does not have to reach the firewall unless the requested service is internet.

  10.   Juan said

    Using this method could you redirect HTTPS to HTTP?

  11.   but to you said

    Hi, maybe it's a bit late, but I wanted to ask you, how should I make squid not modify the client's IP when I want to connect to a web server on the same network?

  12.   lafat32 said

    Don't treat me bad for asking. Can this be done in Windows?

  13.   Martin said

    This information has been useful to me. As always, you guys can be trusted, when I can't find something in English I usually end up looking in Spanish, on those occasions I almost always come to this site. Thank you.

  14.   Seba said

    I have a 4G router that is a client of a network that I do not manage (obviously, I am a client)… this router is a gateway to that remote network through OpenVPN. In addition, said router fulfills the function of portforwarding to access port 80 of the server of one of those subnets in the field.

    This was the declaration that I had to put in the router as a firewall custom rule “-t nat -A POSTROUTING -j MASQUERADE”

    Thanks for the help!