Garak: Created page with "While doing a server migration, it happens that some traffic still go to the old machine because the DNS servers are not yet synced or simply because some people are using the..."

2021-05-22T16:31:03Z

Created page with "While doing a server migration, it happens that some traffic still go to the old machine because the DNS servers are not yet synced or simply because some people are using the..."

New page

While doing a server migration, it happens that some traffic still go to the old machine because the DNS servers are not yet synced or simply because some people are using the IP address instead of the domain name....

By using iptables and its masquerade feature, it is possible to forward all traffic to the old server to the new IP.

This tutorial will show which command lines are required to make this possible.

In this article, it is assumed that you do not have iptables running, or at least no nat table rules for chain PREROUTING and POSTROUTING.

The first thing to do is do enable IP forwarding. This is done either by using:

echo "1" > /proc/sys/net/ipv4/ip_forward

or

sysctl net.ipv4.ip_forward=1

Then, we will add a rule telling to forward the traffic on port 1111 to ip 2.2.2.2 on port 1111:

iptables -t nat -A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111

and finally, we ask IPtables to masquerade:

iptables -t nat -A POSTROUTING -j MASQUERADE

Optionally, you could only redirect the traffic from a specific source/network with, for a host only:

iptables -t nat -A PREROUTING -s 192.168.1.1 -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111

or for a whole network

iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 1111 -j DNAT --to-destination 2.2.2.2:1111

that's it, now the traffic to port 1111 will be redirected to IP 2.2.2.2 .
If you go on host 2.2.2.2, you should see a lot of traffic coming from the host doing the redirection.

In order to disengage the port forwarding: this depends on each individual cases, but in a nutshell, you will need to run

iptables -t nat -L -n --line-numbers

and find the line that matches the rules you want to deletes. then

iptables -t nat -D ...

Like:

iptables -t nat -A PREROUTING -d 89.187.142.86 -p tcp --dport 80 -j DNAT --to-destination 185.18.28.37:80
iptables -t nat -A PREROUTING -d 89.187.142.86 -p tcp --dport 443 -j DNAT --to-destination 185.18.28.37:443

ZhoubaWiki:IpTablesPortForwarding - Revision history

Garak: Created page with "While doing a server migration, it happens that some traffic still go to the old machine because the DNS servers are not yet synced or simply because some people are using the..."