How to redirect traffic to another machine in Linux

If you have ever handled the migration of a web service or a website from one server to another, you know how messy the experience can be. However, if you break the process up into clear steps and run constant checks, you can make it a little easier on yourself. One of the problems you might run into towards the end of the migration is the period when the website is running well in its new location but you still have to wait for the domain name to start resolving to the new server. You can either shut down your service until the DNS change has propagated, or you can set up your old server to forward all of its web traffic to the new one. Let’s take a look at how you can do that on a Linux machine using IPTables.

In case you didn’t already know, IPTables is the packet-filtering firewall that ships with most Linux distributions. It is an extremely useful tool and can do a lot more than plain firewalling, including network address translation (NAT), which is what we use here. In this exercise we will configure IPTables on the old Linux server to redirect all traffic arriving on port 80 (the default web server port) to the new server’s IP address, written as <new-server-ip> in the commands below. The first step is to allow the kernel to forward packets at all. Open a terminal window, log in as root and run the following command:

# echo 1 >/proc/sys/net/ipv4/ip_forward

The next step is to tell IPTables to redirect the traffic to the new server:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <new-server-ip>

Here’s where the IPTables magic happens. With the third and final step we tell IPTables to rewrite the origin of connections to the new server’s port 80 to appear to come from the old server.

# iptables -t nat -A POSTROUTING -p tcp -d <new-server-ip> --dport 80 -j MASQUERADE

The final step is required because the new server must send its replies back through the old server, not straight to the client. Without the MASQUERADE rule the new server would see the client’s real address as the source, answer it directly, and the client would drop the reply because it never spoke to the new server’s IP. The trade-off is that the new server’s web logs show every connection as originating from the old server rather than from the real clients. Two further points worth checking: the rules must be added with -A (append), and if the old server’s FORWARD chain has a DROP policy you also need FORWARD rules that accept the redirected connections.


19 thoughts on “How to redirect traffic to another machine in Linux”

  1. When I redirect the traffic this way, I need to make sure that the new/destination server has DNS zones updated and not containing the old/source server IPs, right? Or will it work (show the website) even if I do not update the IP on the destination server and the zones contain the old server IP?

  2. Is it possible to add two more lines, to keep the redirection of my network cards, proxy to do?
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j DROP

    Please help me!!!!!

  3. Here’s the correct one for Debian:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination <new-server-ip>

    iptables -t nat -A POSTROUTING -p tcp -d <new-server-ip> --dport 80 -j MASQUERADE

  4. It works great.. I spent some time trying around this... But the syntax must be “A” for Append instead of “D” for Delete.. change that and that’s OK...
    If you want to permanently set packet forwarding in the kernel you can change the /etc/sysctl.conf file.. uncomment the line and that’s all..
    If you are using a Debian-like distro, you’ll see there’s no firewall by default, so don’t put the command in the firewall.user file...
    try a script instead for that..

  5. Considering the conflicting comments on this item, I cannot determine the correct syntax. This “important” page therefore needs to be updated.

  6. Great!!
    Also you can change destination port using (in step 2):

  7. Pingback: Redirigiendo tráfico | Bosque Viejo

  8. Pingback: Redirecting IP traffic to new server with Apache/Centos LAMP set up - Admins Goodies

  9. Pingback: ubuntu forward port to another machine - Admins Goodies

  10. Pingback: How to redirect traffic to another machine in Linux « Linux T&T

  11. Explanations around step 3 are a bit confused, but the commands work (you have to replace “-D” with “-A”, as mentioned).

    It may be useful to mention that “MASQUERADE” simply means “use the IP currently associated to the network interface”. It is useful if the server has a dynamic IP.

    In case the server has a fixed IP, specifying the IP address explicitly is faster (no need to query the IP of the system each time a packet comes in), thus the alternative step 3:

    # iptables -t nat -A POSTROUTING -p tcp -d <new-server-ip> --dport 80 -j SNAT --to 'server_ip'

    Thanks for the initial post.

  12. Thanks, I googled a lot before finding your post, without success.
    That does exactly what I want.
    However, there is a typo:
    “iptables -t nat -D PREROUTING” should read “iptables -t nat -A PREROUTING”
