How to redirect traffic to another machine in Linux

If you have ever handled the migration of a web service or a website from one server to another, you know how hectic the experience can be. However, if you break the process up into clear steps and run constant checks, you can make it a little easier on yourself. One of the problems you might run into towards the end of the migration is the period when the website is already running well in its new location but you still have to wait for the domain name to point at the new server. You can either shut down your service until the domain change has propagated, or you can set up your first server to forward all its traffic to the new server. Let’s take a look at how you can do that on a Linux machine using IPTables.

In case you didn’t already know, IPTables is a software firewall that ships with most distributions of Linux. It is an extremely useful piece of software and can be used for a lot more than just a firewall. In this exercise we will configure IPTables on a Linux server to redirect all the traffic arriving on port 80 (the default web server port) to a server with the IP 122.164.34.240. The first step is to set your Linux box to allow this kind of forwarding to take place. Open a terminal window, log in as root and run the following command:

# echo 1 > /proc/sys/net/ipv4/ip_forward

The next step is to tell IPTables to redirect the traffic to the new server:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 122.164.34.240

Here’s where the IPTables magic happens. With the third and final step we tell IPTables to rewrite the source address of the connections it forwards to the new server’s port 80, so that they appear to come from the old server.

# iptables -t nat -A POSTROUTING -p tcp -d 122.164.34.240 --dport 80 -j MASQUERADE

The final step is required because the new server must see the forwarded connections as coming from the old server. If it saw the client machines’ addresses instead, it would send its replies straight to the clients, which are expecting replies from the old server, and the connections would fail.
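As an added illustration (not part of the original post), the following Python model walks a request and its reply through the three rules above, with and without step 3. Only 122.164.34.240 comes from the post; the old server and client addresses are constructed, and source ports are left untouched (real MASQUERADE may remap them).

```python
# Added example: a minimal model of the NAT done by the post's three rules.
# It shows why step 3 is needed: without it the new server answers the client
# directly, from an address the client never contacted. The old-server and
# client addresses are constructed; only 122.164.34.240 is from the post.
from dataclasses import dataclass, replace

OLD_SERVER = "203.0.113.10"    # constructed: the old server's address
NEW_SERVER = "122.164.34.240"  # from the post
CLIENT = "198.51.100.7"        # constructed: a visitor's address

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def nat_on_old_server(pkt, conntrack, masquerade=True):
    """PREROUTING DNAT (step 2) plus optional POSTROUTING MASQUERADE (step 3)."""
    if pkt.dst != OLD_SERVER or pkt.dport != 80:
        return pkt                            # the rules only match port 80
    out = replace(pkt, dst=NEW_SERVER)        # -j DNAT --to-destination
    if masquerade:
        out = replace(out, src=OLD_SERVER)    # -j MASQUERADE
    # remember the translation so the reply can be mapped back to the client
    conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
    return out

def reverse_nat_on_old_server(reply, conntrack):
    """Undo the translation for a reply that comes back through the old server."""
    orig = conntrack.get((reply.src, reply.sport, reply.dst, reply.dport))
    if orig is None:
        return reply                          # no NAT state: left unchanged
    return Packet(orig.dst, orig.dport, orig.src, orig.sport)

def client_accepts(request, reply):
    """A TCP client only accepts a reply from the exact peer it addressed."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)

def simulate(masquerade):
    """Return True if the client receives a reply it will accept."""
    conntrack = {}
    request = Packet(CLIENT, 40000, OLD_SERVER, 80)
    seen_by_new = nat_on_old_server(request, conntrack, masquerade)
    # the new server answers whatever source address it saw
    reply = Packet(NEW_SERVER, 80, seen_by_new.src, seen_by_new.sport)
    if reply.dst == OLD_SERVER:               # routed back via the old server
        reply = reverse_nat_on_old_server(reply, conntrack)
    return client_accepts(request, reply)
```

`simulate(True)` succeeds and `simulate(False)` fails, which is the asymmetric-routing problem step 3 avoids.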

  • cosco May 29, 2009, 3:19 am

    Thanks, I googled a lot before finding your post, without success.
    That does exactly what I want.
    However, there is a typo:
    “iptables -t nat -D PREROUTING” should read “iptables -t nat -A PREROUTING”

  • David Madl September 28, 2009, 12:41 pm

    Many thanks, works perfectly well with -A instead of -D (which is for deleting the rules).

  • init1 December 6, 2009, 12:27 am

    This does not work at all. I tried all of these steps (including using -A instead of -D) and it did nothing.

  • Pedro April 16, 2010, 1:35 pm

    Works great with “-A” instead of “-D” in both arguments. Thanks a lot!

  • Agricolus March 5, 2011, 1:01 pm

    Explanations around step 3 are a bit confused, but the commands work (you have to replace “-D” with “-A”, as mentioned).

    It may be useful to mention that “MASQUERADE” simply means “use the IP currently associated with the network interface”. It is useful if the server has a dynamic IP.

    In case the server has a fixed IP, specifying the IP address explicitly is faster (no need to query the IP of the system each time a packet comes in), thus the alternative step 3:

    # iptables -t nat -A POSTROUTING -p tcp -d 122.164.34.240 --dport 80 -j SNAT --to 'server_ip'

    Thanks for the initial post.

  • Ross McKillop March 5, 2011, 3:36 pm

    Agricolus: awesome, thanks for the additional info!

  • David Manso May 28, 2012, 5:08 am

    Great!!
    You can also change the destination port using (in step 2):
    --to-destination 122.164.34.240:8080

  • David Manso May 28, 2012, 5:18 am

    And in step 3, change the dport:
    --dport 8080

  • KRD September 8, 2012, 10:25 am

    Considering the conflicting comments on this item, I can not determine the correct syntax. This “important” page therefore needs to be updated.

  • Elias October 31, 2012, 1:16 pm

    It works great.. I spent some time trying things around this… But the syntax must be “A” for Append instead of “D” for Delete.. change that and it’s ok…
    If you want to set packet forwarding permanently in the kernel you can change the /etc/sysctl.conf file.. uncomment the line and that’s all..
    If you are using a Debian-like distro, you’ll see there’s no firewall by default, so don’t put the command in the firewall.user file…
    try a script instead for that..

  • Navodit March 30, 2014, 6:13 pm

    Here’s the correct one for Debian:

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination xxx.xxx.xxx.xxx

    iptables -t nat -A POSTROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j MASQUERADE

  • zenius May 30, 2014, 7:56 pm

    Thank you, man. This worked for me!

  • Oscar Huanca June 16, 2015, 5:56 pm

    Is it possible to add two more lines, to keep the redirection of my network cards, to do a proxy?
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j DROP

    Please help me!!!!!

  • jauyzed June 11, 2017, 10:35 pm

    Can you please update these commands?

  • AlfaEnergy July 20, 2017, 12:44 pm

    When I redirect the traffic this way, I need to make sure that the new/destination server has its DNS zones updated and not containing the old/source server IPs, right? Or will it work (show the website) even if I do not update the IP on the destination server and the zones contain the old server IP?
