From: Adam Wiggins <hiro@dusk.org>
To: netfilter@lists.netfilter.org
Subject: Re: local port redirect to remote IP
Date: Mon, 11 Nov 2002 20:43:02 -0800
Message-ID: <20021111204302.A47608@dusk.org>
In-Reply-To: <20021107185721.B34761@dusk.org>; from hiro@dusk.org on Thu, Nov 07, 2002 at 06:57:21PM -0800
Replying to my own post here. Someone posted the link to this
excellent tutorial:
http://iptables-tutorial.frozentux.net/chunkyhtml/book1.html
Which gave me a lot of insight, but unfortunately still doesn't cover
the case I want (take packets originating on localhost, going to a
port on localhost, and NAT them to a remote box).
At the bottom of the DNAT explanation:
http://iptables-tutorial.frozentux.net/chunkyhtml/x2326.html#DNATTARGET
...it covers something that seems like what I want, which is DNATing
from a firewall to a web server inside a LAN:
iptables -t nat -A OUTPUT --dst $INET_IP --dport 80 -j DNAT --to-destination $HTTP_IP
Using the OUTPUT chain, which I hadn't tried. So I did this:
iptables -t nat -A OUTPUT -p tcp --dst 127.0.0.1 --dport 8000 -j DNAT --to-destination 64.58.76.225:80
I think this is on the right track - now when I telnet to port 8000
locally it just locks waiting for the connection. That implies that
the packets are getting sent out but failing to return. I tried
switching --dst to be the machine's local IP, thinking that that might
help them find their way back more easily, but no dice.
Any thoughts?
-Adam
On Thu, Nov 07, 2002 at 06:57:21PM -0800, Adam Wiggins wrote:
>
> Greetings,
>
> I need to redirect a port on the loopback device to a remote IP -
> basically the reverse of a transparent Squid proxy.
>
> The example I'm trying to get working is to make port 8000 on the
> local machine connect me to www.yahoo.com:80.
>
> I tried both DNAT and REDIRECT (not sure which is applicable here),
> as follows:
>
> [root@ash root]# iptables -F -t nat
> [root@ash root]# iptables -t nat -A PREROUTING -s 127.0.0.1 -p tcp --dport 8003 -j REDIRECT --to 64.58.76.225:80
> [root@ash root]# telnet localhost 8003
> Trying 127.0.0.1...
> telnet: connect to address 127.0.0.1: Connection refused
> [root@ash root]# iptables -F -t nat
> [root@ash root]# iptables -t nat -A PREROUTING -s 127.0.0.1 -p tcp --dport 8003 -j DNAT --to 64.58.76.225:80
> [root@ash root]# telnet localhost 8003
> Trying 127.0.0.1...
> telnet: connect to address 127.0.0.1: Connection refused
>
> The REDIRECT works on a remote machine (if I specify -s <someIP> and
> then connect from that machine), so I know I must be close. I
> experimented with POSTROUTING as well, but that doesn't allow you to
> specify a source IP and I need to make sure this only works when
> connecting locally.
>
> Any pointers much appreciated.
>
> -Adam
>
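A complete ruleset for the case described above, added here as an example and not part of the thread: locally generated packets traverse only the OUTPUT and POSTROUTING chains of the nat table (never PREROUTING), and after the DNAT in OUTPUT they would still leave with source 127.0.0.1, so a matching SNAT in POSTROUTING is needed to give replies a routable address to come back to. The interface name eth0 and the local address 192.0.2.10 are assumed placeholders; 64.58.76.225:80 and port 8000 are the values from the thread.

```shell
#!/bin/sh
# Added example, not code from the original post. Forward local port 8000
# to a remote host with iptables. Set IPT=echo to print the rules instead
# of installing them (installing requires root).
IPT="${IPT:-iptables}"
OUT_IF="${OUT_IF:-eth0}"              # assumed outbound interface
LOCAL_IP="${LOCAL_IP:-192.0.2.10}"    # assumed address of this host
REMOTE="${REMOTE:-64.58.76.225}"      # remote address from the thread
LPORT="${LPORT:-8000}"
RPORT="${RPORT:-80}"

nat_local_port_to_remote() {
  # 1) Only locally generated packets reach the OUTPUT chain, so this rule
  #    already applies solely to connections made from this machine; the
  #    quoted PREROUTING rules never saw them (hence "Connection refused").
  "$IPT" -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport "$LPORT" \
      -j DNAT --to-destination "$REMOTE:$RPORT"
  # 2) After the DNAT the packet is re-routed out $OUT_IF but keeps source
  #    127.0.0.1, which the remote side can never answer (the hanging
  #    telnet). Rewrite the source to a routable address on the way out.
  "$IPT" -t nat -A POSTROUTING -o "$OUT_IF" -p tcp -s 127.0.0.1 \
      -d "$REMOTE" --dport "$RPORT" -j SNAT --to-source "$LOCAL_IP"
}

# Install the rules only when explicitly asked: ./redirect.sh apply
if [ "${1:-}" = "apply" ]; then
  nat_local_port_to_remote
fi
```

Verify with `iptables -t nat -L -n -v` that both rules count packets when you `telnet localhost 8000`; a DNAT counter that increments while the SNAT counter stays at zero points at the interface name.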