From: Martijn Lievaart <m@rtij.nl>
To: Henrik Martin <henrik@netgate.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: Yet another local nat/port redirecting question
Date: Wed, 25 Apr 2007 07:50:25 +0200 [thread overview]
Message-ID: <462EEC21.5020306@rtij.nl> (raw)
In-Reply-To: <200704241701.28038.henrik@netgate.net>
Henrik Martin wrote:
> All I want to do is run my web server as an ordinary user and having
> it bind to port 8080 and then have my firewall redirect traffic from
> port 80 to 8080. I have a firewall running on the local machine and I
> only let through ports 80, 443, and SSH. I'm using the SuSEFirewall
> utilities to create this. At first, I tried setting the REDIRECT
> variable in SuSE's own firewall to do the port forwarding, but
> couldn't get it to work. So I've basically pared it down to where I've
> disabled the SuSE firewall, and I'm just doing the following on the
> command line:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
>
The OUTPUT rule will never be hit; the packet is already redirected by
the PREROUTING rule. You don't need that second rule.
> If I log into an external machine and try to telnet to my web server's
> port, I can see the PREROUTING chain's packet counter increase, but
> not the OUTPUT. I'm not able to connect.
>
So this is expected.
> # iptables --list -n -t nat -v
> Chain PREROUTING (policy ACCEPT 140K packets, 42M bytes)
> pkts bytes target prot opt in out source destination
> 3 180 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
>
> Chain POSTROUTING (policy ACCEPT 140K packets, 42M bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 763 packets, 56801 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
>
>
> What am I doing wrong? Is this a bug, or is it the way I'm configuring
> the firewall?
>
This should work. It works for me, I use redirects quite frequently. The
only thing I can think of is that the webserver listens on a specific IP
and you try to connect to another.
HTH,
M4
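The reply above suggests one concrete thing to verify: a REDIRECT from :80 to :8080 only helps if the server on :8080 actually accepts connections for the address the client used. The script below is an added example, not code from this thread or from the netfilter project; it checks that condition against the output of `ss -ltn` and `iptables -t nat -L PREROUTING -v -n`. The sample outputs embedded in it are constructed (the public address 192.0.2.10 is an assumption for illustration), and all function names are hypothetical helpers.

```shell
#!/bin/sh
# Added example: check whether a REDIRECT 80->8080 in nat PREROUTING can
# reach the web server, by comparing the server's bind address with the
# address clients connect to. Sample outputs are CONSTRUCTED; on a real
# host feed in:  ss -ltn   and   iptables -t nat -L PREROUTING -v -n
# IPv4 only; the helper names are hypothetical.

# Constructed `ss -ltn`: server bound only to loopback
SS_LOOPBACK_ONLY='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    127.0.0.1:8080       0.0.0.0:*
LISTEN  0      128    0.0.0.0:22           0.0.0.0:*'

# Constructed `ss -ltn`: server bound to all interfaces
SS_ALL='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:8080         0.0.0.0:*'

# Constructed nat PREROUTING listing, same shape as the one in the thread
NAT_OK='Chain PREROUTING (policy ACCEPT 140K packets, 42M bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080'

# listen_addr <ss-output> <port>: print each local address bound to <port>
listen_addr() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":")          # "127.0.0.1:8080" -> addr, port
            if (a[n] == port) print a[1]
        }'
}

# redirect_rule_present <nat-output> <from-port> <to-port>:
# exit 0 if a REDIRECT <from> -> <to> rule is listed
redirect_rule_present() {
    printf '%s\n' "$1" | grep -q "REDIRECT.*dpt:$2 redir ports $3"
}

# reachable_after_redirect <ss-output> <nat-output> <client-dest-ip>:
# exit 0 when the redirect exists AND the :8080 listener accepts traffic
# for <client-dest-ip> (bound to a wildcard or to that exact address).
reachable_after_redirect() {
    redirect_rule_present "$2" 80 8080 || {
        echo "no REDIRECT 80->8080 rule in nat PREROUTING"; return 1; }
    for addr in $(listen_addr "$1" 8080); do
        [ "$addr" = "0.0.0.0" ] && return 0
        [ "$addr" = "*" ] && return 0
        [ "$addr" = "$3" ] && return 0
    done
    echo "server on :8080 does not listen on $3 (bound to: $(listen_addr "$1" 8080 | tr '\n' ' '))"
    return 1
}

# Stand-alone demo: a remote client connects to the host's public address
if [ "${1:-}" = "demo" ]; then
    reachable_after_redirect "$SS_LOOPBACK_ONLY" "$NAT_OK" 192.0.2.10 && echo OK
    reachable_after_redirect "$SS_ALL" "$NAT_OK" 192.0.2.10 && echo OK
fi
```

Run it as `sh check_redirect.sh demo`: the loopback-only case reports the mismatch the reply warns about, the wildcard case prints OK. Note that the check only covers the PREROUTING path, which is the one a remote client's packets take; the nat OUTPUT chain is consulted only for connections originating on the host itself.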