From mboxrd@z Thu Jan 1 00:00:00 1970
From: Bill Davidsen
Subject: Re: iptables local port forwarding
Date: Sat, 03 Apr 2004 12:30:38 -0500
Sender: netfilter-admin@lists.netfilter.org
Message-ID:
References: <20040403095005.GA4511@scholars.home> <200404031127.02648.Antony@Soft-Solutions.co.uk>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <200404031127.02648.Antony@Soft-Solutions.co.uk>
Errors-To: netfilter-admin@lists.netfilter.org
List-Help:
List-Post:
List-Subscribe: ,
List-Id:
List-Unsubscribe: ,
List-Archive:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: netfilter@lists.netfilter.org

Antony Stone wrote:
> On Saturday 03 April 2004 10:50 am, Mark Ord wrote:
>
>> I have iptables set up, firewalling eth0 (the internet) extensively, and
>> doing NAT for my LAN, and some custom port forwards.
>>
>> One is forwarding port 81 -> 80, due to my provider firewalling port
>> 80:
>>   iptables -t nat -I PREROUTING -p tcp --dport 81 -j REDIRECT --to 80
>>
>> This works for connections coming in on both eth0 and eth1. However, I
>> can't connect to port 81 on the iptables machine (no matter what
>> iptables rules I try).
>
> That rule looks fine to me, and you must obviously have an appropriate INPUT
> rule allowing the connection to port 80 after the REDIRECT has completed,
> otherwise you wouldn't be able to connect directly to port 80, which you say
> works fine.
>
> The only thing I can think to ask is whether "iptables -L -t nat -nvx" shows
> the packet/byte counters for this rule incrementing when you do try to access
> port 81?
>
> Perhaps a few judicious LOGging rules (before and after the REDIRECT in the
> nat table, before and after the ACCEPT in the INPUT chain) will tell you
> something useful?

Actually, you need to allow port 81 in; it doesn't become 80 until after
the rewrite.

-- 
bill davidsen
  CTO TMR Associates, Inc
Doing interesting things with small computers since 1979
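Added example, not from the thread: a REDIRECT in nat PREROUTING only sees packets that arrive on an interface, while a connection the firewall host opens to itself is locally generated and traverses nat OUTPUT instead, so the local case needs its own rule (restricted to lo so real outbound connections to port 81 are left alone). The script emits the complete rule set as a dry run by default (set DRY_RUN=0 and run as root to apply it); the IPT variable and the function names are my own, and the port numbers default to the ones from the thread.

```shell
#!/bin/sh
# Added example: port forwarding for external AND locally originated
# connections. DRY_RUN=1 prints the commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-iptables}"   # assumed path/name of the iptables binary

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Packets arriving from the network (eth0/eth1) traverse nat PREROUTING;
# this is the rule from the thread, spelled with the full --to-ports option.
redirect_inbound() {   # $1 = public port, $2 = real service port
    run "$IPT" -t nat -A PREROUTING -p tcp --dport "$1" -j REDIRECT --to-ports "$2"
}

# Connections the host makes to itself never hit PREROUTING as NEW; the
# NAT decision for them is taken in nat OUTPUT. "-o lo" keeps the rewrite
# from touching connections to port $1 on other hosts.
redirect_local() {
    run "$IPT" -t nat -A OUTPUT -o lo -p tcp --dport "$1" -j REDIRECT --to-ports "$2"
}

# By the time filter INPUT runs, REDIRECT has already rewritten the
# destination, so INPUT must accept the real service port, not the public one.
allow_after_redirect() {   # $1 = real service port
    run "$IPT" -A INPUT -p tcp --dport "$1" -j ACCEPT
}

forward_port() {   # $1 = public port, $2 = real service port
    redirect_inbound "$1" "$2"
    redirect_local "$1" "$2"
    allow_after_redirect "$2"
}

forward_port "${PUBLIC_PORT:-81}" "${REAL_PORT:-80}"
```

Antony's counter check still applies: after adding the OUTPUT rule, `iptables -t nat -L OUTPUT -nvx` should show that rule's packet counter increment when the host connects to its own port 81.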