Trevor,
THANKS for the reply, but that didn't work. In fact, -j REDIRECT to a certain port and -j DNAT are equivalent (though with DNAT you have to say "--to 192.168.10.101:8080", i.e. give an IP and a port). (For just one explanation of this, see http://www.linuxsecurity.com/content/view/117557/49/ where they note: "REDIRECT: This is a specialized case of DNAT that alters the destination IP address to send the packet to the machine itself. This is useful in circumstances where one wishes to redirect web traffic to a local proxy server, such as squid.")
In any case, I tried your suggestion:
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.10.101:8080
Still doesn't work.
My related guru question is: How can I tell on a running system if the kernel was compiled with "fast switching" for the network? Apparently this has to be set to OFF for this kind of redirection to work.
John
On 5/2/05, fedora-list-request@redhat.com fedora-list-request@redhat.com wrote:
- Re: iptables -- trying to redirect, but doesn't work (Trevor "TeC" Christian)
Message: 6
Date: Sun, 01 May 2005 23:15:33 -0400
From: "Trevor "TeC" Christian" trevor@bouyon.dalive.com
Subject: Re: iptables -- trying to redirect, but doesn't work
To: john@7fff.com, For users of Fedora Core releases fedora-list@redhat.com
Message-ID: 42759B55.2050100@bouyon.dalive.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
John G. Norman wrote:
Hi.
I'm trying to redirect from one port to another with iptables (destination NAT -- transparent proxying . . . e.g., "destination NAT" in this article: http://www.linux-mag.com/content/view/849/2236/).
I've done this many times before, including on SuSE and various flavors of BSD (with ipfw).
For some reason I can't get it to work on Fedora 3.
I do have ip forwarding on (/proc/sys/net/ipv4/ip_forward shows 1)
The command I am trying to use is:
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
I think this should probably be /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-port 8080
I believe that's what works for me...
-- *Trevor "TeC" Christian* Cell #: (767) 225 4472 IM MSN: trevorc98@hotmail.com / trevor@bouyon.dalive.com YM : trevorc01 AIM: DoubleOTeC
Curriculum Vitae (PDF) http://bouyon.dalive.com/cv/curriculum_vitae.pdf Curriculum Vitae (HTML) http://bouyon.dalive.com/cv/curriculum_vitae.html
On Mon, 2005-05-02 at 09:30 -0400, John G. Norman wrote:
My related guru question is: How can I tell on a running system if the kernel was compiled with "fast switching" for the network? Apparently this has to be set to OFF for this kind of redirection to work.
Fast Switching is no longer a kernel option. Netfilter would be completely bypassed - not just NAT/DNAT.
Thanks!
(Still can't figure out why my rule isn't taking.)
On Mon, 2005-05-02 at 12:35 -0400, John G. Norman wrote:
I experienced the same problem experimenting with zombiesmtp. I finally gave up and redirected to a different machine:port which works perfectly. You might want to post this query in the netfilter list.
On Mon, 02.05.2005 at 15:30, John G. Norman wrote:
Did we see your full packet filtering (i.e. iptables -nvL)? I guess you block the traffic somewhere else; at least I don't remember any case where redirecting gave me a problem.
Alexander
Sure. I turned off all filtering. All ports are open (this is all on a private subnet).
Look:
[root@preview preview]# /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.10.101:8080
[root@preview preview]# /sbin/iptables -nvL
Chain INPUT (policy ACCEPT 601 packets, 330K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 430 packets, 77490 bytes)
 pkts bytes target     prot opt in     out     source               destination
[root@preview preview]#
[root@preview preview]# /sbin/iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:http to:192.168.10.101:8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@preview preview]#
Still stumped. :-(
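A small diagnostic helper, added here as an example and not part of the thread: the listing above was taken with `iptables -t nat -L`, which hides the per-rule packet counters, while `iptables -t nat -L PREROUTING -n -v` shows whether a DNAT/REDIRECT rule has ever matched anything. The script parses such a listing (a constructed sample is embedded, including a hypothetical second rule) and flags rules whose counter is still zero, which means the traffic never reached the rule at all; one common cause is testing from the box itself, since locally generated packets traverse the nat OUTPUT chain and never PREROUTING.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Parses the verbose listing of the nat
# PREROUTING chain and flags DNAT/REDIRECT rules whose packet counter is still 0.
# A rule at 0 packets is installed but has never seen a matching packet: the test
# traffic arrives on another interface/port, or was generated on the box itself
# (locally generated packets go through nat OUTPUT, not PREROUTING).

# Constructed sample in the shape of: iptables -t nat -L PREROUTING -n -v
# (the REDIRECT line is hypothetical, added to show a rule that has matched).
SAMPLE_NAT_PREROUTING='Chain PREROUTING (policy ACCEPT 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:192.168.10.101:8080
   37  2220 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8443'

# nat_rule_report: chain listing on stdin -> one line per DNAT/REDIRECT rule:
#   <hit|never-matched> <target> in=<interface> <match and target options>
# Field layout of the -v listing: pkts bytes target prot opt in out source destination ...
nat_rule_report() {
    awk '
        $3 == "DNAT" || $3 == "REDIRECT" {
            status = ($1 + 0 == 0) ? "never-matched" : "hit"
            rest = ""
            for (i = 10; i <= NF; i++) rest = rest " " $i
            printf "%s %s in=%s%s\n", status, $3, $6, rest
        }'
}

# never_matched_count: chain listing on stdin -> number of DNAT/REDIRECT rules
# that have not matched a single packet (0 means every rule is being hit).
never_matched_count() {
    nat_rule_report | awk '$1 == "never-matched" { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample; on a real box replace the
# sample with: iptables -t nat -L PREROUTING -n -v | nat_rule_report
printf '%s\n' "$SAMPLE_NAT_PREROUTING" | nat_rule_report
printf '%s\n' "$SAMPLE_NAT_PREROUTING" | never_matched_count
```

If the DNAT rule shows as hit but connections still fail, the problem is downstream of PREROUTING (routing, the filter FORWARD chain, or the return path from the target host), not the NAT rule itself.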