iptables -- trying to redirect, but doesn't work

John G. Norman john.g.norman at gmail.com
Sun May 1 18:55:45 UTC 2005


Hi.

I'm trying to redirect from one port to another with iptables
(destination NAT -- transparent proxying . . . e.g., "destination NAT"
in this article: http://www.linux-mag.com/content/view/849/2236/).

I've done this many times before, including on SuSE and various
flavors of BSD (with ipfw).

For some reason I can't get it to work on Fedora 3.

I do have ip forwarding on (/proc/sys/net/ipv4/ip_forward shows 1)

The command I am trying to use is:

/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

I've tried this a number of ways, but I always get "connection
refused." (Requests to port 8080 work fine.) I also flushed everything
out of the nat, filter, and mangle tables: Didn't help.

I have also tried it with the default iptables setting when the Fedora
firewall is set to accept requests on 80 and 8080. See below.

I'm stumped. Anyone seen this? Anyone have a working iptables setup on
Fedora 3 with forwarding from one port to another that definitely
works?

    John N.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT



