iptables -- trying to redirect, but doesn't work (and related guru question)
John G. Norman
john.g.norman at gmail.com
Mon May 2 18:16:34 UTC 2005
Sure. I turned off all filtering. All ports are open (this is all on a
private subnet).
Look:
[root@preview preview]# /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.10.101:8080
[root@preview preview]# /sbin/iptables -nvL
Chain INPUT (policy ACCEPT 601 packets, 330K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 430 packets, 77490 bytes)
pkts bytes target prot opt in out source destination
[root@preview preview]#
[root@preview preview]# /sbin/iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:192.168.10.101:8080
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@preview preview]#
Still stumped. :-(
On 5/2/05, Alexander Dalloz <ad+lists at uni-x.org> wrote:
> On Mon, 02.05.2005, John G. Norman wrote at 15:30:
>
> > THANKS for the reply, but that didn't work. In fact, -j REDIRECT to a
> > certain port and -j DNAT are equivalent (though with DNAT you have to
> > say "--to 192.168.10.101:8080" (give an IP and a port)). (For just one
> > explanation of this, see
> > http://www.linuxsecurity.com/content/view/117557/49/ where they note:
> > "REDIRECT: This is a specialized case of DNAT that alters the
> > destination IP address to send the packet to the machine itself. This
> > is useful in circumstances where one wishes to redirect web traffic to
> > a local proxy server, such as squid.")
> >
> > In any case, I tried your suggestion:
> >
> > /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.10.101:8080
> >
> > Still doesn't work.
>
> > John
>
> Did we see your full packet filtering (i.e. iptables -nvL)? I guess you
> block the traffic somewhere else, at least I don't remember any case
> where redirecting caused me a problem.
>
> Alexander
>
> --
> Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
> legal statement: http://www.uni-x.org/legal.html
> Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.14_FC2smp
> Serendipity 19:46:56 up 3:52, 18 users, 0.23, 0.14, 0.10
>
>
>
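Added example, not part of the original messages: an offline check of two conditions a PREROUTING DNAT rule like the one above depends on, namely that locally generated packets traverse the nat OUTPUT chain rather than PREROUTING, and that a target on another host needs IP forwarding enabled. The function names check_dnat and sample_rules, the iptables-save sample text and the address 192.168.10.5 are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads nat-table rules in iptables-save format on stdin.
# Usage: check_dnat IP_FORWARD "LOCAL_ADDR ..."   (both supplied by the caller)
check_dnat() {
    ip_forward=$1
    local_addrs=$2
    rules=$(cat)
    # Collect the ip:port target of every DNAT rule in PREROUTING.
    targets=$(printf '%s\n' "$rules" | sed -n \
        's/^-A PREROUTING .*-j DNAT --to\(-destination\)\{0,1\} \([0-9.]*:[0-9]*\).*$/\2/p')
    [ -n "$targets" ] || { echo "no PREROUTING DNAT rule found"; return 1; }
    status=0
    for t in $targets; do
        ip=${t%%:*}
        # Locally generated packets traverse nat OUTPUT, never PREROUTING.
        if ! printf '%s\n' "$rules" | grep -q -- "^-A OUTPUT .*-j DNAT .*$t"; then
            echo "$t: no nat OUTPUT rule; connections opened on this host are not rewritten"
        fi
        case " $local_addrs " in
            *" $ip "*)
                echo "$t: target is a local address; no forwarding needed" ;;
            *)
                # A target on another host is routed, so forwarding must be on.
                if [ "$ip_forward" != 1 ]; then
                    echo "$t: target is remote and net.ipv4.ip_forward is not 1"
                    status=1
                fi ;;
        esac
    done
    return $status
}

# Constructed sample: the rule from the thread as iptables-save would print it.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.101:8080
COMMIT
EOF
}

# 192.168.10.5 is a made-up local address for the demo.
sample_rules | check_dnat 0 "192.168.10.5" || true
```

On a live host the input would come from `iptables-save -t nat`, the first argument from `/proc/sys/net/ipv4/ip_forward`, and the second from the host's own interface addresses.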