iptables -- trying to redirect, but doesn't work (and related guru question)

John G. Norman john.g.norman at gmail.com
Mon May 2 18:16:34 UTC 2005


Sure. I turned off all filtering. All ports are open (this is all on a
private subnet).

Look:

[root at preview preview]# /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.10.101:8080

[root at preview preview]# /sbin/iptables -nvL
Chain INPUT (policy ACCEPT 601 packets, 330K bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination


Chain OUTPUT (policy ACCEPT 430 packets, 77490 bytes)
 pkts bytes target     prot opt in     out     source               destination

[root at preview preview]#
[root at preview preview]# /sbin/iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:192.168.10.101:8080

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root at preview preview]#

Still stumped.   :-(



On 5/2/05, Alexander Dalloz <ad+lists at uni-x.org> wrote:
> On Mon, 02.05.2005, at 15:30, John G. Norman wrote:
> 
> > THANKS for the reply, but that didn't work. In fact, -j REDIRECT to a
> > certain port and -j DNAT are equivalent (though with DNAT you have to
> > say "--to 192.168.10.101:8080 (give an IP and a port). (For just one
> > explanation of this, see
> > http://www.linuxsecurity.com/content/view/117557/49/ where they note:
> > "REDIRECT: This is a specialized case of DNAT that alters the
> > destination IP address to send the packet to the machine itself. This
> > is useful in circumstances where one wishes to redirect web traffic to
> > a local proxy server, such as squid."
> >
> > In any case, I tried your suggestion:
> >
> > /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
> > 192.168.10.101:8080
> >
> > Still doesn't work.
> 
> > John
> 
> Did we see your full packet filtering (i.e. iptables -nvL)? I guess you
> block the traffic somewhere else; at least I don't remember any case
> where redirecting caused me a problem.
> 
> Alexander
> 
> --
> Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
> legal statement: http://www.uni-x.org/legal.html
> Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.14_FC2smp
> Serendipity 19:46:56 up 3:52, 18 users, 0.23, 0.14, 0.10
> 
> 
>

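For reference, here is a complete rule set for what the thread is trying to do, as an added example that is not part of the original exchange. A lone nat/PREROUTING DNAT rule is only one of the pieces: locally generated test traffic never traverses PREROUTING (it is NATed in nat/OUTPUT instead), forwarding to another host needs ip_forward, and when the client and 192.168.10.101 share a subnet the target answers the client directly unless the forwarded packets are source-NATed on the way out. The interface name eth0 and the shared-subnet layout are assumptions; the target 192.168.10.101:8080 is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: full rule set for answering port 80 on
# this box with the web server on 192.168.10.101:8080, covering the cases a
# lone PREROUTING DNAT rule does not. Assumptions (not stated in the thread):
# the LAN interface is eth0 and the clients sit on the same subnet as the target.
set -e

IPT=${IPT:-/sbin/iptables}        # set IPT=echo to print the rules instead of applying them
SYSCTL=${SYSCTL:-/sbin/sysctl}    # likewise SYSCTL=echo for a dry run
LAN_IF=${LAN_IF:-eth0}            # assumed interface name
TARGET=${TARGET:-192.168.10.101}  # from the thread
TPORT=${TPORT:-8080}              # from the thread

redirect_http() {
    # 1. Forwarding to another host only works if the kernel routes at all.
    $SYSCTL -w net.ipv4.ip_forward=1

    # 2. Packets that ARRIVE from the network traverse nat/PREROUTING.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$TARGET:$TPORT"

    # 3. Packets GENERATED on this box (a telnet or wget test run on the box
    #    itself) never pass PREROUTING; they are NATed in nat/OUTPUT instead.
    $IPT -t nat -A OUTPUT -o lo -p tcp --dport 80 \
        -j DNAT --to-destination "$TARGET:$TPORT"

    # 4. The rewritten packets are forwarded, so the filter FORWARD chain must
    #    let them through both ways (the thread's policy is ACCEPT; be explicit).
    $IPT -A FORWARD -p tcp -d "$TARGET" --dport "$TPORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -p tcp -s "$TARGET" --sport "$TPORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 5. Hairpin case: a client on the same subnet as $TARGET would get the
    #    reply straight from $TARGET, not from this box, and reset it. Source-NAT
    #    the forwarded packets so the reply returns through this box (this also
    #    fixes tests from the box itself whose source would be 127.0.0.1).
    $IPT -t nat -A POSTROUTING -p tcp -d "$TARGET" --dport "$TPORT" \
        -j MASQUERADE
}

# Inspect the result; the pkts counters show whether the DNAT rule is hit at all.
show_nat() {
    $IPT -t nat -nvL
}

case "${1:-}" in
    apply) redirect_http ;;
    show)  show_nat ;;
esac
```

Run it as root with `apply`, then `show`; if the PREROUTING counter stays at zero while the client retries, the packets are not reaching this box on port 80 at all (or are being generated on the box itself), which is a routing or test-setup problem rather than a NAT one.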