Port translation

Uno Engborg uno at webworks.se
Sun Jul 13 23:30:11 UTC 2008


IKnowNot at comcast.net skrev:
> Uno Engborg wrote:
>> stan skrev:
>>> Uno Engborg wrote:
>>>> stan skrev:
>>>>> Uno Engborg wrote:
>>>>>> Rüdiger Pretzlaff skrev:
>>>>>>>
>>>>>>> Am 12.07.2008 um 12:21 schrieb Uno Engborg:
>>>>>>>
>>>>>>>> For various reasons I would like to forward traffic to port 390 
>>>>>>>> to port 5432 on the same host. One would think this would be a
>>>>>>>> simple task for iptables but I have now tinkered with this for 
>>>>>>>> two days, and I still fail to get it right.
>> ................
>
>
>> Port redirection now works locally, but not on the eth0 interface.
>>
>>
>> Regards
>> Uno Engborg
>>
>
> since you didn't use --line-numbers, it is harder to look at, but 
> after sorting:
>
> packets coming into eth0 that you are redirecting are being nat-ed in 
> the PREROUTING chain, then are being sent to the RH-Firewall-1-INPUT 
> chain via the INPUT chain.  They are being dropped there.
>
>
>
>
> iptables -I RH-Firewall-1-INPUT -m state -p tcp -i eth0 --dport 5432 
> --state NEW -j ACCEPT
>
> iptables -I RH-Firewall-1-INPUT -m state -p tcp -i eth0 --dport 5432 
> --state NEW -j LOG --log-level info --log-prefix "new in eth0 5432: "
>
>
>
> the above commands place rules at the head of the RH-Firewall-1-INPUT 
> chain to first log then accept any tcp packets destined for port 5432 
> that are new.  You already have one that accepts related and 
> established tcp packets so others should be allowed through.  And 
> logging only the new packets will keep your logs down but allow you to 
> know who attempted to connect.
>
> It is important to run the commands in the order shown if you use a 
> shell.  That will first place the ACCEPT command at the top of the 
> chain, then place the logging above that.  You need to log it first 
> before you accept or it won't hit the log!  If you insert them another 
> way just make sure the logging line is above the ACCEPT line when you 
> list your rules.  ( You don't really need the log rule, but it helps, 
> especially when testing rules. )
>
>
> Hope this helps!
>
> IKnowNot
>
That did the trick!
Thanks, to all of you that have helped

Regards
Uno Engborg
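The fix IKnowNot describes has two halves that the thread only shows one of: the nat/PREROUTING REDIRECT rewrites the destination port before routing, so the filter INPUT chain never sees port 390 and must accept the translated port 5432; and because "-I" inserts at the head of a chain, the LOG rule has to be inserted after the ACCEPT rule to end up listed above it. The script below is an added example, not code from the thread or from any of its participants. It assumes a RHEL-style INPUT sub-chain named RH-Firewall-1-INPUT, an external interface eth0, and an IPTABLES variable that can be pointed at "echo" for an offline dry run; the check_order function is a hypothetical helper that verifies the listing order without touching a real firewall.

```shell
#!/bin/sh
# Added example (not from the original thread): redirect TCP port 390 to
# port 5432 on the same host and open the *translated* port in the filter
# chain, inserting LOG above ACCEPT.
#
# Assumptions (hypothetical, adjust for your host):
#   - the filter INPUT chain jumps to a sub-chain named RH-Firewall-1-INPUT
#     (the RHEL/CentOS default the thread refers to);
#   - the external interface is eth0;
#   - IPTABLES may be overridden (IPTABLES=echo) for a dry run.

IPTABLES="${IPTABLES:-iptables}"

# Emit the rules in the order they must be executed.  Because "-I" puts a
# rule at the head of a chain, the rule executed LAST is listed FIRST, so
# ACCEPT is inserted before LOG, leaving LOG on top.
apply_redirect() {
    iface="$1"; from="$2"; to="$3"; chain="${4:-RH-Firewall-1-INPUT}"

    # 1. nat/PREROUTING: packets arriving on $iface for port $from are
    #    rewritten to port $to before routing.  The filter INPUT chain
    #    only ever sees the rewritten destination port.
    "$IPTABLES" -t nat -A PREROUTING -i "$iface" -p tcp --dport "$from" \
        -j REDIRECT --to-ports "$to"

    # 2. nat/OUTPUT: locally generated traffic (e.g. psql -h 127.0.0.1 -p 390)
    #    never traverses PREROUTING and needs its own REDIRECT.
    "$IPTABLES" -t nat -A OUTPUT -o lo -p tcp --dport "$from" \
        -j REDIRECT --to-ports "$to"

    # 3. filter: accept NEW connections to the TRANSLATED port ...
    "$IPTABLES" -I "$chain" -i "$iface" -p tcp --dport "$to" \
        -m state --state NEW -j ACCEPT

    # 4. ... then insert LOG above it.  LOG is non-terminating, so the
    #    packet falls through to the ACCEPT rule on the next line.
    "$IPTABLES" -I "$chain" -i "$iface" -p tcp --dport "$to" \
        -m state --state NEW -j LOG --log-level info \
        --log-prefix "new in $iface $to: "
}

# Show what the kernel actually has, with line numbers so the order of the
# LOG and ACCEPT rules can be read off directly.
show_rules() {
    chain="${4:-RH-Firewall-1-INPUT}"
    "$IPTABLES" -t nat -L PREROUTING -n -v --line-numbers
    "$IPTABLES" -L "$chain" -n -v --line-numbers
}

# Dry-run helper: print the filter rules in the order a later
# "iptables -L $chain --line-numbers" would list them (last inserted first).
listing_order() {
    ( IPTABLES=echo; apply_redirect "$@" ) | grep -- "-I " | sed '1!G;h;$!d'
}

# Sanity check: LOG must be listed above ACCEPT, both must name the
# translated port, and neither may still reference the original port.
# Returns 0 when the ordering is right, 1 otherwise.
check_order() {
    listing="$(listing_order "$@")"
    printf '%s\n' "$listing" | head -n 1 | grep -q -- "--dport $3 .*-j LOG" || return 1
    printf '%s\n' "$listing" | sed -n 2p | grep -q -- "--dport $3 .*-j ACCEPT" || return 1
    printf '%s\n' "$listing" | grep -q -- "--dport $2 " && return 1
    return 0
}

# Usage:  IPTABLES=echo sh redirect.sh apply    # dry run, prints the commands
#         sh redirect.sh apply                  # as root, applies and lists them
if [ "${1:-}" = "apply" ]; then
    apply_redirect eth0 390 5432
    show_rules eth0 390 5432
fi
```

Run it with IPTABLES=echo first: the dry run makes the inversion visible (ACCEPT is printed before LOG, yet listing_order shows LOG on top), and it shows that the only rule mentioning port 390 is the nat REDIRECT, which is exactly why a filter rule for port 390 in RH-Firewall-1-INPUT never matches.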
