iptables fubared?
Bill Davidsen
davidsen at tmr.com
Mon Oct 15 14:30:19 UTC 2012
Tim wrote:
> On Thu, 2012-10-04 at 12:45 -0700, Mark Space wrote:
>> I'm not sure where I could have fubared this. I did try to redirect
>> the ports from 80 to 8080, perhaps that was done incorrectly?
>
> You've tested that you can browse to localhost on port 80, but have you
> also tested that web server is listening to port 8080, by browsing to
> that port on the same machine (or over ssh)?
>
> Why are you redirecting, though? If there's a block on port 80, then
> your attempt to get in on port 80 and redirect to port 8080 isn't going
> work. Which way are you *trying* to redirect?
>
> Last time I played with redirection (long ago), I did it to the input
> and/or NAT rules, not the output rules. Redirecting incoming
> connections on a port that would be allowed, to the port that was
> listening.
>
>
> ## Redirect webserver visitors past my ISP's firewalling (blocking port 80):
> ## incoming port 8000 connections sent to the port 80 listening server
>
> iptables --table nat --append PREROUTING --protocol tcp --dport 8000 --jump REDIRECT --to-port 80
>
>
> But, it can be easier to just have the server listen to the port that's
> not blocked, and not do any redirection.
>
OP found that out, good to listen to the source IP rather than just loopback. I
did get familiar with REDIRECT, though, which I'd not used. All the things I
have ever done were with DNAT, although I dimly remember that when learning
iptables (when it first came into Linux) I saw it but needed DNAT instead.
The good old days of writing perl to convert ipchains to iptables scripts, like
many other things they are more fun to remember than repeat.
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
More information about the users
mailing list