iptables redirect

Leo Cacciari leo.cacciari at gmail.com
Sun Dec 23 13:11:01 UTC 2007


On Fri, 21/12/2007 at 16:47 +0100, Luca Ferrari wrote:
> Hi,
> I'd like to open a port on my firewall to redirect to a testing web server 
> machine, thus I'm doing:
> 
> $IPTABLES -t nat -I PREROUTING -i $EXT_INTF -p tcp -d $FIREWALL --dport 9999 -s 0/0 -j DNAT --to $SONY:80 -v
> $IPTABLES -I FORWARD -p tcp -i $EXT_INTF  --dport 9999   -d $SONY -j ACCEPT
> $IPTABLES -I FORWARD -p tcp -i $EXT_INTF  --dport 80     -d $SONY -j ACCEPT
> 
> $SONY is my destination machine, and I'd like to have the connection opened 
> from port 9999 on my firewall's external interface to port 80 on sony, but this is 
> not working. If I try to connect I get connection refused.
> Any idea?
Hi Luca,
  I had a similar problem the first time I did a setup like the one you
propose. The problem is that the packets to be forwarded have to go
through the INPUT chain before they even reach the FORWARD one. Thus you
should have something like this

$IPTABLES -A INPUT -i $EXT_INTF -p tcp -d $FIREWALL --dport 9999 -j ACCEPT

in your firewall script.

Beware that I have not tried the above right now, so be careful. The best
thing to do is to look up the documentation, keeping in mind my remark at
the beginning, that is to say that packets should pass the INPUT chain
before getting to the FORWARD chain or to the nat table.

-- 
Leo "TheHobbit" Cacciari
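The port forward discussed in this thread, as an added example that is not part of the original messages: a POSIX shell checker that takes the output of iptables-save and confirms the three pieces a DNAT port forward needs. The detail it is built around is that netfilter applies the nat PREROUTING chain before the routing decision, so by the time a forwarded packet reaches the filter FORWARD chain its destination has already been rewritten to the internal address and port; the FORWARD rule has to match the translated port (the dport 80 rule in the question), and a FORWARD rule for the public port on the internal address can never match. The interface eth0, the addresses 203.0.113.10 and 192.168.1.20, and the three iptables-save dumps are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# check_port_forward: verify that an iptables-save dump contains a complete
# DNAT port forward. nat PREROUTING runs before the routing decision, so a
# forwarded packet arrives in the filter FORWARD chain with its destination
# already rewritten to TARGET_IP:TARGET_PORT.
#
# Arguments: DUMP EXT_IF PUBLIC_IP PUBLIC_PORT TARGET_IP TARGET_PORT [IP_FORWARD]
# IP_FORWARD (0/1) may be supplied for offline checks; otherwise it is read
# from /proc/sys/net/ipv4/ip_forward.
# Return: 0 complete, 1 no DNAT rule, 2 no FORWARD rule for the translated
# destination, 3 IP forwarding disabled in the kernel.

escape_dots() { printf '%s' "$1" | sed 's/\./\\./g'; }

check_port_forward() {
    _dump=$1 _ext_if=$2 _pub_ip=$3 _pub_port=$4 _tgt_ip=$5 _tgt_port=$6
    _ip_fwd=${7:-$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)}
    _pub_re=$(escape_dots "$_pub_ip")
    _tgt_re=$(escape_dots "$_tgt_ip")

    # 1. nat PREROUTING must rewrite PUBLIC_IP:PUBLIC_PORT arriving on EXT_IF
    #    to TARGET_IP:TARGET_PORT. Each grep checks one token, so the option
    #    order in the dump does not matter.
    printf '%s\n' "$_dump" | grep -E '^-A PREROUTING ' \
        | grep -E -e "-i ${_ext_if} " \
        | grep -E -e "-d ${_pub_re}(/32)? " \
        | grep -E -e "--dport ${_pub_port} " \
        | grep -Eq -e "-j DNAT --to-destination ${_tgt_re}:${_tgt_port}$" \
        || return 1

    # A FORWARD rule matching the public port on the target address is dead:
    # the port was rewritten before the packet got here. Warn, do not fail.
    if [ "$_pub_port" != "$_tgt_port" ] && printf '%s\n' "$_dump" \
        | grep -E '^-A FORWARD ' \
        | grep -E -e "-d ${_tgt_re}(/32)? " \
        | grep -Eq -e "--dport ${_pub_port} "; then
        echo "warning: FORWARD rule for ${_tgt_ip}:${_pub_port} can never match;" \
             "packets reach FORWARD already rewritten to port ${_tgt_port}" >&2
    fi

    # 2. filter FORWARD must accept traffic to the translated destination.
    printf '%s\n' "$_dump" | grep -E '^-A FORWARD ' \
        | grep -E -e "-d ${_tgt_re}(/32)? " \
        | grep -E -e "--dport ${_tgt_port} " \
        | grep -Eq -e "-j ACCEPT$" \
        || return 2

    # 3. The kernel must actually route between interfaces.
    [ "$_ip_fwd" = 1 ] || return 3
    return 0
}

# Constructed iptables-save dumps (sample input for this example; interface,
# addresses and ports are assumptions, not taken from the thread).
SAMPLE_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 9999 -j DNAT --to-destination 192.168.1.20:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.1.20/32 -i eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
-A FORWARD -d 192.168.1.20/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Same DNAT, but the only FORWARD rule matches the pre-translation port,
# so the forward is silently incomplete (status 2 plus a warning).
SAMPLE_DEAD_FORWARD='*nat
-A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 9999 -j DNAT --to-destination 192.168.1.20:80
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.1.20/32 -i eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
COMMIT'

# Filter rules only, no nat rule at all (status 1).
SAMPLE_NO_DNAT='*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.1.20/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Demonstration on the constructed samples; runs offline, no root needed.
for _name in SAMPLE_OK SAMPLE_DEAD_FORWARD SAMPLE_NO_DNAT; do
    eval "_d=\$$_name"
    check_port_forward "$_d" eth0 203.0.113.10 9999 192.168.1.20 80 1 && _rc=0 || _rc=$?
    echo "$_name: status $_rc"
done
```

On the firewall itself, run it as root against the live ruleset with `check_port_forward "$(iptables-save)" eth0 203.0.113.10 9999 192.168.1.20 80` and let it read ip_forward from /proc. The check inspects only the ruleset and the forwarding sysctl; it says nothing about whether the web server on the internal host is listening, or whether the internal host routes its replies back through the firewall, both of which also have to hold for the forwarded connection to work.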




