Networking Forums


IP Tables locally

 
 
Vincent van Beveren

 
      07-26-2006, 03:31 PM
Hi everyone,

As far as I understand IP tables, when I set up a TCP/IP connection from
a local application it's filtered through the OUTPUT nat table. Therefore I
have devised the following rule:

iptables -t nat -A OUTPUT -d 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-port 8081

Which it accepts. Note though that 192.168.1.3 is owned by the local
host. The PC has multiple IP addresses.

However, when I telnet to port 80, it doesn't accept it. If I telnet to
port 8081, it does. Why doesn't this work? I have made the same rule in
the PREROUTING table for connections from the outside and that works
without glitches.

Thanks in advance,
Vincent
 
 
 
 
 
Mark

 
      07-26-2006, 08:46 PM
On Wed, 26 Jul 2006 17:31:22 +0200, Vincent van Beveren wrote:

> Hi everyone,
>
> As far as I understand IP tables, when I set up a TCP/IP connection from
> a local application it's filtered through the OUTPUT nat table. Therefore I
> have devised the following rule:
>
> iptables -t nat -A OUTPUT -d 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-port 8081
>
> Which it accepts. Note though that 192.168.1.3 is owned by the local
> host. The PC has multiple IP addresses.


I just tested and it works fine for me.

> However, when I telnet to port 80, it doesn't accept it. If I telnet to
> port 8081, it does. Why doesn't this work? I have made the same rule in
> the PREROUTING table for connections from the outside and that works
> without glitches.


Do you have any other rules in there? (show an iptables -t nat -L OUTPUT)

Regards,
Mark.

 
 
Vincent van Beveren

 
      07-27-2006, 11:42 AM
>> iptables -t nat -A OUTPUT -d 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-port 8081
>>
>> Which it accepts. Note though that 192.168.1.3 is owned by the local
>> host. The PC has multiple IP addresses.

>
> I just tested and it works fine for me.


Weird... The 192.168.1.3 is an IP address on the same host I create the
rule on and the telnet connection from. The host has multiple IP addresses.

>
>
> Do you have any other rules in there? (show a iptables -t nat -L OUTPUT)
>


xs-amsweb01:~ # iptables -t nat -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere 192.168.1.3 tcp dpt:http redir ports 8081

Then when I try it I get this:

xs-amsweb01:~ # telnet 192.168.1.3 8081
Trying 192.168.1.3...
Connected to 192.168.1.3.
Escape character is '^]'.
[... here I press ^C, but it accepts the connection]
Connection closed by foreign host.
xs-amsweb01:~ # telnet 192.168.1.3 80
Trying 192.168.1.3...
[... after waiting for a while I press ^C, no connection is established]

It might have something to do with SuSE, because if I do ifconfig I only
get eth0 with the primary IP address, and lo, all my other IPs aren't
visible here (I can only see them in YaST, I don't know how SuSE handles
this).

Thanks so far,
Vincent
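
Added example, not part of any post in this thread: a small check for a setup like the one discussed, based on the documented behaviour of the REDIRECT target, which maps locally generated packets to 127.0.0.1, so the service on the redirect port has to accept connections on loopback. The listing is the one shown above with the wrapped rule line joined; the listener list, the service-name table and all function names are constructed for illustration.

```python
import re

# Listing from the thread, with the wrapped rule line joined.
NAT_OUTPUT_LISTING = """\
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere 192.168.1.3 tcp dpt:http redir ports 8081
"""

# Constructed sample of listening sockets as (local address, port),
# in the form `ss -ltn` or `netstat -ltn` reports them. Not from the thread.
LISTENERS = [("192.168.1.3", 8081), ("0.0.0.0", 22)]

# Service names that `iptables -L` prints when run without -n (assumed subset).
SERVICE_PORTS = {"http": 80, "https": 443}

RULE_RE = re.compile(
    r"REDIRECT\s+tcp\s+\S+\s+\S+\s+(\S+)\s+tcp dpt:(\S+)\s+redir ports (\d+)")

def parse_redirects(listing):
    """Return [(dst, dport, to_port)] for each tcp REDIRECT rule in the listing."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            dst, dpt, to_port = m.groups()
            dport = int(dpt) if dpt.isdigit() else SERVICE_PORTS[dpt]
            rules.append((dst, dport, int(to_port)))
    return rules

def loopback_listener(listeners, port):
    """True if a socket on `port` accepts connections addressed to 127.0.0.1."""
    # IPv4 wildcard or loopback only; IPv6 wildcard sockets are not considered.
    return any(p == port and addr in ("0.0.0.0", "*", "127.0.0.1")
               for addr, p in listeners)

def check(listing, listeners):
    """For each rule, report whether the rewritten connection has a listener."""
    # In nat/OUTPUT, REDIRECT rewrites the destination to 127.0.0.1:<to_port>.
    return [(dst, dport, to_port, loopback_listener(listeners, to_port))
            for dst, dport, to_port in parse_redirects(listing)]

if __name__ == "__main__":
    for dst, dport, to_port, ok in check(NAT_OUTPUT_LISTING, LISTENERS):
        print(f"{dst}:{dport} -> 127.0.0.1:{to_port}  loopback listener: {ok}")
```

A False result only means nothing is listening where the rewritten packet is sent; it does not by itself explain a connection attempt that hangs.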
 