iptables forward to local different port

Ross
      06-08-2006, 07:45 PM
Hi there,
I am running iptables 1.2.7 on my Linux box as a firewall.
I have a web server https://www.company.com:8064/ running well on this Linux
box to Internet.
Now, I want any client request https://www.company.com/ (port 443) to be
redirected/forwarded to port 8064.
How could I run iptables to do this?
Thanks in advance,
Ross


 
Llanzlan Klazmon
      06-08-2006, 11:21 PM

I believe you can use DNAT in the PREROUTING chain to do that.

From the man page:

DNAT
This target is only valid in the nat table, in the PREROUTING and OUTPUT
chains, and user-defined chains which are only called from those chains. It
specifies that the destination address of the packet should be modified
(and all future packets in this connection will also be mangled), and rules
should cease being examined. It takes one option:

--to-destination <ipaddr>[-<ipaddr>][:<port>-<port>]
which can specify a single new destination IP address, an inclusive
range of IP addresses, and optionally, a port range (which is only valid if
the rule also specifies -p tcp or -p udp). If no port range is specified,
then the destination port will never be modified.

Klazmon.
 
Allen Kistler
      06-09-2006, 12:02 AM
Llanzlan Klazmon wrote:
> I believe you can use DNAT in the PREROUTING chain to do that.

Actually you need to use REDIRECT in the PREROUTING chain, using the
--to-ports option.
 
Llanzlan Klazmon
      06-09-2006, 12:31 AM
Allen Kistler wrote:
> Actually you need to use REDIRECT in the PREROUTING chain, using the
> --to-ports option.


The Man page says:

---------------------------------------------------------------------------
REDIRECT
This target is only valid in the nat table, in the PREROUTING and OUTPUT
chains, and user-defined chains which are only called from those chains. It
alters the destination IP address to send the packet to the machine itself
(locally-generated packets are mapped to the 127.0.0.1 address). It takes
one option:

--to-ports <port>[-<port>]
This specifies a destination port or range of ports to use: without
this, the destination port is never altered. This is only valid if the
rule also specifies -p tcp or -p udp.
---------------------------------------------------------------------------

Maybe I am misunderstanding this but it suggests that the destination IP
address is changed to send the packet to the machine itself, but what
happens if there are multiple IP addresses on the incoming interface? Which
one does the incoming packet get sent to? If the OP is running more than
one web site with different IP addresses then there doesn't appear to be a
way using REDIRECT to specify the correct destination IP, whereas DNAT does
let you do this. Maybe it would be OK if it leaves the original destination
alone if it already corresponds to a local address. Must try this out to
see.

Klazmon.


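Added example, not from any of the posters: a POSIX sh script that prints the rules for exposing a service on the box itself under a second port, in both of the forms discussed above. For packets arriving from the network, REDIRECT rewrites the destination to the primary address of the interface the packet came in on, so on a host with several addresses on one interface it may not keep the address the client connected to; DNAT --to-destination with the original address pins it, which answers the question above. The script also emits the matching rule in the nat OUTPUT chain, because connections opened on the box itself never pass PREROUTING (the quoted man page says those are mapped to 127.0.0.1), and an INPUT ACCEPT for the listening port, because the filter table sees the packet after NAT. Both nat rules carry -d with the host's own address: a firewall that forwards for a LAN would otherwise rewrite every client's port-443 traffic into its local web server. The address 203.0.113.10 and the file name in the usage line are placeholders, and the function and its argument order are this example's own, not an iptables interface. Note that -p tcp loads the tcp match by itself, so -m tcp is optional.

```shell
#!/bin/sh
# Added example (not from the thread): print the iptables rules that expose
# a service listening on LISTEN_PORT as PUBLIC_PORT on this same host.
#
#   redirect_rules redirect|dnat PUBLIC_IP PUBLIC_PORT LISTEN_PORT
#
#   redirect : REDIRECT --to-ports; the destination address becomes the
#              primary address of the inbound interface (127.0.0.1 for
#              locally generated packets), fine for a single-address host
#   dnat     : DNAT --to-destination PUBLIC_IP:LISTEN_PORT; keeps the
#              address the client used, for hosts with several addresses
redirect_rules() {
    mode=$1
    public_ip=$2
    public=$3
    listen=$4

    case "$mode" in
        redirect) target="REDIRECT --to-ports $listen" ;;
        dnat)     target="DNAT --to-destination $public_ip:$listen" ;;
        *)        echo "usage: redirect_rules redirect|dnat PUBLIC_IP PUBLIC_PORT LISTEN_PORT" >&2
                  return 2 ;;
    esac

    # Packets from the network. -d limits the rewrite to this host's own
    # address: without it, a firewall that also forwards for a LAN would
    # pull every client's port-$public traffic into the local service.
    # -p tcp loads the tcp match on its own, so no -m tcp is needed.
    echo "iptables -t nat -A PREROUTING -d $public_ip -p tcp --dport $public -j $target"

    # Connections opened on the box itself never pass PREROUTING; they go
    # through nat OUTPUT instead. Same -d restriction, same target.
    echo "iptables -t nat -A OUTPUT -d $public_ip -p tcp --dport $public -j $target"

    # The filter table sees the packet after NAT: accept the listening port.
    # An INPUT ACCEPT for $public would never match the rewritten traffic.
    echo "iptables -A INPUT -d $public_ip -p tcp --dport $listen -j ACCEPT"
}

# Print the rules when run with arguments, e.g.
#   sh expose.sh redirect 203.0.113.10 443 8064
if [ "$#" -ge 4 ]; then
    redirect_rules "$@"
fi
```

Run it as `sh expose.sh redirect 203.0.113.10 443 8064` to review the rules, then pipe the output into sh to apply them. The INPUT rule must come before any DROP or REJECT already in that chain, since iptables evaluates rules in order.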
 
Ross
      06-09-2006, 06:57 PM
I have tried:
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 127.0.0.1:8064
and
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to 127.0.0.1:8064
and
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 127.0.0.1:8064
and
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8064

But none of them works.
Any further suggestions would be appreciated.
BTW, --to-ports is invalid for DNAT.

Ross

Allen Kistler
      06-09-2006, 10:55 PM
Ross wrote:
> # iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 127.0.0.1:8064
> [snip]

--to-ports doesn't take an IP address, just a port number.
REDIRECT already means the localhost should handle it.
 
Robert
      06-10-2006, 02:54 AM
On Fri, 09 Jun 2006 14:57:52 -0400, Ross wrote:

> [snip]
> But none of them works.
> Any further suggestions would be appreciated.


Make sure the INPUT chain also accepts this port coming in. Just because
you redirect a packet doesn't mean it's automatically accepted on the box.


--

Regards
Robert
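
Added example, not from any of the posters, that checks the point above against a rule dump. The filter table sees each packet after the nat PREROUTING rewrite, so the INPUT chain has to accept the port the service actually listens on (8064 here); an ACCEPT for the public port (443) never matches once every packet to 443 is rewritten, and only widens the rule set. The script parses iptables-save output with awk; the dump embedded in it is constructed for the example and deliberately includes a second DNAT rule whose rewritten port has no INPUT rule. The --live mode, which feeds it the running tables (root needed), and the function names are this example's own; the sample addresses and ports are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check that every TCP REDIRECT/DNAT
# rule in nat PREROUTING is matched by an INPUT ACCEPT for the rewritten
# port, which is the port the filter table sees after NAT.

# Constructed iptables-save dump for the example. The 80 -> 8080 DNAT is
# deliberately left without an INPUT rule for 8080.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8064
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 203.0.113.10:8080
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8064 -j ACCEPT
COMMIT'

# nat_targets RULES: one "PUBLIC_PORT REWRITTEN_PORT" line per redirecting rule
nat_targets() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A PREROUTING / && /-j (REDIRECT|DNAT) / {
            pub = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") pub = $(i + 1)
                if ($i == "--to-ports") dst = $(i + 1)
                if ($i == "--to-destination") { n = split($(i + 1), a, ":"); dst = a[n] }
            }
            if (pub != "" && dst != "") print pub, dst
        }'
}

# input_accepts RULES PORT: succeeds if filter INPUT has an ACCEPT for tcp PORT
input_accepts() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A INPUT / && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && $(i + 1) == port) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# check_redirects RULES: report each redirect; fail if a rewritten port is
# not accepted (the "the redirect is there but it doesn't work" symptom)
check_redirects() {
    nat_targets "$1" | while read -r pub dst; do
        if input_accepts "$1" "$dst"; then
            echo "ok:      $pub -> $dst, INPUT accepts $dst"
        else
            echo "MISSING: $pub -> $dst, INPUT does not accept $dst"
            exit 1    # leaves the pipeline subshell; becomes the function's status
        fi
    done
}

# dead_accepts RULES: public ports that PREROUTING rewrites but INPUT still
# accepts; those ACCEPTs never match (assuming the nat rule has no -s/-i
# restriction, as in the sample) and can be removed.
dead_accepts() {
    nat_targets "$1" | while read -r pub dst; do
        if input_accepts "$1" "$pub"; then
            echo "$pub"
        fi
    done
}

case "${1:-}" in
    --live)   check_redirects "$(iptables-save)" ;;   # root required
    --sample) check_redirects "$SAMPLE_RULES" ;;
esac
```

`sh check.sh --sample` prints one line per redirect and exits non-zero on the 80 -> 8080 rule; `dead_accepts` lists the INPUT ACCEPT for 443 as removable.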

Ross
      06-12-2006, 06:15 PM
Yes, I did. Here was what I did:
# iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 8064 -j ACCEPT
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8064

But it doesn't work.
Thanks for any idea.
Ross

Allen Kistler
      06-13-2006, 12:25 AM
Ross wrote:
> [snip]
> # iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8064
> But it doesn't work.


Check that you're not doing anything else to block packets.

FWIW, I've got ssh running on port 22. If I do

-t nat -A PREROUTING -m tcp -p tcp --dport 1022 \
-j REDIRECT --to-ports 22

then ssh from another box to port 1022, it works. So if you don't
believe the man page, you can believe (or not) an actual example.
 
Ross
      06-13-2006, 02:42 PM
Thanks a lot to everyone. It works now!
I think I missed "-m tcp".
This is what I have now:
# iptables -A INPUT -p tcp -i eth0 --dport 8064 -j ACCEPT
# iptables -t nat -A PREROUTING -m tcp -p tcp --dport 443 \
-j REDIRECT --to-ports 8064

Thanks again,
Ross