port redirect not accepted?

 
 
Laurens
Guest
Posts: n/a

 
      03-18-2007, 05:54 PM
Hi all,

It must be simple what I want, but I just can't find it...
I'm using an Ubuntu box with IPTables 1.3.3, which I manage through Webmin.

I want to route all incoming connections to port 6603 to be redirected
to port 3306; all on the same machine.

I made a redirect for this which does just that, but now it still
doesn't accept it, because my default input rule is to DROP.
Now, I can open up port 3306 in the input-chain, then everything works
OK... but the problem is, it is just my point to NOT have that port open.

I know, I could change my dbase port to 6603, but I prefer using
iptables. So, how can I make an input rule that will only accept
redirected traffic?

Thanks in advance...

Laurens
 
 
Sir Jackery
Guest
Posts: n/a

 
      03-19-2007, 02:04 AM
On Sun, 18 Mar 2007, Laurens wrote:

> Hi all,
>
> It must be simple what I want, but I just can't find it...
> I'm using an Ubuntu box with IPTables 1.3.3, which I manage through Webmin.
>
> I want to route all incoming connections to port 6603 to be redirected to
> port 3306; all on the same machine.
>
> I made a redirect for this which does just that, but now it still doesn't
> accept it, because my default input rule is to DROP.
> Now, I can open up port 3306 in the input-chain, then everything works
> OK... but the problem is, it is just my point to NOT have that port open.
>
> I know, I could change my dbase port to 6603, but I prefer using iptables.
> So, how can I make an input rule that will only accept redirected
> traffic?
>
> Thanks in advance...
>
> Laurens
>



To tell you the truth I can't figure out what you are trying to do. If you
want to redirect incoming traffic to a different port, try this:

$IPT -t nat -I PREROUTING -p tcp -d IP.ADDR.OF.BOX --dport 6603 -i \
$EXTINT -j DNAT --to IP.ADDR.OF.BOX:3306

where $IPT is your iptables binary and $EXTINT is the interface you want
this rule to apply to. This also assumes you have a prerouting rule like:

$IPT -t nat -P PREROUTING ACCEPT

I am not familiar with the particular GUI configuration tool you are using
with your distribution of Linux but these iptables calls are
distro-independent.

If this doesn't answer your question please restate it more clearly and I
will see if I can offer some help.


--
Sir Jackery
 
 
Laurens
Guest
Posts: n/a

 
      03-19-2007, 10:45 AM
Sir Jackery wrote:
> On Sun, 18 Mar 2007, Laurens wrote:
>
>> Hi all,
>>
>> It must be simple what I want, but I just can't find it...
>> I'm using an Ubuntu box with IPTables 1.3.3, which I manage through
>> Webmin.
>>
>> I want to route all incoming connections to port 6603 to be redirected
>> to port 3306; all on the same machine.
>>
>> I made a redirect for this which does just that, but now it still
>> doesn't accept it, because my default input rule is to DROP.
>> Now, I can open up port 3306 in the input-chain, then everything works
>> OK... but the problem is, it is just my point to NOT have that port
>> open.
>>
>> I know, I could change my dbase port to 6603, but I prefer using
>> iptables. So, how can I make an input rule that will only accept
>> redirected traffic?
>>
>> Thanks in advance...
>>
>> Laurens
>>

>
>
> To tell you the truth I can't figure out what you are trying to do. If
> you want to redirect incoming traffic to a different port, try this:
>
> $IPT -t nat -I PREROUTING -p tcp -d IP.ADDR.OF.BOX --dport 6603 -i \
> $EXTINT -j DNAT --to IP.ADDR.OF.BOX:3306
>
> where $IPT is your iptables binary and $EXTINT is the interface you want
> this rule to apply to. This also assumes you have a prerouting rule like:
>
> $IPT -t nat -P PREROUTING ACCEPT
>
> I am not familiar with the particular GUI configuration tool you are
> using with your distribution of Linux but these iptables calls are
> distro-independent.
>
> If this doesn't answer your question please restate it more clearly and
> I will see if I can offer some help.
>
>

OK, let me try to clear it up a bit.

My box hangs on the net and has two interfaces, eth0 and 1. eth0 is
internet, eth1 has 192.168.0.1. It is doing NAT and masquerading for my
network, but also runs an SQL server.

Now I redirect all calls to port 6603 to 3306. I manage to do that using
a DNAT rule to 192.168.0.1, and when I use a REDIRECT rule, it also works.
But, it now only works for everything on the eth1, because in the filter
table, everything other than eth0 is accepted.
For eth1 now, I have a few rules (like accept established and related
connections) in filter table.
To get the redirect to work for eth0, I need to accept all conn's to
port 3306.
Great, so I can redirect 6603 to 3306 and it works, also from the
outside! But, what I need is to block port 3306 to everyone BUT the
redirect. Only calls to 6603 may be allowed.

Hopefully, that clears it up a bit? I'm not very used to the command line
commands for iptables, but I'm able to retrieve what I need from it, so
that's fine...

Thanks so far...

Kind Regards,

Laurens
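
Added example, not part of either poster's messages: one way to meet the requirement stated in the post above (port 3306 reachable on eth0 only through the 6603 redirect) is to mark packets in the mangle table before NAT rewrites the port, then accept 3306 in INPUT only when the mark is present. The interface and port numbers come from the thread; the mark value 1, the function name and the dry-run default for $IPT are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: each rule is printed.
# Run as root with IPT=/sbin/iptables to apply the rules instead.
IPT="${IPT:-echo iptables}"   # $IPT as in the reply above; path is an assumption
EXTINT="${EXTINT:-eth0}"      # internet-facing interface named in the thread
PUBLIC_PORT=6603              # port clients connect to
DB_PORT=3306                  # port the database listens on
MARK=1                        # arbitrary packet mark (assumed unused elsewhere)

redirect_only_rules() {
    # mangle/PREROUTING runs before nat/PREROUTING, so the packet still
    # carries its original destination port here. Tag it.
    $IPT -t mangle -A PREROUTING -i "$EXTINT" -p tcp --dport "$PUBLIC_PORT" \
        -j MARK --set-mark "$MARK"

    # nat/PREROUTING then rewrites the destination port to the database port.
    $IPT -t nat -A PREROUTING -i "$EXTINT" -p tcp --dport "$PUBLIC_PORT" \
        -j REDIRECT --to-ports "$DB_PORT"

    # filter/INPUT sees the rewritten port. Accept it only with the mark;
    # direct connections to 3306 carry no mark and hit the DROP policy.
    $IPT -I INPUT -i "$EXTINT" -p tcp --dport "$DB_PORT" \
        -m mark --mark "$MARK" -j ACCEPT
}

redirect_only_rules
```

The mark lives on each packet inside the kernel only, so it has to be set on every packet of the connection; the mangle rule does that because it matches the original port 6603 before NAT is applied.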
 