iptables forward to local different port

Discussion in 'Linux Networking' started by Ross, Jun 8, 2006.

  1. Ross

    Ross Guest

    Hi there,
    I am running iptables 1.2.7 on my Linux box as a firewall.
    I have a web server https://www.company.com:8064/ running well on this Linux
    box to Internet.
    Now, I want any client request https://www.company.com/ (port 443) to be
    redirected/forwarded to port 8064.
    How could I run iptables to do this?
    Thanks in advance,
    Ross
     
    Ross, Jun 8, 2006
    #1

  2. I believe you can use DNAT in the PREROUTING chain to do that.

    From the man page:

    DNAT
    This target is only valid in the nat table, in the PREROUTING and OUTPUT
    chains, and user-defined chains which are only called from those chains. It
    specifies that the destination address of the packet should be modified
    (and all future packets in this connection will also be mangled), and rules
    should cease being examined. It takes one option:

    --to-destination <ipaddr>[-<ipaddr>][:port-port]
    which can specify a single new destination IP address, an inclusive
    range of IP addresses, and optionally, a port range (which is only valid if
    the rule also specifies -p tcp or -p udp). If no port range is specified,
    then the destination port will never be modified.

    Klazmon.
     
    Llanzlan Klazmon, Jun 9, 2006
    #2

  3. Actually you need to use REDIRECT in the PREROUTING chain, using the
    --to-ports option.
     
    Allen Kistler, Jun 9, 2006
    #3
  4. The Man page says:

    -----------------------------------------------------------------------------
    REDIRECT
    This target is only valid in the nat table, in the PREROUTING and OUTPUT
    chains, and user-defined chains which are only called from those chains. It
    alters the destination IP address to send the packet to the machine itself
    (locally-generated packets are mapped to the 127.0.0.1 address). It takes
    one option:

    --to-ports <port>[-<port>]
    This specifies a destination port or range of ports to use: without
    this, the destination port is never altered. This is only valid if the
    rule also specifies -p tcp or -p udp.
    -----------------------------------------------------------------------------

    Maybe I am misunderstanding this but it suggests that the destination IP
    address is changed to send the packet to the machine itself but what
    happens if there are multiple ip addresses on the incoming interface? Which
    one does the incoming packet get sent to. If the OP is running more than
    one web site with different IP addresses then there doesn't appear to be a
    way using REDIRECT to specify the correct destination IP, whereas DNAT does
    let you do this. Maybe it would be ok if it leaves the original destination
    alone if it already corresponds to a local address. Must try this out to
    see.

    Klazmon.
     
    Llanzlan Klazmon, Jun 9, 2006
    #4
  5. Ross

    Ross Guest

    I have tried:
    # iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 127.0.0.1:8064
    and
    # iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to 127.0.0.1:8064
    and
    # iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 127.0.0.1:8064
    and
    # iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8064

    But none of them works.
    Any further suggestions would be appreciated.
    BTW, --to-ports is invalid for DNAT.

    Ross


     
    Ross, Jun 9, 2006
    #5
  6. --to-ports doesn't take an IP address, just a port number.
    REDIRECT already means the localhost should handle it.
     
    Allen Kistler, Jun 9, 2006
    #6
  7. Robert

    Robert Guest

    Make sure the INPUT chain also accepts this port coming in. Just because
    you redirect a packet doesn't mean it's automatically accepted on the box.


    --

    Regards
    Robert

    Smile... it increases your face value!
     
    Robert, Jun 10, 2006
    #7
  8. Ross

    Ross Guest

    Yes, I did. Here was what I did:
    # iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
    # iptables -A INPUT -p tcp -i eth0 --dport 8064 -j ACCEPT
    # iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8064

    But it doesn't work.
    Thanks for any idea.
    Ross
     
    Ross, Jun 12, 2006
    #8
  9. Check that you're not doing anything else to block packets.

    FWIW, I've got ssh running on port 22. If I do

    -t nat -A PREROUTING -m tcp -p tcp --dport 1022 \
    -j REDIRECT --to-ports 22

    then ssh from another box to port 1022, it works. So if you don't
    believe the man page, you can believe (or not) an actual example.
     
    Allen Kistler, Jun 13, 2006
    #9
  10. Ross

    Ross Guest

    Thanks a lot to everyone. It works now!
    I think I missed "-m tcp".
    This is what I have now:
    # iptables -A INPUT -p tcp -i eth0 --dport 8064 -j ACCEPT
    # iptables -t nat -A PREROUTING -m tcp -p tcp --dport 443 \
    -j REDIRECT --to-ports 8064

    Thanks again,
    Ross
     
    Ross, Jun 13, 2006
    #10
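The two points the thread turns on are easy to lose in the back-and-forth: REDIRECT and DNAT both rewrite the destination in nat PREROUTING (Klazmon's question in #4 about which local address REDIRECT picks, and whether DNAT can pick another one), and the filter INPUT chain then sees the rewritten port, not the original one (Robert's point in #7, and the reason the final rule set in #10 only needs INPUT to accept 8064). The following is an added Python model of that path, written for this page; it is not iptables, it does not touch the kernel, and nobody in the thread posted it. The addresses 203.0.113.10/.11 are constructed, REDIRECT is assumed to aim at the primary address of the incoming interface, and a DNAT to 127.0.0.1 from an external interface is assumed to be dropped as unroutable (the default `route_localnet=0` behaviour), which is the model's explanation for the first of Ross's attempts in #5, not something the thread itself states.

```python
"""Toy model of nat PREROUTING (REDIRECT vs DNAT) followed by filter INPUT.

Constructed for illustration only: it is not iptables and it does not touch the kernel.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Constructed firewall: two public addresses on eth0 plus loopback.
PRIMARY_ADDR = {"eth0": "203.0.113.10", "lo": "127.0.0.1"}
LOCAL_ADDRS = {"203.0.113.10", "203.0.113.11", "127.0.0.1"}


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int
    in_iface: str = "eth0"


@dataclass(frozen=True)
class NatRule:
    """One '-t nat -A PREROUTING' rule."""
    target: str                      # "REDIRECT" or "DNAT"
    proto: Optional[str] = None      # -p tcp / -p udp
    dport: Optional[int] = None      # --dport
    to_ip: Optional[str] = None      # DNAT --to-destination address
    to_port: Optional[int] = None    # REDIRECT --to-ports, or the :port of --to-destination


@dataclass(frozen=True)
class FilterRule:
    """One '-A INPUT' rule."""
    verdict: str                     # "ACCEPT" or "DROP"
    proto: Optional[str] = None
    dport: Optional[int] = None


def validate(rule: NatRule) -> None:
    """Reject the option combinations the quoted man page text says are invalid."""
    if rule.to_port is not None and rule.proto not in ("tcp", "udp"):
        raise ValueError("a port in the target is only valid with -p tcp or -p udp")
    if rule.target == "REDIRECT" and rule.to_ip is not None:
        raise ValueError("--to-ports takes a port, not an address")
    if rule.target == "DNAT" and rule.to_ip is None:
        raise ValueError("DNAT needs --to-destination <ipaddr>[:port]")


def _matches(pkt: Packet, proto: Optional[str], dport: Optional[int]) -> bool:
    if proto is not None and proto != pkt.proto:
        return False
    if dport is not None and dport != pkt.dst_port:
        return False
    return True


def prerouting(pkt: Packet, rules: List[NatRule]) -> Packet:
    """nat PREROUTING: the first matching REDIRECT/DNAT rewrites the destination and ends evaluation."""
    for r in rules:
        validate(r)
        if not _matches(pkt, r.proto, r.dport):
            continue
        if r.target == "REDIRECT":
            # Assumed: REDIRECT aims at the primary address of the incoming interface.
            new_ip = PRIMARY_ADDR[pkt.in_iface]
        else:
            # DNAT lets the rule pick the exact address, local or not.
            new_ip = r.to_ip
        new_port = r.to_port if r.to_port is not None else pkt.dst_port
        return replace(pkt, dst_ip=new_ip, dst_port=new_port)
    return pkt


def input_chain(pkt: Packet, rules: List[FilterRule], policy: str = "DROP") -> str:
    """filter INPUT: evaluated on the packet after NAT, so it sees the rewritten port."""
    for r in rules:
        if _matches(pkt, r.proto, r.dport):
            return r.verdict
    return policy


def deliver(pkt: Packet, nat: List[NatRule], inp: List[FilterRule]) -> Tuple[str, Packet]:
    """Run one packet through PREROUTING, the routing decision, and INPUT."""
    nated = prerouting(pkt, nat)
    if nated.dst_ip == "127.0.0.1" and pkt.in_iface != "lo":
        # Assumed default kernel behaviour (route_localnet=0): a loopback destination
        # is not routable for a packet that arrived on an external interface.
        return ("MARTIAN", nated)
    if nated.dst_ip not in LOCAL_ADDRS:
        return ("FORWARD", nated)
    return (input_chain(nated, inp), nated)


# The thread's final working configuration (post #10).
FINAL_NAT = [NatRule("REDIRECT", proto="tcp", dport=443, to_port=8064)]
FINAL_INPUT = [FilterRule("ACCEPT", proto="tcp", dport=8064)]

if __name__ == "__main__":
    https = Packet("tcp", "203.0.113.10", 443)
    print(deliver(https, FINAL_NAT, FINAL_INPUT))
    print(deliver(https, FINAL_NAT, [FilterRule("ACCEPT", "tcp", 443)]))
    print(deliver(https, [NatRule("DNAT", "tcp", 443, "203.0.113.11", 8064)], FINAL_INPUT))
```

Running it shows the working set accepting a port-443 connection as a port-8064 packet, the same NAT rule paired with an INPUT rule that only accepts 443 ending in the DROP policy, and a DNAT that lands on the second local address, which REDIRECT cannot do. In the model, as in iptables, `-p tcp` is what makes `--dport` and a port in the target legal; `-m tcp` loads that same match explicitly.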
  11. Tauno Voipio

    Tauno Voipio Guest

    There's an easier way: just tell sshd to listen to both
    ports, and allow only the non-conventional in the firewall
    script.
     
    Tauno Voipio, Jun 13, 2006
    #11
  12. Sorry if anything in the thread was confusing to you, but the discussion
    was NOT about ssh. It was about using netfilter, very specifically
    netfilter, to redirect ANY traffic. ssh was just an example.
     
    Allen Kistler, Jun 17, 2006
    #12
  13. Tauno Voipio

    Tauno Voipio Guest

    OK. Mea culpa.

    It seems that I could not follow all the waves of the discussion.

    OT: Moving HTTP and SSH to some weird ports seems to calm
    the undesired traffic considerably, as the scripts in circulation
    seem to probe for the well-known ports only.
     
    Tauno Voipio, Jun 17, 2006
    #13
  14. SiN

    SiN Guest

    instead of using the REDIRECT directive try DNATing it ...

    iptables -t nat -A PREROUTING -m tcp -p tcp --dport 1022 -j DNAT --to-ports 22
     
    SiN, Jun 17, 2006
    #14
