Fedora Linux Support Community & Resources Center
  #1  
Old 18th February 2010, 05:07 AM
rurikc Offline
Registered User
 
Join Date: Jan 2010
Posts: 62
simple port redirect

Hi,

I want to do a simple port redirect, i.e. whatever comes through whatever interface on port AAAA will get redirected to port BBBB.

I thought that

iptables -t nat -I PREROUTING --source 0/0 --destination 0/0 -p tcp --dport AAAA -j REDIRECT --to-ports BBBB

However, it doesn't work, e.g.
nc -v -w2 -z localhost AAAA
gives:
nc: connect to localhost port AAAA (tcp) failed: Connection refused
while
nc -v -w2 -z localhost BBBB
gives:
Connection to localhost BBBB port [....] succeeded!

I suspect that I am missing something obvious, but what?

(there is no firewall and net.ipv4.ip_forward=1)

Cheers,
  #2  
Old 18th February 2010, 08:41 PM
madhavdiwan Offline
Registered User
 
Join Date: Jun 2009
Posts: 472
You are using the wrong target.

What you want to do, with the same syntax, is called port forwarding,

and the target is DNAT.

Quote:
/sbin/iptables -t nat -A PREROUTING -p tcp --source 0/0 -d 0/0 --dport 8888 -j DNAT --to 192.168.0.2:80
By the way, do not forget you need a rule for FORWARD, because iptables IS a firewall.

Last edited by madhavdiwan; 18th February 2010 at 09:12 PM. Reason: removed incorrect REDIRECT def
  #3  
Old 18th February 2010, 08:49 PM
William Haller Offline
Registered User
 
Join Date: Jul 2005
Age: 52
Posts: 1,013
/sbin/iptables -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp --dport 80 -j REDIRECT --to-port 8081

works here to reroute http to dansguardian on our gateway. That may not be what you are trying to do, but at least it's a working example.

(Also have /sbin/iptables -A In-LAN -i + -p tcp -m tcp --sport 1024:65535 --dport 8081 -m state --state NEW -j ACCEPT as part of the main firewall configuration).

Last edited by William Haller; 18th February 2010 at 08:52 PM. Reason: Additional info
  #4  
Old 18th February 2010, 10:39 PM
rurikc Offline
Registered User
 
Join Date: Jan 2010
Posts: 62
Quote:
Originally Posted by madhavdiwan View Post
You are using the wrong target.

What you want to do, with the same syntax, is called port forwarding,

and the target is DNAT.
madhavdiwan,

My understanding is that DNAT is for forwarding to another IP.

What I want is on the same IP (machine, if you will).

I.e. I have a server responding on port AAAA; I want it also to respond if a request comes to port BBBB. My understanding was that a simple REDIRECT would do just that: move the packets from BBBB to AAAA.

Quote:
Originally Posted by madhavdiwan View Post
By the way, do not forget you need a rule for FORWARD, because iptables IS a firewall.
Even if there are no other rules? (everything set to ACCEPT?) Can you give an example?

Thanks.

Cheers,
  #5  
Old 18th February 2010, 10:55 PM
madhavdiwan Offline
Registered User
 
Join Date: Jun 2009
Posts: 472
The use of FORWARD rules depends on what your default iptables FORWARD policy is set to.

Most default policies that come with a distro are set to accept everything, and rely on rules to deny.

You are correct, DNAT is usually for another IP, but it does not have to be. If you want to keep the packet on the same machine, you could follow William Haller's example from his post.

Last edited by madhavdiwan; 18th February 2010 at 11:17 PM.
  #6  
Old 18th February 2010, 11:01 PM
Gödel Offline
Registered User
 
Join Date: Jul 2009
Location: London,England
Posts: 1,095
Actually, port forwarding can be local. And you can do it via the Firewall gui under the port forwarding section.

Once you have used the gui to do it, you can then type 'iptables-save' (as root) to see what commands were used:

E.g. if I forward port 9090 to 9091 locally on interface eth0 I get:

*nat
...
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9090 -j DNAT --to-destination :9091
...
*filter
...
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 9091 -j ACCEPT
...
  #7  
Old 18th February 2010, 11:52 PM
rurikc Offline
Registered User
 
Join Date: Jan 2010
Posts: 62
Quote:
Originally Posted by Gödel View Post
Actually, port forwarding can be local. And you can do it via the Firewall gui under the port forwarding section.

...
This is bizarre:

So I used the firewall GUI (system-config-firewall).

It did put in the rules as I expected, and it still doesn't work.

???

(this is a stock fedora kernel 2.6.31.12-174.2.3.fc12.x86_64 with nvidia on top)
  #8  
Old 19th February 2010, 04:16 PM
Gödel Offline
Registered User
 
Join Date: Jul 2009
Location: London,England
Posts: 1,095
It would work if you specify the LAN network interface in the iptables rule, and run the nc command from another machine on the LAN.

But by default iptables doesn't filter loopback traffic, and I'm not sure how you would set it up (breaking loopback traffic will break lots of local services). If you need to enable this locally for testing purposes then an easier solution would perhaps be to use something like socat:

Code:
yum install socat
socat TCP-LISTEN:AAAA,fork TCP:localhost:BBBB &
Then run your tests; if it works locally and you finish testing, you can kill the socat process, and the iptables rules explained above will route the packets for incoming network connections.

To do it via iptables would require a filter table rule on the OUTPUT chain, I assume, but I've not done this before so can't advise on that (the Firewall GUI doesn't even have the loopback device lo in the interface list, so I assume it's not trivial or common).

---------- Post added at 04:16 PM CST ---------- Previous post was at 01:59 PM CST ----------

Experimented this afternoon, and it's pretty straightforward actually: apply a rule to the OUTPUT chain in the nat table (not filter, as I incorrectly suggested above).

Code:
iptables -t nat -A OUTPUT -p tcp --dport AAAA -j REDIRECT --to-ports BBBB
Now (assuming something is listening on TCP port BBBB):

Code:
nc -v -w2 -z localhost AAAA
nc: connect to localhost port AAAA (tcp) failed: Connection refused
Connection to localhost AAAA port [tcp/*] succeeded!
The first Connection refused appears because iptables only does IPv4 forwarding, and there are two localhost addresses defined in /etc/hosts, ::1 for IPv6 and 127.0.0.1 for IPv4. You can check with telnet:

Code:
$ telnet localhost AAAA
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
You won't get the refused message if you explicitly use 127.0.0.1:

Code:
$ nc -v -w2 -z 127.0.0.1 AAAA
Connection to 127.0.0.1 AAAA port [tcp/*] succeeded!

(You need ip6tables for IPv6 rules.)
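A small diagnostic for the pitfall this post and post #6 describe, written as an added example rather than anything from the thread: it parses iptables-save output (the embedded excerpt is constructed, modelled on the rules Gödel pasted in post #6) and reports whether a TCP port redirect covers remote clients (nat PREROUTING) and locally generated connections (nat OUTPUT), which is why a PREROUTING-only rule looks broken when tested with nc against localhost. The function names and sample data are assumptions of this example.

```python
import re

# Constructed iptables-save excerpt modelled on the thread: the GUI-generated
# DNAT rule matches traffic arriving on eth0 (nat PREROUTING) only, so a test
# from the same host via localhost never traverses it.
SAMPLE_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9090 -j DNAT --to-destination :9091
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 9091 -j ACCEPT
COMMIT
"""

# Matches REDIRECT (--to-ports N) and DNAT (--to-destination [addr]:N) rules.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+).*?-p tcp .*?--dport (?P<dport>\d+) "
    r"-j (?P<target>REDIRECT|DNAT) (?:--to-ports |--to-destination [\d.]*:)(?P<to>\d+)"
)


def parse_redirects(save_text):
    """Return (chain, dport, to_port) for every REDIRECT/DNAT rule in the nat table."""
    table, found = None, []
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:]          # '*nat', '*filter', ... start a new table
        elif table == "nat":
            m = RULE_RE.match(line)
            if m:
                found.append((m["chain"], int(m["dport"]), int(m["to"])))
    return found


def check_redirect(save_text, port):
    """Report which traffic paths a redirect of TCP `port` covers.

    Remote clients traverse nat PREROUTING; connections generated on the host
    itself (nc localhost) traverse nat OUTPUT instead, so a rule in only one
    chain covers only one of the two cases.
    """
    rules = [r for r in parse_redirects(save_text) if r[1] == port]
    chains = {chain for chain, _, _ in rules}
    return {
        "remote": "PREROUTING" in chains,
        "local": "OUTPUT" in chains,
        "to_ports": sorted({to for _, _, to in rules}),
    }
```

Run it against the real `iptables-save` output and a `remote: True, local: False` result is exactly the symptom rurikc saw; note it reads the IPv4 tables only, so ::1 needs a separate look at ip6tables-save.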
  #9  
Old 19th February 2010, 04:17 PM
madhavdiwan Offline
Registered User
 
Join Date: Jun 2009
Posts: 472
... OR

use the DNAT target.
  #10  
Old 19th February 2010, 04:21 PM
Gödel Offline
Registered User
 
Join Date: Jul 2009
Location: London,England
Posts: 1,095
Quote:
Originally Posted by madhavdiwan View Post
... OR

use the DNAT target.
I think you missed my update to the previous post; you can do it with a simple rule on the OUTPUT chain of the nat table:

Code:
iptables -t nat -A OUTPUT -p tcp --dport AAAA -j REDIRECT --to-ports BBBB
  #11  
Old 19th February 2010, 04:26 PM
madhavdiwan Offline
Registered User
 
Join Date: Jun 2009
Posts: 472
Not at all, I appreciate the fact that you found an answer and did the research to prove it.
Really, I was just pointing out that there is more than one way to do things.