[CentOS] NAT from eth0:0 port 80 to lo port 8080?
Jeff Potter
jpotter-centos at codepuppy.com
Fri May 11 00:24:32 UTC 2007
Thanks, Florin and Robert, for your suggestions.
I'm still stumped, though.
This rule looks to be the REDIRECT rule that Robert suggests.
Unfortunately, as I have it written here, it fails instantly --
telnetting to port 80 causes an instant error.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 127.0.0.1:8080
This gets packets in, but no reply:
iptables -t nat -A PREROUTING -p tcp -d 64.61.61.112 --dport 80 -j DNAT --to-destination 127.0.0.1:8080
Florin, I did try running tcpdump before -- good to hear this was a
sound way to debug this; the above "no reply" rule shows the
following packet:
19:47:07.707346 IP [my laptop's ip address].39679 > 64.61.61.112.http: S 4212369272:4212369272(0) win 5840 <mss 1460,sackOK,timestamp 1264677320 0,nop,wscale 2>
So, I'm still stumped.
The exact iptables rules are below.
Any other thoughts? There's not something besides /proc/sys/net/ipv4/ip_forward
that needs to be twiddled, is there?
best,
Jeff
> % iptables -L -v
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   197 20881 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT 139 packets, 36106 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
>  pkts bytes target     prot opt in     out     source               destination
>     8  1688 ACCEPT     all  --  lo     any     anywhere             anywhere
>     1    84 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
>     0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
>     0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
>     0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:5353
>     0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ipp
>   181 18689 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
>     2   120 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
>     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
>     0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:webcache
>     5   300 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            tcp dpt:5666
>     0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
--
Jeff Potter
http://www.atof.net/go/boston
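Editor's added example, not part of Jeff's post: the packet counters in `iptables -L -v` show where a connection went, and a redirect to 8080 that is working shows up as hits on the `dpt:webcache` rule of RH-Firewall-1-INPUT (nat PREROUTING runs before filter INPUT, so INPUT sees the rewritten port). This parser reads the listing as iptables prints it, including the `ipv6-crypt--` case where a long protocol name runs into the opt column, and checks that counter; the sample listing is constructed from the chains quoted above, unwrapped to one rule per line.

```python
import re

# Constructed sample in `iptables -L -v` layout: the filter chains from the post,
# unwrapped to one rule per line (the archive wrapped each rule over two lines).
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  197 20881 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    8  1688 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
  181 18689 ACCEPT     all  --  any    any     anywhere             anywhere           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           state NEW tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere           state NEW tcp dpt:webcache
    0     0 REJECT     all  --  any    any     anywhere             anywhere           reject-with icmp-host-prohibited
"""
COUNTER = re.compile(r"^(\d+)([KMG]?)$")  # -v abbreviates large counters (12K) unless -x is given
SCALE = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

def parse_listing(text):
    """Parse `iptables -L -v` output into dicts: chain, pkts, target, prot, in, extra."""
    rules, chain = [], None
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("Chain "):
            chain = parts[1]
            continue
        m = COUNTER.match(parts[0]) if parts else None
        if not m:
            continue  # blank line or the column-header line
        # A long protocol name fills its column and runs into "opt": "ipv6-crypt--"
        if parts[3].endswith("--") and len(parts[3]) > 2:
            parts[3:4] = [parts[3][:-2], "--"]
        if len(parts) < 9:
            continue
        rules.append({"chain": chain, "pkts": int(m[1]) * SCALE[m[2]],
                      "target": parts[2], "prot": parts[3], "in": parts[5],
                      "extra": " ".join(parts[9:])})  # match text after destination
    return rules

def rules_for_dport(rules, *ports):
    """Rules whose match text names one of the given destination ports/services."""
    wanted = {f"dpt:{p}" for p in ports}
    return [r for r in rules if wanted & set(r["extra"].split())]

def redirect_reached_filter(rules):
    """True once any filter rule for the redirect target (8080 = webcache) has counted a packet."""
    return any(r["pkts"] > 0 for r in rules_for_dport(rules, "webcache", "8080"))
```

On the quoted listing both `dpt:http` and `dpt:webcache` are still at 0 although the nat rule saw the SYN, so the rewritten packet never reached the filter INPUT chain. Two facts worth checking against that: REDIRECT's `--to-ports` takes a port number only, and it rewrites the destination to the primary address of the interface the packet arrived on, so the service on 8080 must listen on that address (or 0.0.0.0), not on 127.0.0.1 alone.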