[CentOS] iptables port forwarding

Ljubomir Ljubojevic office at plnet.rs
Tue Jun 28 08:05:25 UTC 2011


Christopher Chan wrote:
> On Tuesday, June 28, 2011 02:38 AM, Ljubomir Ljubojevic wrote:
>> John R Pierce wrote:
>>> On 06/27/11 10:43 AM, Ljubomir Ljubojevic wrote:
>>>>> note that doesn't show all the pertinent info. I prefer `iptables -L
>>>>> -vn`, and it still doesn't show the nat tables, you also need
>>>>> `iptables -L -vn -t nat` to see those chains, and `iptables -L -vn -t
>>>>> mangle` if you're using any mangle entries.
>>>>
>>>> iptables-save is designed for iptables output.
>>>
>>> sure, for saving to the startup scripts.... the commands I listed
>>> above were to display the tables with full info... Without the -v
>>> flag, -L only shows part of the important stuff.
>>>
>> iptables-save man:
>>
>> DESCRIPTION:
>> iptables-save is used to dump the contents of an IP Table in easily
>> parseable format to STDOUT. Use I/O-redirection provided by your shell
>> to write to a file.
>>
> 
> You seem to have a problem understanding what John is saying. When you 
> add the v flag, iptables will also report in/out interfaces so that you 
> don't have to guess when you are trying to fix up the rules on the spot 
> and not by editing some file.
> 

My point should have been that listing the digested result with "iptables 
-L..." is not what we needed from the OP. In order to help him solve his 
problem, he needed to output his *rules*, not a "nice presentation of 
used rules".

With iptables-save he/we could see the actual rules used for creating the 
Fedora and CentOS firewall, so he/we can use that output to suggest the 
exact rules he needs.

I started wrestling with iptables rules in 2005 when I started working 
as a networking admin and had to solve some very hard problems including 
policy routing, marking packets in the right order, etc. Since then I have 
gained a lot of experience in helping others (on several forum sites) 
understand what they have and what they need to add/remove/change.

With iptables-save you get reusable output and all you need to do is to 
say "use this, this, and that rule, change that one and remove that 
one, and it should work", so there is no chance of making an error in 
converting (retyping) iptables -L into the actual rules already provided 
by iptables-save.

Ljubomir

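The thread's point is that iptables-save output is machine-parseable while iptables -L output is not. The following shell snippet, added here as an illustration and not part of the original message or of any CentOS script, parses a constructed iptables-save dump (the addresses, interfaces and ports are made up) for the port-forwarding case named in the subject: it lists every DNAT rule in the nat table and then checks that the filter table's FORWARD chain actually accepts traffic to the DNAT target, which is the part that is easy to miss when the FORWARD policy is DROP. The function names list_port_forwards and forward_allowed are this example's own.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output for a port forward
# (host port 8080 -> 192.168.1.10:80). Not captured from a real host.
SAMPLE_SAVE='# Generated by iptables-save v1.4.7
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp -d 192.168.1.10 --dport 80 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# list_port_forwards SAVED_RULES
# Prints one line per DNAT rule in the *nat table: "iface proto dport -> target".
# The *table / COMMIT lines delimit tables, so a DNAT string elsewhere is ignored.
list_port_forwards() {
  printf '%s\n' "$1" | awk '
    /^\*/    { table = substr($0, 2); next }
    /^COMMIT/ { table = ""; next }
    table == "nat" && /-j DNAT/ {
      iface = "any"; proto = "?"; dport = "?"; dest = "?"
      for (i = 1; i <= NF; i++) {
        if ($i == "-i") iface = $(i + 1)
        else if ($i == "-p") proto = $(i + 1)
        else if ($i == "--dport") dport = $(i + 1)
        else if ($i == "--to-destination") dest = $(i + 1)
      }
      printf "%s %s %s -> %s\n", iface, proto, dport, dest
    }'
}

# forward_allowed SAVED_RULES HOST PORT
# Exit 0 if the filter FORWARD chain has an ACCEPT rule for HOST:PORT, else 1.
# A DNAT rule alone does nothing useful when FORWARD's policy is DROP.
forward_allowed() {
  printf '%s\n' "$1" | awk -v host="$2" -v port="$3" '
    /^\*/    { table = substr($0, 2); next }
    /^COMMIT/ { table = ""; next }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/ {
      d = ""; p = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-d") d = $(i + 1)
        else if ($i == "--dport") p = $(i + 1)
      }
      sub(/\/32$/, "", d)          # iptables-save may print 192.168.1.10/32
      if (d == host && p == port) { found = 1; exit }
    }
    END { if (found) exit 0; exit 1 }'
}

# Stand-alone usage: on a real box replace "$SAMPLE_SAVE" with "$(iptables-save)".
list_port_forwards "$SAMPLE_SAVE"
if forward_allowed "$SAMPLE_SAVE" 192.168.1.10 80; then
  echo "FORWARD chain accepts 192.168.1.10:80"
else
  echo "FORWARD chain does NOT accept 192.168.1.10:80"
fi
```

The same two checks cannot be run against iptables -L output without guessing interfaces and reconstructing options by hand, which is exactly the retyping error the message warns about. One caveat the ruleset itself cannot show: forwarding also needs net.ipv4.ip_forward set to 1 in the kernel, so check sysctl as well as the saved rules.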