On Fri, May 11, 2007 at 10:38:56AM +0200, Lorenzo wrote:
John R Pierce ha scritto:
Jeff Potter wrote:
Thanks, Florin and Robert, for your suggestions.
I'm still stumped, though.
This rule looks to be the REDIRECT rule that Robert suggests. Unfortunately, as I have it written here, it fail instantly -- telnetting to port 80 causes an instant error. iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 127.0.0.1:8080
This gets packets in, but no reply: iptables -t nat -A PREROUTING -p tcp -d 64.61.61.112 --dport 80 -j DNAT --to-destination 127.0.0.1:8080
IIRC, you need TWO commands to setup a port forward with iptables, one for the incoming like you've specified, and another to handle the response.
classic example is...
iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx \ --dport 8888 -j DNAT --to 192.168.0.2:80 iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT
I'm not sure if this will work.
You may need to also SNAT to 127.0.0.0/8 as well to make this work... something like:
iptables -A PREROUTING -t nat -p tcp -m tcp -i eth0 -d 64.61.61.112 \ --dport 80 -j DNAT --to 127.0.0.1:8080 iptables -A POSTROUTING -t nat -p tcp -m tcp -o lo -d 127.0.0.0 \ --dport 8080 -j SNAT --to 127.0.0.1
And of course you'd need to make sure your FORWARD rules and such are accepting. Best bet is to just make iptables ACCEPT everything by default (policy) until you have this working. :)
That or create a sub-interface on lo with RFC1918 address space and not within 127.0.0.0/8.
Maybe someone else can confirm or deny that there are special restrictions involving the loopback IP's ?
Ray