Hi
I am trying to forward port 80 to 8080 locally using iptables with the following:
/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
However, this does not get put into the iptables configuration even after running iptables-save.
Have I missed something along the way?
Thanks
Hi,
On Thu, Oct 23, 2008 at 09:15, Tom Brown tom@ng23.net wrote:
> However this does not get put into the iptables configuration even after running iptables-save
iptables-save will only output the rules in a way that iptables-restore will be able to rebuild the rules from.
If what you want is for these rules to be up when you boot the machine, what you want is probably "service iptables save", which will use iptables-save to record these rules to /etc/sysconfig/iptables, and a script automatically calls iptables-restore to read that file upon boot.
HTH, Filipe
> iptables-save will only output the rules in a way that iptables-restore will be able to rebuild the rules from.
> If what you want is for these rules to be up when you boot the machine, what you want is probably "service iptables save", which will use iptables-save to record these rules to /etc/sysconfig/iptables, and a script automatically calls iptables-restore to read that file upon boot.
Thanks. Once added, do I need to do anything to make these 'live'? I imagine that an iptables restart will cut off current connections? Is there not a 'reload' or similar?
Thanks
Hi,
On Thu, Oct 23, 2008 at 10:01, Tom Brown tom@ng23.net wrote:
> thanks - once added do i need to do anything to make these 'live' ? I imagine that a iptables restart will cut off current connections ? Is there not a 'reload' or similar?
AFAIK, "service iptables restart" does not cut off current connections. The stateful connections are kept by the conntrack module, which I believe will not be cleared on a restart of iptables, and "service iptables restart" also uses iptables-restore, which does the changes atomically instead of one by one.
However, don't blindly follow what I'm saying here, this is all from memory and I might be wrong. If you really need to know it, verify it on a test environment before you do it on the production one.
HTH, Filipe
> AFAIK, "service iptables restart" does not cut off current connections. The stateful connections are kept by the conntrack module, which I believe will not be cleared on a restart of iptables, and "service iptables restart" also uses iptables-restore, which does the changes atomically instead of one by one.
> However, don't blindly follow what I'm saying here, this is all from memory and I might be wrong. If you really need to know it, verify it on a test environment before you do it on the production one.
Yes, of course. Thanks for all the assistance.
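The save-then-restore workflow Filipe describes above, as an added shell example that is not from the thread or from the CentOS init scripts: the PREROUTING REDIRECT rule in the format iptables-save emits and "service iptables save" writes to /etc/sysconfig/iptables, and a load through iptables-restore, which replaces a table's rules in one operation rather than one command at a time. The port numbers, the temporary file and the APPLY switch are assumptions made for the demonstration; the two functions that touch the live firewall need root.

```shell
#!/bin/sh
# Added example, not code from the thread or from the CentOS init scripts.
# Port numbers, file paths and the APPLY switch are assumptions.

# gen_nat_redirect FROM TO: emit a nat-table fragment redirecting incoming TCP
# traffic on port FROM to local port TO. This is how iptables-save prints the
# rule from the original post (it spells the option --to-ports; the --to-port
# given on the command line is accepted as an abbreviation of it).
gen_nat_redirect() {
    from_port=$1
    to_port=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport ${from_port} -j REDIRECT --to-ports ${to_port}
COMMIT
EOF
}

# save_ruleset FILE: what "service iptables save" does, with the destination
# as a parameter (the init script uses /etc/sysconfig/iptables and keeps the
# file root-only, since it reveals the whole firewall policy). Needs root.
save_ruleset() {
    iptables-save > "$1" && chmod 600 "$1"
}

# load_ruleset FILE: load FILE the way "service iptables restart" does. The
# kernel swaps each table's ruleset in a single replace, so there is no window
# in which only some of the rules are present; that is the reason to prefer
# iptables-restore over re-running iptables commands one by one. Add
# -n/--noflush to append to the current tables instead of replacing them.
load_ruleset() {
    iptables-restore < "$1"
}

# Demonstration: write the fragment to a temporary file (left in place for
# inspection) and only touch the live firewall when explicitly asked to
# (APPLY=yes) and running as root.
rules_file=$(mktemp)
gen_nat_redirect 80 8080 > "$rules_file"
echo "rules written to $rules_file:"
cat "$rules_file"
if [ "${APPLY:-no}" = yes ] && [ "$(id -u)" -eq 0 ]; then
    load_ruleset "$rules_file"
fi
```

Run it as a normal user to see the fragment; as root with APPLY=yes it loads the nat table, which is exactly the effect of putting the same lines into /etc/sysconfig/iptables and running "service iptables restart".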
Tom Brown wrote:
> I am trying to forward port 80 to 8080 locally using iptables with the following
> /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
> However this does not get put into the iptables configuration even after running iptables-save
> Have i missed something along the way?
Try adding it manually to the iptables config.
# vim /etc/sysconfig/iptables
And then restart iptables.
Regards, Max
Max Hetrick wrote:
> Chan Chung Hang Christopher wrote:
>> Not recommended. Do 'service iptables save' as Filipe posted.
> I've never had any issues doing so. I know Johnny has recommended that several times on the list as well. If he says it works, then I would say it can't hurt. ;)
YMMV. I prefer to build one via iptables, save it, then copy the file across to all other hosts that use the same rules.
Christopher Chan wrote:
> YMMV. I prefer to build one via iptables, save it, then copy the file across to all other hosts that use the same rules.
Your preferred method and mine might be different, but the end result is the same, so what does it really matter? That's rhetorical by the way, because we both answered his question.
Let this thread die now since the question was answered.
Max
On Thursday 23 October 2008 09:53, Chan Chung Hang Christopher wrote:
>> Try adding it manually to the iptables config.
>> # vim /etc/sysconfig/iptables
>> And then restart iptables.
> Not recommended. Do 'service iptables save' as Filipe posted.
You will need to explain why this is 'Not recommended'. I do this all the time without issues. In fact this is how I build my tables. No GUI or save options.
Robert Spangler wrote:
> On Thursday 23 October 2008 09:53, Chan Chung Hang Christopher wrote:
>>> Try adding it manually to the iptables config.
>>> # vim /etc/sysconfig/iptables
>>> And then restart iptables.
>> Not recommended. Do 'service iptables save' as Filipe posted.
> You will need to explain why this is 'Not recommended'.
Never had typos?
> I do this all the time without issues.
Good for you.
> In fact this is how I build my tables. No GUI or save options.
Heh. /me chops down RH-Firewall-1 on sight.
On Fri, Oct 24, 2008 at 08:25:40AM +0800, Christopher Chan wrote:
> Robert Spangler wrote:
>> On Thursday 23 October 2008 09:53, Chan Chung Hang Christopher wrote:
>>>> Try adding it manually to the iptables config.
>>>> # vim /etc/sysconfig/iptables
>>>> And then restart iptables.
>>> Not recommended. Do 'service iptables save' as Filipe posted.
>> You will need to explain why this is 'Not recommended'.
> Never had typos?
What's your point? Typos can happen whenever the keyboard is used for typing. :) That is regardless of whether the typing goes into a GUI, a command line, or file editing.
We are, however, supposed to test our doings. Then most errors get revealed, be they dumb typos or the more astute kind.
BTW, I also prefer a nicely commented rules file instead of the dry list dumped by iptables-save.
Mihai
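Christopher's objection to hand-editing the file comes down to typos, and Mihai's answer is to test before loading. An added shell example (not from the thread, and not part of any CentOS tooling) of what such a test can look like for a hand-edited /etc/sysconfig/iptables: a structural check that needs no privileges and catches the two easiest mistakes to make in that file (a chain name mistyped in a rule, a table left without its COMMIT), followed by an iptables-restore dry run when the host allows it. The two sample files are constructed for the example, and the availability of the --test option is an assumption about the host's iptables version.

```shell
#!/bin/sh
# Added example, not from the thread. Sample rules files are constructed.

# lint_rules_file FILE: return 0 when FILE looks like valid iptables-save
# output, 1 otherwise, printing one line per problem found. In this format
# every chain, built-in ones included, is declared with a ":NAME" line before
# any "-A NAME" rule, so a rule naming an undeclared chain is a typo.
lint_rules_file() {
    file=$1
    table=""        # table currently opened by a "*name" line
    chains=" "      # space-delimited chain names declared in that table
    errors=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) ;;                            # blank line or comment
            '*'*)                                  # table header
                if [ -n "$table" ]; then
                    echo "$file:$lineno: table $table not closed with COMMIT"
                    errors=$((errors + 1))
                fi
                table=${line#\*}
                chains=" "
                ;;
            COMMIT)
                if [ -z "$table" ]; then
                    echo "$file:$lineno: COMMIT without an open table"
                    errors=$((errors + 1))
                fi
                table=""
                ;;
            ':'*)                                  # chain declaration
                name=${line#:}
                name=${name%% *}
                chains="$chains$name "
                ;;
            -A\ *|-I\ *)                           # rule: second word is the chain
                set -- $line
                case $chains in
                    *" $2 "*) ;;
                    *)
                        echo "$file:$lineno: chain $2 is not declared in table ${table:-<none>}"
                        errors=$((errors + 1))
                        ;;
                esac
                ;;
            *)
                echo "$file:$lineno: unexpected line: $line"
                errors=$((errors + 1))
                ;;
        esac
    done < "$file"
    if [ -n "$table" ]; then
        echo "$file: table $table not closed with COMMIT"
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# dry_run_restore FILE: ask iptables-restore to parse FILE without loading it
# (--test). This needs root, because the kernel is consulted for table info,
# and an iptables release that has the option; both are assumptions about the
# host, so the function reports "skipped" instead of failing without them.
dry_run_restore() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore dry run skipped (needs root and iptables-restore)"
        return 0
    fi
    iptables-restore --test < "$1"
}

# Constructed samples: a correct nat table, and the same table with the chain
# name mistyped and the COMMIT forgotten.
good=$(mktemp)
bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat > "$good" <<'EOF'
# Generated by iptables-save (constructed sample, not a real dump)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
EOF
cat > "$bad" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTNG -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
EOF

echo "checking $good"
lint_rules_file "$good" && echo "  ok"
echo "checking $bad"
lint_rules_file "$bad" || echo "  rejected, as it should be"
dry_run_restore "$good" || echo "iptables-restore rejected the file"
```

Point lint_rules_file at the edited /etc/sysconfig/iptables before running "service iptables restart"; the structural check is cheap enough to run every time, and the --test dry run, where the iptables release supports it, also catches bad match and target options that no text check can see.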