[CentOS] NAT from eth0:0 port 80 to lo port 8080?

Fri May 11 13:21:13 UTC 2007
Ray Van Dolson <rvandolson at esri.com>

On Fri, May 11, 2007 at 10:38:56AM +0200, Lorenzo wrote:
> John R Pierce ha scritto:
> >Jeff Potter wrote:
> >>
> >>Thanks, Florin and Robert, for your suggestions.
> >>
> >>I'm still stumped, though.
> >>
> >>This rule looks to be the REDIRECT rule that Robert suggests. 
> >>Unfortunately, as I have it written here, it fails instantly -- 
> >>telnetting to port 80 causes an instant error.
> >>    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT 
> >>--to-ports 127.0.0.1:8080
> >>
> >>This gets packets in, but no reply:
> >>    iptables -t nat -A PREROUTING -p tcp -d 64.61.61.112 --dport 80 -j 
> >>DNAT --to-destination 127.0.0.1:8080
> >
> >IIRC, you need TWO commands to setup a port forward with iptables, one 
> >for the incoming like you've specified, and another to handle the response.
> >
> >classic example is...
> >
> >iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx   \
> >         --dport 8888 -j DNAT --to 192.168.0.2:80
> >iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT
> >

I'm not sure if this will work.

You may need to also SNAT to 127.0.0.0/8 as well to make this work...
something like:

iptables -A PREROUTING -t nat -p tcp -m tcp -i eth0 -d 64.61.61.112 \
  --dport 80 -j DNAT --to 127.0.0.1:8080
iptables -A POSTROUTING -t nat -p tcp -m tcp -o lo -d 127.0.0.0/8 \
  --dport 8080 -j SNAT --to 127.0.0.1

And of course you'd need to make sure your FORWARD rules and such are
accepting.  Best bet is to just make iptables ACCEPT everything by
default (policy) until you have this working. :)

That or create a sub-interface on lo with RFC1918 address space and not
within 127.0.0.0/8.

Maybe someone else can confirm or deny that there are special
restrictions involving the loopback IPs?

Ray
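The following script is an added example for this thread, not something any of the posters wrote. It spells out the two ways the discussion circles around: DNAT straight to 127.0.0.1, and Ray's idea of putting a non-127/8 address on lo and DNATing to that. The interface name eth0, the RFC1918 alias 10.255.255.1 and the ports are assumptions; 64.61.61.112 is the address quoted above. Two facts the thread did not settle are built into the comments: the kernel treats a packet that arrives on eth0 with a 127.0.0.0/8 destination as a martian unless net.ipv4.conf.eth0.route_localnet=1 (a sysctl that only exists from Linux 3.6 on, so not on the 2.6 kernels CentOS shipped in 2007), and REDIRECT takes only a port (`--to-ports 8080`) and rewrites the destination to the primary address of the incoming interface, so it cannot reach a service bound only to 127.0.0.1. With the default DRY_RUN=1 the script prints the commands it would run; as root with DRY_RUN=0 it applies them.

```shell
#!/bin/sh
# Added example (not code from the thread).  Two ways to get TCP traffic that
# arrives on the public interface, port 80, to a service that listens only on
# the loopback side, port 8080.  All names here are assumptions: the interface
# eth0, the public address (64.61.61.112 is the one quoted in the thread), the
# RFC1918 alias 10.255.255.1 and the ports.
#
# With DRY_RUN=1 (the default) the commands are printed, not executed; run as
# root with DRY_RUN=0 to apply them.

PUB_IF=${PUB_IF:-eth0}
PUB_IP=${PUB_IP:-64.61.61.112}
PUB_PORT=${PUB_PORT:-80}
SVC_PORT=${SVC_PORT:-8080}
ALIAS_IP=${ALIAS_IP:-10.255.255.1}   # assumed: an RFC1918 /32 unused on your network
DRY_RUN=${DRY_RUN:-1}

# run CMD ...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Variant A: DNAT straight to 127.0.0.1.
# Linux drops a packet that arrives on a non-loopback interface with a
# destination in 127.0.0.0/8 as a "martian" unless
# net.ipv4.conf.<if>.route_localnet=1.  That sysctl appeared in kernel 3.6;
# the 2.6 kernels of the CentOS releases current in 2007 have no way to allow
# it, which is the restriction on loopback addresses the thread asks about.
rules_localnet() {
    run sysctl -w "net.ipv4.conf.$PUB_IF.route_localnet=1"
    run iptables -t nat -A PREROUTING -i "$PUB_IF" -p tcp -d "$PUB_IP" \
        --dport "$PUB_PORT" -j DNAT --to-destination "127.0.0.1:$SVC_PORT"
    # The DNATed packet is delivered to this host, so it passes through INPUT
    # (not FORWARD), and the filter table sees the post-NAT destination.
    run iptables -A INPUT -i "$PUB_IF" -p tcp -d 127.0.0.1 \
        --dport "$SVC_PORT" -j ACCEPT
}

# Variant B: the alias approach suggested in the thread.  Put an RFC1918 /32
# on lo, bind the service to it instead of 127.0.0.1, and DNAT to that.
# Nothing in 127.0.0.0/8 is involved, so no kernel knob is needed and it
# works on old kernels too.
rules_alias() {
    run ip addr add "$ALIAS_IP/32" dev lo
    run iptables -t nat -A PREROUTING -i "$PUB_IF" -p tcp -d "$PUB_IP" \
        --dport "$PUB_PORT" -j DNAT --to-destination "$ALIAS_IP:$SVC_PORT"
    run iptables -A INPUT -i "$PUB_IF" -p tcp -d "$ALIAS_IP" \
        --dport "$SVC_PORT" -j ACCEPT
}
# Neither variant needs an SNAT rule: conntrack undoes the DNAT on the reply,
# so the client sees it come back from $PUB_IP:$PUB_PORT.

# pick_variant: "localnet" if this kernel exposes route_localnet for PUB_IF,
# "alias" otherwise.
pick_variant() {
    if [ -e "/proc/sys/net/ipv4/conf/$PUB_IF/route_localnet" ]; then
        echo localnet
    else
        echo alias
    fi
}

main() {
    case "$(pick_variant)" in
        localnet) rules_localnet ;;
        *)        rules_alias ;;
    esac
}

main
```

Whichever variant you apply, test it from another host rather than from the box itself: a connection to 64.61.61.112:80 made locally enters through OUTPUT, not PREROUTING, and never hits these rules.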