Thanks, Florin and Robert, for your suggestions. I'm still stumped, though.

This rule looks to be the REDIRECT rule that Robert suggests. Unfortunately, as I have it written here, it fails instantly -- telnetting to port 80 causes an instant error.

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 127.0.0.1:8080

This gets packets in, but no reply:

    iptables -t nat -A PREROUTING -p tcp -d 64.61.61.112 --dport 80 -j DNAT --to-destination 127.0.0.1:8080

Florin, I did try running tcpdump before -- good to hear this was a sound way to debug this; the above "no reply" rule shows the following packet:

    19:47:07.707346 IP [my laptop's ip address].39679 > 64.61.61.112.http: S 4212369272:4212369272(0) win 5840 <mss 1460,sackOK,timestamp 1264677320 0,nop,wscale 2>

So, I'm still stumped. The exact iptables rules are below. Any other thoughts? There's not something besides /proc/sys/net/ipv4/ip_forward that needs to be twiddled, is there?

best,
Jeff

> % iptables -L -v
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target               prot       opt in   out source    destination
>   197 20881 RH-Firewall-1-INPUT  all        --  any  any anywhere  anywhere
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target               prot       opt in   out source    destination
>     0     0 RH-Firewall-1-INPUT  all        --  any  any anywhere  anywhere
>
> Chain OUTPUT (policy ACCEPT 139 packets, 36106 bytes)
>  pkts bytes target               prot       opt in   out source    destination
>
> Chain RH-Firewall-1-INPUT (2 references)
>  pkts bytes target               prot       opt in   out source    destination
>     8  1688 ACCEPT               all        --  lo   any anywhere  anywhere
>     1    84 ACCEPT               icmp       --  any  any anywhere  anywhere     icmp any
>     0     0 ACCEPT               ipv6-crypt--   any  any anywhere  anywhere
>     0     0 ACCEPT               ipv6-auth--    any  any anywhere  anywhere
>     0     0 ACCEPT               udp        --  any  any anywhere  224.0.0.251  udp dpt:5353
>     0     0 ACCEPT               udp        --  any  any anywhere  anywhere     udp dpt:ipp
>   181 18689 ACCEPT               all        --  any  any anywhere  anywhere     state RELATED,ESTABLISHED
>     2   120 ACCEPT               tcp        --  any  any anywhere  anywhere     state NEW tcp dpt:ssh
>     0     0 ACCEPT               tcp        --  any  any anywhere  anywhere     state NEW tcp dpt:http
>     0     0 ACCEPT               tcp        --  any  any anywhere  anywhere     state NEW tcp dpt:webcache
>     5   300 ACCEPT               tcp        --  eth1 any anywhere  anywhere     tcp dpt:5666
>     0     0 REJECT               all        --  any  any anywhere  anywhere     reject-with icmp-host-prohibited

-- 
Jeff Potter
http://www.atof.net/go/boston