On Fri, 6 Aug 2004, Jamie Lokier wrote:
Damian Gatabria wrote:
iptables -t nat -A PREROUTING -p tcp -i eth0 -m multiport \
    --dports mysql -j DNAT --to some.other.host
Changing "some.other.host" to 127.0.0.1 doesn't work as expected, and packets seem to be dropped altogether. Using tcpdump I can see packets reaching eth0, but never reaching loopback.
Is there any way to make iptables do what I'm looking for? Any help will be greatly appreciated.
Use -j REDIRECT instead of DNAT.
Not the same thing. REDIRECT requires the service being redirected to to listen on the primary address of the interface where the traffic is accepted.
The reason why DNAT to 127.X does not work is due to the security restrictions of loopback addresses. It MAY work if you also SNAT to 127.X, but I am not entirely sure.
What you can do is to configure an IP alias on the loopback interface having an address outside of 127.X and DNAT to this address.
Regards
Henrik
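The workaround Henrik describes, as an added example that is not code from the thread: a small script that emits the commands for an alias on lo and the DNAT rule pointing at it, and refuses a 127/8 target since the kernel will not DNAT into loopback. The alias 10.255.255.1, interface eth0 and port 3306 are assumed values.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumed values: alias 10.255.255.1/32 on lo, traffic arriving on eth0, port 3306.
# The service (here MySQL) must then bind to the alias address, not only to 127.0.0.1.

# Return 0 if $1 is a dotted quad outside 127.0.0.0/8, 1 otherwise.
# 127/8 is rejected because DNAT to a loopback address is dropped by the kernel.
alias_ok() {
    case "$1" in
        127.*) return 1 ;;
    esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the commands to run as root; this function executes nothing itself.
# $1 = alias address, $2 = ingress interface, $3 = TCP port to forward.
lo_dnat_rules() {
    alias_ip="$1"; ifname="$2"; port="$3"
    alias_ok "$alias_ip" || {
        echo "refusing loopback or invalid alias address: $alias_ip" >&2
        return 1
    }
    cat <<EOF
ip addr add ${alias_ip}/32 dev lo
iptables -t nat -A PREROUTING -i ${ifname} -p tcp --dport ${port} -j DNAT --to-destination ${alias_ip}
iptables -A INPUT -i ${ifname} -p tcp -d ${alias_ip} --dport ${port} -j ACCEPT
EOF
}

# Show the rule set for the assumed values; pipe to "sh" as root to apply it.
if [ "$1" = "--show" ]; then
    lo_dnat_rules 10.255.255.1 eth0 3306
fi
```

Running the script with `--show` prints the three commands; a 127.x alias is rejected before anything is printed.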