RE: port forwarding

> I want to forward all the packets to ports 80 and 443 to 16721, using
> the following rules:
> 
> # 80->16721->80
> ${IPTABLES} -t nat -A PREROUTING -s 0.0.0.0/0 -d 192.168.0.1 \
>     -p tcp --dport 80 -j DNAT --to-destination 192.168.0.1:16721
> ${IPTABLES} -t nat -A POSTROUTING -s 192.168.0.1 -d 0/0 \
>     -p tcp --sport 16721 -j SNAT --to-source 192.168.0.1:80
> 
> # 443->16721->443
> ${IPTABLES} -t nat -A PREROUTING -s 0.0.0.0/0 -d 192.168.0.1 \
>     -p tcp --dport 443 -j DNAT --to-destination 192.168.0.1:16721
> ${IPTABLES} -t nat -A POSTROUTING -s 192.168.0.1 -d 0/0 \
>     -p tcp --sport 16721 -j SNAT --to-source 192.168.0.1:443
> 
> I'm just wondering - won't the source address of packets to 443 be
> changed to 192.168.0.1:80 instead of 192.168.0.1:443 when they're
> replied to the client?

NAT will handle that, but I'm not sure if this setup is going to work:
you are forwarding both http and https to the same port.

> I don't know what type of connection tracking to use. Your help is
> appreciated.

With conntrack, you don't need the postrouting rules.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i <if_inet> -d 192.168.0.1 -p tcp --dport 80 \
 -j ACCEPT
iptables -A FORWARD -i <if_inet> -d 192.168.0.1 -p tcp --dport 443 \
 -j ACCEPT

iptables -t nat -A PREROUTING -i <if_inet> -p tcp --dport 80 \
 -j DNAT --to-destination 192.168.0.1:16721
iptables -t nat -A PREROUTING -i <if_inet> -p tcp --dport 443 \
 -j DNAT --to-destination 192.168.0.1:16721

If I were you I'd make the webserver listen on 16722 (or whatever) for
https and forward port 443 to 16722.


Gr,
Rob
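Added example, not code from the thread or from either poster: a small POSIX sh script that builds the conntrack-based variant of the rule set above, with http and https mapped to two distinct backend ports as Rob suggests. It assumes eth0 is the internet-facing interface (Rob's <if_inet>), that the web server is a separate host at 192.168.0.1 listening on 16721 for http and 16722 for https, and it prints the rules by default (DRY_RUN=1) instead of applying them. One detail worth knowing when writing the FORWARD rules: DNAT happens in PREROUTING, before routing and before the filter table, so FORWARD sees the translated destination port (16721/16722), not the public 80/443; the example therefore matches on the backend port. It also refuses to map two public ports onto the same backend port, which is the pitfall raised in the reply.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT port forwarding for a web server
# behind a Linux router, with conntrack carrying the reply path (no SNAT
# rules) and http/https mapped to two distinct backend ports.
# Assumptions: eth0 is the internet-facing interface and the backend host
# 192.168.0.1 listens on 16721 (http) and 16722 (https).
set -eu

IF_INET="${IF_INET:-eth0}"   # assumed interface name; override via env
BACKEND="192.168.0.1"
HTTP_PORT=16721
HTTPS_PORT=16722
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the rules, 0 = apply them (needs root)
USED_PORTS=""                # backend ports already mapped

# Print one rule, or hand it to iptables when DRY_RUN=0.
run_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Replies and related traffic (e.g. ICMP errors) ride on the conntrack
# entry created by the first packet, so one rule covers every service.
base_rules() {
    run_rule -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# forward_port PUBLIC_PORT BACKEND_PORT
# Rewrites PUBLIC_PORT on the way in and accepts the new connection in
# FORWARD.  DNAT runs in PREROUTING, before routing and before the filter
# table, so FORWARD sees the translated destination port (BACKEND_PORT),
# not the public one.  Two services on one backend port are refused.
forward_port() {
    dport=$1
    bport=$2
    case " $USED_PORTS " in
        *" $bport "*)
            echo "refusing $dport -> $bport: backend port $bport already mapped" >&2
            return 1 ;;
    esac
    USED_PORTS="$USED_PORTS $bport"
    run_rule -t nat -A PREROUTING -i "$IF_INET" -p tcp --dport "$dport" \
        -j DNAT --to-destination "$BACKEND:$bport"
    run_rule -A FORWARD -i "$IF_INET" -d "$BACKEND" -p tcp --dport "$bport" \
        -m conntrack --ctstate NEW -j ACCEPT
}

base_rules
forward_port 80  "$HTTP_PORT"
forward_port 443 "$HTTPS_PORT"
```

Run it as-is to review the generated rules, then with DRY_RUN=0 as root to apply them; the FORWARD rules only matter if the chain's policy is DROP or a later rule rejects traffic, but keeping them explicit makes the allowed paths visible in `iptables -L FORWARD`.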