On Saturday 03 April 2004 6:30 pm, Bill Davidsen wrote:

> Antony Stone wrote:
> > On Saturday 03 April 2004 10:50 am, Mark Ord wrote:
> >> I have iptables set up, firewalling eth0 (the internet) extensively, and
> >> doing NAT for my lan, and some custom port forwards.
> >>
> >> One is forwarding port 81 -> 80 - due to my provider firewalling port
> >> 80:
> >>   iptables -t nat -I PREROUTING -p tcp --dport 81 -j REDIRECT --to 80
> >>
> >> This works for connections coming in on both eth0 and eth1. However, I
> >> can't connect to port 81 on the iptables machine (no matter what
> >> iptables rules I try).
> >
> > That rule looks fine to me, and you must obviously have an appropriate
> > INPUT rule allowing the connection to port 80 after the REDIRECT has
> > completed, otherwise you wouldn't be able to connect directly to port 80
> > which you say works fine.
> >
> > The only thing I can think to ask is whether "iptables -L -t nat -nvx"
> > shows the packet/byte counters for this rule incrementing when you do try
> > to access port 81?
> >
> > Perhaps a few judicious LOGging rules (before and after the REDIRECT in
> > the nat table, before and after the ACCEPT in the INPUT chain) will tell
> > you something useful?
>
> Actually, you need to allow port 81 in, it doesn't become 80 until after
> the rewrite.

No, PREROUTING happens before INPUT, therefore the INPUT rule needs to allow
the translated packet, not the original one.

Regards,

Antony.

-- 
The lottery is a tax for people who can't do maths.

Please reply to the list; please don't CC me.
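The two checks the thread turns on, written up as an added example (not code posted by anyone in the thread): does the packet counter on the PREROUTING REDIRECT rule for dpt:81 grow when a connection to port 81 is attempted, and does the INPUT chain accept the translated packet (dpt:80) rather than the original one. The iptables listings embedded below are constructed sample text in the layout that `iptables -t nat -L PREROUTING -nvx` and `iptables -L INPUT -nvx` print; the functions take that text on stdin or as arguments, so live output can be substituted for the samples.

```sh
#!/bin/sh
# Added example, not from the thread. Checks a PREROUTING REDIRECT 81->80
# setup the way Antony suggests: compare the rule's packet counter before
# and after a test connection, and confirm INPUT allows the rewritten
# destination port (80), since PREROUTING runs before INPUT.

# Packet counter of the first REDIRECT rule carrying "dpt:81" in a -nvx
# listing read from stdin; prints nothing if no such rule exists.
redirect_pkts() {
    awk '$3 == "REDIRECT" { for (i = 1; i <= NF; i++) if ($i == "dpt:81") { print $1; exit } }'
}

# Given two PREROUTING listings (before and after a test connection),
# print "incremented <delta>", "unchanged" or "missing".
redirect_delta() {
    before=$(printf '%s\n' "$1" | redirect_pkts)
    after=$(printf '%s\n' "$2" | redirect_pkts)
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo missing
    elif [ "$after" -gt "$before" ]; then
        echo "incremented $((after - before))"
    else
        echo unchanged
    fi
}

# Does an INPUT listing on stdin contain an ACCEPT rule for tcp dpt:80?
# Prints "yes" or "no". An ACCEPT for dpt:81 here never matches, because the
# packet already carries dpt:80 by the time INPUT sees it.
input_allows_80() {
    awk 'BEGIN { ok = "no" }
         $3 == "ACCEPT" && $4 == "tcp" { for (i = 1; i <= NF; i++) if ($i == "dpt:80") ok = "yes" }
         END { print ok }'
}

# One-line verdict combining both checks.
check_redirect() {
    delta=$(redirect_delta "$1" "$2")
    allow=$(printf '%s\n' "$3" | input_allows_80)
    echo "redirect=$delta input80=$allow"
}

# Constructed sample listings (not real captures).
PRE_BEFORE='Chain PREROUTING (policy ACCEPT 1200 packets, 96000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       7      420 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81 redir ports 80'
PRE_AFTER='Chain PREROUTING (policy ACCEPT 1203 packets, 96180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      10      600 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81 redir ports 80'
INPUT_GOOD='Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     310    24800 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80'
INPUT_BAD='Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81'

# Demo: a working setup, then the mistaken "allow 81 in INPUT" variant.
check_redirect "$PRE_BEFORE" "$PRE_AFTER" "$INPUT_GOOD"
check_redirect "$PRE_BEFORE" "$PRE_BEFORE" "$INPUT_BAD"
```

To use it on a live box, capture `iptables -t nat -L PREROUTING -nvx` before and after a connection attempt to port 81 and `iptables -L INPUT -nvx` once, and pass those three captures to `check_redirect`. A "missing" or "unchanged" verdict means the packet never hit the REDIRECT rule; "input80=no" means the rewritten packet has nothing in INPUT to accept it.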