Re: DNAT doesn't work


Hello,

Holger Kinkelin wrote:

> I'm more or less new to netfilter / iptables, so I've got a question about DNAT.
>
> My problem is that my DNAT won't work. I want to reroute HTTP packets
> to server X to my own server running on localhost.
>
> The first command I tried was the following:
>
> iptables -A PREROUTING -t nat -p tcp -d [IP OF X] --dport 80 \
>   -j DNAT --to-destination 127.0.0.1:80

Don't DNAT connections from the outside to a loopback address. It won't work because the input routing, which takes place right after the PREROUTING chain, will drop packets to any destination in 127.0.0.0/8 received on any interface other than lo. So you can only reach these destinations from the local host. Use the REDIRECT target instead, or DNAT to the local address of the input interface.

> But: There is no effect. When I try to open a page hosted on X, the
> page loads from X, not from localhost...
>
> So I tried
>
> iptables -A PREROUTING -t nat -p tcp -d [IP OF X] --dport 80 -j REDIRECT
>
> No effect either.

If the source of the HTTP connection is the local host, you must put this rule in the OUTPUT chain instead of PREROUTING. By the way, you can use "DNAT --to 127.0.0.1" this time, because it's a local-host communication. Make sure traffic on the interface lo is allowed.
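The two mistakes discussed in this thread (a PREROUTING DNAT whose destination is a loopback address, and a redirect for locally generated traffic that sits in PREROUTING rather than OUTPUT) are easy to spot in an `iptables-save` dump. The script below is an added example, not code from either poster: it lints a constructed nat-table dump for loopback DNATs and prints the rewritten rule for each case. The address 192.0.2.10 stands in for "[IP OF X]", and `count_loopback_dnat`, `find_loopback_dnat` and `rewrite_rule` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): lint an iptables-save nat dump for
# PREROUTING rules that DNAT to 127.0.0.0/8. Such packets are dropped by
# input routing when they arrive on any interface other than lo, so the
# rule can never work for connections from the outside.

# Constructed sample dump; 192.0.2.10 is a placeholder for "[IP OF X]".
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:80
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j REDIRECT
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j REDIRECT
COMMIT'

# Print every PREROUTING rule whose DNAT target is a loopback address.
find_loopback_dnat() {
    printf '%s\n' "$1" | awk '
        /^-A PREROUTING / && /-j DNAT / {
            for (i = 1; i <= NF; i++)
                if ($i == "--to-destination" && $(i + 1) ~ /^127\./) print
        }'
}

# Same check, but return only the number of offending rules.
count_loopback_dnat() {
    printf '%s\n' "$1" | awk '
        /^-A PREROUTING / && /-j DNAT / {
            for (i = 1; i <= NF; i++)
                if ($i == "--to-destination" && $(i + 1) ~ /^127\./) n++
        }
        END { print n + 0 }'
}

# Rewrite one offending rule following the advice in the reply above:
#   origin=remote -> keep PREROUTING, replace the loopback DNAT by REDIRECT
#   origin=local  -> same replacement, but the rule belongs in OUTPUT
# The DNAT port becomes the REDIRECT --to-ports value.
rewrite_rule() {
    rule=$1
    origin=$2
    fixed=$(printf '%s\n' "$rule" |
        sed -E 's/-j DNAT --to-destination 127\.[0-9.]+:([0-9]+)/-j REDIRECT --to-ports \1/')
    if [ "$origin" = local ]; then
        fixed=$(printf '%s\n' "$fixed" | sed 's/^-A PREROUTING /-A OUTPUT /')
    fi
    printf '%s\n' "$fixed"
}

# Stand-alone run: report offending rules and show both possible fixes.
printf 'loopback DNAT rules in PREROUTING: %s\n' "$(count_loopback_dnat "$SAMPLE_DUMP")"
find_loopback_dnat "$SAMPLE_DUMP" | while IFS= read -r rule; do
    printf 'offending:     %s\n' "$rule"
    printf 'remote origin: %s\n' "$(rewrite_rule "$rule" remote)"
    printf 'local origin:  %s\n' "$(rewrite_rule "$rule" local)"
done
```

Run it against a real dump with `iptables-save -t nat` piped in place of `SAMPLE_DUMP`. Newer kernels expose a per-interface sysctl, `net.ipv4.conf.<if>.route_localnet`, that relaxes the loopback martian check the reply describes; unless that is deliberately enabled, treat any PREROUTING DNAT to 127.0.0.0/8 as a rule that silently does nothing.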
