Henrik Martin wrote:
> All I want to do is run my web server as an ordinary user and have
> it bind to port 8080 and then have my firewall redirect traffic from
> port 80 to 8080. I have a firewall running on the local machine and I
> only let through ports 80, 443, and SSH. I'm using the SuSEFirewall
> utilities to create this. At first, I tried setting the REDIRECT
> variable in SuSE's own firewall to do the port forwarding, but
> couldn't get it to work. So I've basically pared it down to where I've
> disabled the SuSE firewall, and I'm just doing the following on the
> command line:
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
> iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
The OUTPUT rule will never be hit; the packet is already redirected by
the PREROUTING rule. You don't need that second rule.
> If I log into an external machine and try to telnet to my web server's
> port, I can see the PREROUTING chain's packet counter increase, but
> not the OUTPUT. I'm not able to connect.
So this is expected.
> # iptables --list -n -t nat -v
> Chain PREROUTING (policy ACCEPT 140K packets, 42M bytes)
>  pkts bytes target   prot opt in  out source    destination
>     3   180 REDIRECT tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   tcp dpt:80 redir ports 8080
>
> Chain POSTROUTING (policy ACCEPT 140K packets, 42M bytes)
>  pkts bytes target   prot opt in  out source    destination
>
> Chain OUTPUT (policy ACCEPT 763 packets, 56801 bytes)
>  pkts bytes target   prot opt in  out source    destination
>     0     0 REDIRECT tcp  --  *   *   0.0.0.0/0 0.0.0.0/0   tcp dpt:80 redir ports 8080
>
> What am I doing wrong? Is this a bug, or is it the way I'm configuring
> the firewall?
This should work. It works for me, I use redirects quite frequently. The
only thing I can think of is that the webserver listens on a specific IP
and you try to connect to another.
HTH,
M4
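A small diagnostic script for the situation discussed in this thread, added here as an example and not part of the original exchange. It checks the replier's suspicion (the web server bound to one specific IP while clients connect to another) against `ss -H -ltn` style output, and installs only the single PREROUTING REDIRECT rule, idempotently. The listener sample is constructed, and the `apply` entry point assumes root and a host with iptables.

```sh
#!/bin/sh
# Constructed sample of `ss -H -ltn` output (not from the thread): the
# server on 8080 is bound to 192.168.1.10 only, not to the wildcard.
SAMPLE_LISTENERS='LISTEN 0 128 192.168.1.10:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*'

# listener_covers LISTENERS IP PORT
# Returns 0 if a listening TCP socket on PORT will accept a connection
# addressed to IP: bound to the wildcard (0.0.0.0, *, [::]) or to IP
# itself. A REDIRECT to PORT only helps if this is true for the IP
# that remote clients actually connect to.
listener_covers() {
  listeners=$1; ip=$2; port=$3
  printf '%s\n' "$listeners" | awk -v ip="$ip" -v port="$port" '
    $1 == "LISTEN" {
      sock = $4
      p = sock;    sub(/.*:/, "", p)          # port after the last colon
      addr = sock; sub(/:[0-9]+$/, "", addr)  # address before it
      if (p == port && (addr == "0.0.0.0" || addr == "*" ||
                        addr == "[::]" || addr == ip))
        found = 1
    }
    END { exit found ? 0 : 1 }'
}

# apply_redirect FROM_PORT TO_PORT: the one nat rule inbound traffic
# needs. The OUTPUT-chain copy from the question is not required; it
# only sees packets generated on the host itself. -C probes for an
# existing rule so repeated runs do not stack duplicates. Needs root.
apply_redirect() {
  iptables -t nat -C PREROUTING -p tcp --dport "$1" -j REDIRECT --to-ports "$2" 2>/dev/null ||
  iptables -t nat -A PREROUTING -p tcp --dport "$1" -j REDIRECT --to-ports "$2"
}

# Usage: ./redirect-check.sh apply <public-ip>
if [ "${1-}" = apply ]; then
  if listener_covers "$(ss -H -ltn)" "$2" 8080; then
    apply_redirect 80 8080
  else
    echo "no listener on 8080 reachable via $2; fix the bind address first" >&2
    exit 1
  fi
fi
```

Run it with `apply` and the address clients use; it refuses to add the rule when the redirect would land on a port nothing is listening on for that address.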