Hello,
David Gowdy wrote:
I'm using a Linux system running Netfilter as the primary gateway for
my Internet service. This includes the use of port forwarding (DNAT)
for accessing some servers. Right now the servers include FTP (port
21) and HTTP/HTTPS (port 80/443). It all seems to work nicely with
one notable exception. I cannot forward anything to port 80. I've
tried using several different external ports (i.e., 21, 60, 81) but
nothing works.
(I reordered the rule listing in the order chains are traversed by a
forwarded packet)
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere pool-71-163-168-209.washdc.fios.verizon.net tcp dpt:81 to:10.0.0.12:80
So port 81 is DNATed to port 80.
Chain FORWARD (policy DROP)
target prot opt source destination
[...]
ACCEPT tcp -- anywhere anywhere tcp dpt:81 state NEW,RELATED,ESTABLISHED
The FORWARD chains are traversed after the PREROUTING chains, so the
port has already been translated and the rule should match the final
destination port 80, not the original port 81.
Also, for better security the rule should only match the destination
address 10.0.0.12, not any address.
Finally, the RELATED state is superfluous: an HTTP packet would never
be in that state.
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Note: this rule should be at the beginning of the chain instead of the
end because it matches most of the traffic.
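To make the traversal-order point concrete, here is an added example (not from this thread, not real Netfilter code) that models a forwarded packet passing through nat/PREROUTING and then filter/FORWARD. The DNAT rule, the poster's original FORWARD rules and the corrected ones follow the listing above; the external address 203.0.113.10 is a constructed placeholder.

```python
# Minimal model of Netfilter chain traversal for a forwarded packet:
# nat/PREROUTING (DNAT) runs first, filter/FORWARD sees the translated packet.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" / "udp"
    dst: str     # destination address
    dport: int   # destination port
    state: str   # conntrack state: NEW, ESTABLISHED or RELATED


def prerouting_dnat(pkt, dnat_rules):
    """nat/PREROUTING: rewrite destination if a (proto, dport) DNAT rule matches."""
    for (proto, dport), (to_addr, to_port) in dnat_rules.items():
        if pkt.proto == proto and pkt.dport == dport:
            return replace(pkt, dst=to_addr, dport=to_port)
    return pkt


def forward_chain(pkt, rules, policy="DROP"):
    """filter/FORWARD: first matching rule wins; a missing key means 'anywhere'/any."""
    for rule in rules:
        if rule.get("proto") not in (None, pkt.proto):
            continue
        if rule.get("dst") not in (None, pkt.dst):
            continue
        if rule.get("dport") not in (None, pkt.dport):
            continue
        if rule.get("states") is not None and pkt.state not in rule["states"]:
            continue
        return rule["target"]
    return policy


DNAT_RULES = {("tcp", 81): ("10.0.0.12", 80)}   # external :81 -> internal 10.0.0.12:80

# The poster's FORWARD rules: the port rule matches the pre-translation port 81.
BROKEN_FORWARD = [
    {"proto": "tcp", "dport": 81, "states": {"NEW", "RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"states": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
]

# Corrected as in the reply: state rule first, then match the post-DNAT
# destination 10.0.0.12:80 and only NEW (the opening packet of a connection).
FIXED_FORWARD = [
    {"states": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"proto": "tcp", "dst": "10.0.0.12", "dport": 80, "states": {"NEW"}, "target": "ACCEPT"},
]


def verdict(pkt, forward_rules):
    """Traversal order for a forwarded packet: PREROUTING, then FORWARD."""
    return forward_chain(prerouting_dnat(pkt, DNAT_RULES), forward_rules)


# Constructed sample: an inbound SYN to the gateway's public address, port 81.
SYN = Packet("tcp", "203.0.113.10", 81, "NEW")
```

With the original rules the SYN is DROPped by the FORWARD policy because its port is already 80 when FORWARD sees it; with the corrected rules it is ACCEPTed.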