On Sat, 2013-02-16 at 12:35 +0100, Pascal Hambourg wrote:
> Hello,
>
> Andrew Beverley wrote:
> > On Fri, 2013-02-15 at 11:24 -0500, John Corps wrote:
> >>
> >> iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j REDIRECT --to-ports 53
> >> iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
> >
> > If you want to redirect the requests to the local server, then you'll
> > need to use the DNAT target instead. All you're doing in your rules is
> > changing to port 53 a packet that is destined to port 53 (so nothing at
> > all).
>
> Nonsense. You should read the manpage more carefully.
>
> QUOTE
> REDIRECT
> This target is only valid in the nat table, in the PREROUTING and OUTPUT
> chains, and user-defined chains which are only called from those
> chains. It redirects the packet to the machine itself by changing the
> destination IP to the primary address of the incoming interface
> (locally-generated packets are mapped to the 127.0.0.1 address).
> END OF QUOTE

Okay, I stand corrected, although I personally would still use the DNAT
target for that use-case :)

Incidentally, the manpage stipulates "--to-ports" but the earlier example
in the same manpage is "--to-port". Both seem to be accepted. Any
difference?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
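The two approaches discussed in the thread side by side, as an added example that is not part of any of the posters' messages: the REDIRECT rules from the original post, and the explicit DNAT form Andrew says he would use instead. The LAN range is the one from the thread; the resolver address 192.168.1.1 and the `APPLY` switch are assumptions for the example. By default the script only prints the rules it would add, so it can be reviewed before anything touches the nat table.

```shell
#!/bin/sh
# Added example, not code from the netfilter thread. Shows two ways of
# steering LAN DNS queries to a resolver running on this box:
#   REDIRECT  - kernel rewrites the destination to the primary address of
#               the incoming interface (127.0.0.1 for locally generated
#               packets, which PREROUTING never sees anyway);
#   DNAT      - you name the destination address yourself.
# Constructed values: LAN is the range from the thread; RESOLVER is an
# assumed address for the router's own LAN interface.
LAN="192.168.1.0/24"
RESOLVER="192.168.1.1"

# Dry run by default: print the command instead of running it.
# Set APPLY=1 to actually insert the rules (needs root).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Variant 1: REDIRECT, exactly as in the original post (one rule per protocol).
redirect_rules() {
    for proto in tcp udp; do
        run iptables -t nat -A PREROUTING -s "$LAN" -p "$proto" -m "$proto" \
            --dport 53 -j REDIRECT --to-ports 53
    done
}

# Variant 2: DNAT to an explicit address:port, independent of which
# address the kernel considers "primary" on the incoming interface.
dnat_rules() {
    for proto in tcp udp; do
        run iptables -t nat -A PREROUTING -s "$LAN" -p "$proto" -m "$proto" \
            --dport 53 -j DNAT --to-destination "$RESOLVER:53"
    done
}

# Number of rules a variant produces (expected: one per protocol, i.e. 2).
rule_count() {
    "$1" | wc -l | tr -d ' '
}

# Usage: ./dns-nat.sh redirect | dnat   (APPLY=1 to really add the rules)
case "${1:-}" in
    redirect) redirect_rules ;;
    dnat)     dnat_rules ;;
    "")       ;;   # no argument: only define the functions
esac
```

Whichever variant is applied, the resolver on the box has to be listening on the address the packet ends up with (the interface's primary address for REDIRECT, `$RESOLVER` for DNAT), and the result can be checked with `iptables -t nat -L PREROUTING -n -v --line-numbers`. On the `--to-port` versus `--to-ports` question: iptables parses long options with getopt_long, which accepts any unambiguous abbreviation of an option name, so `--to-port` is simply a shortened spelling of `--to-ports` and both select the same option.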