Re: Redirecting incoming local ports
On Wed, 18 Jun 2003 13:32:43 -0400, Aaron <aaron@core-dev.com> wrote:
Firewall experts,
Despite searching all of the list archives, I couldn't come up with a
possible solution to this issue.
What I would like to do is accept connections from my external interface
on port 9090 and redirect them to port 80. I do not want connections to
port 80 accepted from outside at all.
I've read the HOWTOs and the tutorials and I was satisfied that this
recipe might work:
$IPTABLES -t nat -A PREROUTING -p tcp --dport 9090 \
-j REDIRECT --to-ports 80
But alas, it doesn't seem to. Then it occurred to me that since the
default target of my INPUT chain is REJECT, that I might need to
explicitly accept the packets that are (now) destined for port 80. But
this produces another problem, which is that I don't want to accept
packets inbound on port 80, I only want to accept the ones that have been
redirected to port 80.
How can I set this up? Thanks a lot!
This should work:
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j DROP
$IPTABLES -t nat -A PREROUTING -p tcp --dport 9090 -j REDIRECT --to-ports 80
# filter table (the default) INPUT chain: accept what was redirected to 80
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
The packets to port 80 are dropped even before touching the INPUT chain.
The ones accepted by INPUT rule are only those which had been redirected
from port 9090.
I'd recommend using -d your_ip/32 so you don't drop HTTP requests being
routed by your box, and -i ext_if.
Good Luck
--
Koba
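A complete version of the setup, added here as an example and not taken from the thread: it keeps the REDIRECT (restricted to the external interface and the box's own address, as suggested above) but, instead of dropping in the nat table, lets the filter INPUT chain accept port 80 only for connections whose conntrack original destination port is 9090, using the -m conntrack --ctorigdstport match. EXT_IF, EXT_IP and the dry-run IPTABLES="echo iptables" setting are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): redirect 9090 -> 80 and
# accept port 80 in the filter INPUT chain only for redirected connections.
# Assumed names: EXT_IF / EXT_IP are the external interface and its address.
# Set IPTABLES to "echo iptables" to review the rules without root.
EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-192.0.2.10}"      # constructed example address
IPTABLES="${IPTABLES:-iptables}"

redirect_rules() {
    # Only connections arriving on the external interface for our own
    # address are redirected, so HTTP traffic routed through the box is
    # left untouched.
    $IPTABLES -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" \
        -p tcp --dport 9090 -j REDIRECT --to-ports 80
    # Filter table: default deny, allow established flows, then allow
    # port 80 only when conntrack recorded the original destination port
    # as 9090, i.e. the connection came in through the REDIRECT above.
    $IPTABLES -P INPUT DROP
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$EXT_IF" -p tcp --dport 80 \
        -m conntrack --ctstate NEW --ctorigdstport 9090 -j ACCEPT
    # Direct connections to port 80 from outside never match the rule
    # above and fall through to the DROP policy.
}

# Dry-run helper: returns the rule set as text so it can be reviewed.
dry_run() {
    ( IPTABLES="echo iptables"; redirect_rules )
}

if [ "${1:-}" = "--dry-run" ]; then
    dry_run
fi
```

Run with --dry-run to print the four rules; without it the functions are defined but nothing is applied until redirect_rules is called.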