Re: Redirecting incoming local ports
On Wed, Jun 18, 2003 at 01:32:43PM -0400, Aaron wrote:
> Despite searching all of the list archives, I couldn't come up with a
> possible solution to this issue.
>
> What I would like to do is accept connections from my external
> interface on port 9090 and redirect them to port 80. I do not want
> connections to port 80 accepted from outside at all.
>
> I've read the HOWTOs and the tutorials and I was satisfied that this
> recipe might work:
>
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 9090 \
> -j REDIRECT --to-ports 80
>
> But alas, it doesn't seem to. Then it occurred to me that since the
> default target of my INPUT chain is REJECT, that I might need to
> explicitly accept the packets that are (now) destined for port 80. But
> this produces another problem, which is that I don't want to accept
> packets inbound on port 80, I only want to accept the ones that have
> been redirected to port 80.
>
> How can I set this up? Thanks a lot!
By approaching the problem slightly differently. Configure your web
server to listen on 127.0.0.1:80 and then forward the incoming
connection to that IP and port. Should work just fine, and then you
don't have to worry about all sorts of tagging and matching hurdles.
How the above is done depends on what tables you are using and what the
policy on their chains is. Below is the logic my firewall script uses
to set up port forwards:
#<PORT FORWARDS>
# Each entry in $PORT_FORWARDS looks like EXT_IP(EXT_PORT)-INT_IP(INT_PORT).
# success/failure are the status printers from /etc/init.d/functions
# on Red Hat-style systems.
for PORT_FORWARD in $PORT_FORWARDS ; do
    # separate Local and Remote
    EXT_F=`echo $PORT_FORWARD | cut -f1 -d-`
    INT_F=`echo $PORT_FORWARD | cut -f2 -d-`
    # separate IP and Port for both Local and Remote
    E_IP=`echo $EXT_F | sed "s/(.*)//g"`
    E_PORT=`echo $EXT_F | sed "s/.*(\|)//g"`
    I_IP=`echo $INT_F | sed "s/(.*)//g"`
    I_PORT=`echo $INT_F | sed "s/.*(\|)//g"`
    echo -n "Forwarding $EXT_F to $INT_F:"
    $IPTABLES -t filter -I FORWARD -p tcp -d $I_IP \
        --dport $I_PORT -j ACCEPT && \
    $IPTABLES -t filter -I FORWARD -p udp -d $I_IP \
        --dport $I_PORT -j ACCEPT && \
    $IPTABLES -t nat -I POSTROUTING -p tcp -d $I_IP \
        --dport $I_PORT -j ACCEPT && \
    $IPTABLES -t nat -I POSTROUTING -p udp -d $I_IP \
        --dport $I_PORT -j ACCEPT && \
    $IPTABLES -t mangle -I PREROUTING -p tcp -d $E_IP \
        --dport $E_PORT -j ACCEPT && \
    $IPTABLES -t mangle -I PREROUTING -p udp -d $E_IP \
        --dport $E_PORT -j ACCEPT && \
    $IPTABLES -t nat -I PREROUTING -p tcp -d $E_IP --dport $E_PORT \
        -j DNAT --to-destination "$I_IP:$I_PORT" && \
    $IPTABLES -t nat -I PREROUTING -p udp -d $E_IP --dport $E_PORT \
        -j DNAT --to-destination "$I_IP:$I_PORT" && \
    for INT_NETWORK in $INT_NETWORKS; do
        # logic here for internal clients attempting to connect
        # to external IP and port that have been forwarded internally.
        $IPTABLES -t nat -I POSTROUTING -p tcp -d $I_IP \
            -s $INT_NETWORK --dport $I_PORT \
            -j SNAT --to $INT_IP && \
        $IPTABLES -t nat -I POSTROUTING -p udp -d $I_IP \
            -s $INT_NETWORK --dport $I_PORT \
            -j SNAT --to $INT_IP
    done && \
    success $"Forwarding $EXT_F to $INT_F:" || \
    failure $"Forwarding $EXT_F to $INT_F:"
    echo ""
done
#</PORT FORWARDS>
--
Jamin W. Collins
This is the typical unix way of doing things: you string together lots
of very specific tools to accomplish larger tasks. -- Vineet Kumar
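The reply's approach as a short script, added here as an example that is not Jamin's own script or Aaron's recipe: it keeps the EXT_IP(PORT)-INT_IP(PORT) spec format, DNATs to the loopback address the web server is bound to, and accepts in INPUT only connections that conntrack marks as DNAT'd, so direct connections to port 80 still hit the REJECT policy. The addresses are constructed placeholders, and parsing uses shell parameter expansion instead of sed.

```shell
#!/bin/sh
# Added example, not Jamin's script. Same "EXT_IP(PORT)-INT_IP(PORT)" spec
# format, but the forward target is the loopback address the web server is
# bound to, and INPUT accepts only connections whose destination conntrack
# rewrote. Set IPTABLES="echo iptables" to print the rules instead of applying.
IPTABLES=${IPTABLES:-iptables}

# parse_endpoint "203.0.113.5(9090)" -> "203.0.113.5 9090"; non-numeric port fails
parse_endpoint() {
    ip=${1%%"("*}                        # everything before "("
    port=${1#*"("}; port=${port%")"}     # everything inside the parentheses
    case $port in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$ip" "$port"
}

# forward_rules "EXT_IP(EXT_PORT)-INT_IP(INT_PORT)": one iptables argument
# list per line, ready to inspect or hand to $IPTABLES.
forward_rules() {
    ext=$(parse_endpoint "${1%%-*}") || return 1
    int=$(parse_endpoint "${1#*-}")  || return 1
    e_ip=${ext% *}; e_port=${ext#* }
    i_ip=${int% *}; i_port=${int#* }
    # rewrite the destination before routing; a 127.0.0.1 target reached from
    # another interface needs net.ipv4.conf.<ext_if>.route_localnet=1 on
    # kernels 3.6 and later
    echo "-t nat -A PREROUTING -p tcp -d $e_ip --dport $e_port -j DNAT --to-destination $i_ip:$i_port"
    # accept only traffic that went through DNAT/REDIRECT; the DNAT ctstate is
    # a per-connection flag, so later segments of the same connection match too
    echo "-t filter -A INPUT -p tcp -d $i_ip --dport $i_port -m conntrack --ctstate DNAT -j ACCEPT"
}

# apply_forwards SPEC...: applies (or prints) the rules for each spec
apply_forwards() {
    for fw in "$@"; do
        forward_rules "$fw" | while read -r rule; do
            $IPTABLES $rule   # unquoted on purpose: split into arguments
        done
    done
}

if [ $# -gt 0 ]; then
    apply_forwards "$@"
fi
```

Run as `IPTABLES="echo iptables" ./forward.sh "203.0.113.5(9090)-127.0.0.1(80)"` to review the generated rules before applying them for real.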