
Re: port _redirection_ within single machine | SOLUTION



On Thu, Aug 19, 2004 at 10:35:13PM +0200, Matej Kovac wrote:
> On Sat, Aug 14, 2004 at 06:04:20PM +0200, Martin Slouf wrote:
> > 
> > I would like to have all requests to port 80 (nothing there) being
> > redirected to 8080 (tomcat waiting) _within_ the same machine.

It worked as I wanted -- the REDIRECT target is fine, as found later in
the documentation, and so no DNAT or SNAT is needed.

The working rules are:

iptables -t nat -I PREROUTING --src 0/0 --dst 127.0.0.1 \
-p tcp --dport 80 -j REDIRECT --to-ports 8080

iptables -t nat -I OUTPUT --src 0/0 --dst 127.0.0.1 \
-p tcp --dport 80 -j REDIRECT --to-ports 8080

--dst is of course set to the eth0 addr

My mistake and misunderstanding came from testing it with a comp not
connected to the network -- I was testing on localhost (as posted in the
previous message) and my mistakes were:

1) I needed to redirect OUTPUT packets as well as incoming ones
(PREROUTING chain)
2) I needed CONFIG_IP_NF_NAT_LOCAL=y in my kernel

That's all.

- - - -

And some (simple) questions once more:

I'm using shorewall for my iptables scripts (I found it quite simple to
set up) and I'm quite satisfied with it.  My questions are for shorewall
users.

1. When something is not set up correctly, the firewall ends up
dropping all the packets -- that is not very good for remote management,
and this "feature" is forcing me to write my own firewall scripts to
assure that ssh is always available at least.

I was looking in the config and startup files but did not find a simple
solution -- when the internally run iptables commands return with
failure, the failure is not returned from the shorewall scripts (all is
returned as a proper exit code 0) and so you can't react to the exit
code of the underlying iptables commands -- any solutions? (using debian
stable version 1.2.12).

2. The above iptables commands I placed into the '/etc/shorewall/common'
file, because I found no better suitable location for them -- is there a
file for running special user iptables commands?

thx.

> 
> aaaa I'm just noticing that you're Czech :) so hello :)

Sure! Hi to Slovakia! Long live blackhole.sk!

m.
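The REDIRECT setup from the message above, as an added example that is not part of the original mail: a small POSIX sh wrapper that installs the rule in both PREROUTING and OUTPUT, skips rules that are already present, and returns a non-zero exit status as soon as an iptables call fails instead of swallowing it. The address 192.0.2.10 is a placeholder for the eth0 address, and the IPTABLES variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Redirect a TCP port on the local machine with iptables REDIRECT for
# both incoming packets (PREROUTING) and locally generated packets
# (OUTPUT), as the message found was necessary.  Assumes a kernel with
# CONFIG_IP_NF_NAT_LOCAL=y.  Every iptables failure is reported and
# propagated as a non-zero return value.

# Binary used for every call; can be overridden with a wrapper for tests.
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule CHAIN RULE...: probe with -C first so repeated runs do not
# stack duplicate entries; insert with -I only when the rule is missing.
ensure_rule() {
    chain="$1"; shift
    if "$IPTABLES" -t nat -C "$chain" "$@" 2>/dev/null; then
        return 0                      # already present, nothing to do
    fi
    "$IPTABLES" -t nat -I "$chain" "$@" || {
        echo "iptables -t nat -I $chain failed" >&2
        return 1                      # hand the failure to the caller
    }
}

# redirect_port ADDR FROM TO: send TCP port FROM on ADDR to port TO for
# packets arriving from the network and for packets generated locally.
redirect_port() {
    addr="$1"; from="$2"; to="$3"
    ensure_rule PREROUTING -d "$addr" -p tcp --dport "$from" \
        -j REDIRECT --to-ports "$to" || return 1
    ensure_rule OUTPUT -d "$addr" -p tcp --dport "$from" \
        -j REDIRECT --to-ports "$to" || return 1
}

# Usage (placeholder address standing in for the eth0 address):
# redirect_port 192.0.2.10 80 8080 || exit 1
```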


