Re: SV: SV: Port forwarding


 



Andy wrote:

 > This last one should read:
 > iptables -t nat -A POSTROUTING -p tcp --sport 80 -s 65.114.4.69 \
 >         -j SNAT --to-source <your external IP address on this machine>

NO! that doesn't make sense. In http/https connections, the source port
is an arbitrary high port, and the _destination_ port is 80/443.

From the viewpoint of the client, yes. But this is the server that should be NATed (if not: again, my apologies. As stated in my original reply, I haven't followed this thread and gave the answer to what I assumed to be the question). The source port from the server is 80/443.


Traffic from the client arriving at the gateway must be forwarded to the web server.
Therefore you'll need PREROUTING rules having destination-port 80/443 and change the destination to the IP address of the web server.


Replies coming from the web server must have their source IP changed. Those packets have source-ports 80/443 and go in POSTROUTING.
The above line will do that correctly for HTTP.


In order to forward the https traffic, either change "80" to "443" and end up with 4 lines, 2 PREROUTING and 2 POSTROUTING, or use the multiport extension: "-m multiport --dports 80,443" in both lines of the original example.

And on this we agree :)

--
Regards, Andre
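
Added example (not part of the original message): a small Python model of the two rewrites discussed in this thread, showing that the client's request is matched on destination port 80/443 while the server's reply is matched on source port 80/443. It models the address rewriting only, not iptables itself; the gateway and client addresses are constructed placeholders.

```python
from dataclasses import dataclass, replace

WEB_SERVER = "65.114.4.69"    # server address quoted in the thread
GATEWAY_EXT = "203.0.113.1"   # constructed placeholder for the gateway's external IP
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def prerouting(pkt):
    """Client -> gateway: match on destination port, rewrite the destination."""
    if pkt.dst == GATEWAY_EXT and pkt.dport in WEB_PORTS:
        return replace(pkt, dst=WEB_SERVER)
    return pkt


def postrouting(pkt):
    """Server -> client: match on source address and source port, rewrite the source."""
    if pkt.src == WEB_SERVER and pkt.sport in WEB_PORTS:
        return replace(pkt, src=GATEWAY_EXT)
    return pkt


def server_reply(pkt):
    """The web server answers by swapping the address/port pairs."""
    return Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)


def round_trip(client_ip, client_port, service_port):
    """Return the packet as the server sees it and the reply as the client sees it."""
    request = Packet(client_ip, client_port, GATEWAY_EXT, service_port)
    at_server = prerouting(request)
    reply = postrouting(server_reply(at_server))
    return at_server, reply


if __name__ == "__main__":
    # Constructed client address and ephemeral port; port 22 shows an unmatched service.
    for port in (80, 443, 22):
        at_server, reply = round_trip("198.51.100.7", 40312, port)
        print(port, at_server, reply)
```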

