stan wrote:
Uno Engborg wrote:
stan wrote:
Uno Engborg wrote:
Rüdiger Pretzlaff wrote:
On 12.07.2008 at 12:21, Uno Engborg wrote:
For various reasons I would like to forward traffic to port 390 to port 5432 on the same host. One would think this would be a simple task for iptables, but I have now tinkered with this for two days, and I still fail to get it right.
I have also tried :
iptables -t nat -A PREROUTING -p tcp --dport 390 -j DNAT --to 192.168.0.5:5432
where 192.168.0.5 is the address of the host
Any ideas on how to do this?
From the man page it looks like you need a colon on the port for DNAT (and no IP, as it will stay the same if not specified, just what you want).
iptables -t nat -A PREROUTING -p tcp --dport 390 -j DNAT --to-destination :5432
I haven't tested, but it seems it should work.
Yes, removing the IP address was probably an improvement, but not enough to make it work.
Regards
Uno Engborg
You should add some LOG rules so you can see what is happening to the packet. They will show you if the port is being altered.
If that doesn't work, could you post the output of iptables -n -L -v? That way everyone can see exactly what iptables is programmed to do.
After applying:
iptables -t nat -A PREROUTING -p tcp --dport 390 -j REDIRECT --to-port 5432
iptables -t nat -A OUTPUT -o lo -p tcp --dport 390 -j REDIRECT --to-port 5432
iptables -t nat -L -v gives:
Chain PREROUTING (policy ACCEPT 207 packets, 17786 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:390 redir ports 5432

Chain POSTROUTING (policy ACCEPT 321 packets, 20656 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 319 packets, 20536 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REDIRECT   tcp  --  any    lo      anywhere             anywhere            tcp dpt:390 redir ports 5432
And iptables -n -L -v gives:
# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
19309   24M RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 23922 packets, 37M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 7573   21M ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
    0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
    0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ipp
11324 2984K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:tproxy
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:7979
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:imap
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:imaps
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:squid
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:3333
    1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    3   136 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:smtp
  202 11352 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
  206 24045 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
Port redirection now works locally, but not on the eth0 interface.
Regards
Uno Engborg
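An added example, not from anyone in this thread: a check worth running alongside the LOG rules stan suggested. A nat PREROUTING REDIRECT rewrites the destination port before the filter table sees the packet, so RH-Firewall-1-INPUT must accept the rewritten port 5432, not the original 390; the listing above has no such ACCEPT rule, and this script (parsing constructed, trimmed copies of the posted output) reports that.

```shell
#!/bin/sh
# Added example, not from the thread. A nat PREROUTING REDIRECT rewrites the
# destination port before the filter table sees the packet, so the filter chain
# must accept the new port (5432), not the original (390). This script parses
# constructed, trimmed copies of the listings posted above and checks that.
NAT_LISTING='Chain PREROUTING (policy ACCEPT 207 packets, 17786 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:390 redir ports 5432'
FILTER_LISTING='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 7573   21M ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:7979
    1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
  202 11352 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
  206 24045 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited'

# Emit "orig:new" for every REDIRECT rule in a nat-table listing.
redirect_pairs() {
  printf '%s\n' "$1" | awk '$3 == "REDIRECT" {
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^dpt:/) { split($i, a, ":"); orig = a[2] }
      if ($i == "ports") new = $(i + 1)
    }
    print orig ":" new
  }'
}

# Succeed if the filter listing has a tcp ACCEPT rule for the port, matched by
# number or by the service name iptables prints when run without -n.
filter_accepts_tcp() {
  name=$(getent services "$2" 2>/dev/null | awk '{ print $1 }')
  printf '%s\n' "$1" | grep -Eq "^ *[0-9]+ +[0-9A-Za-z]+ +ACCEPT +tcp .*tcp dpt:($2|${name:-$2})( |$)"
}

# Report, per REDIRECT rule, whether the filter accepts the rewritten port.
# Returns 0 only if every redirected port is accepted.
check_redirects() {
  rc=0
  for pair in $(redirect_pairs "$1"); do
    orig=${pair%%:*}; new=${pair##*:}
    if filter_accepts_tcp "$2" "$new"; then echo "dpt:$orig -> $new: accepted by filter"
    else echo "dpt:$orig -> $new: no ACCEPT for tcp dpt:$new in filter"; rc=1; fi
  done
  return $rc
}

check_redirects "$NAT_LISTING" "$FILTER_LISTING" && echo "all redirected ports accepted" || echo "fix the filter chain"
```

On a live box, feed it `iptables -t nat -L -v` and `iptables -L -v` output instead of the embedded copies; note the PREROUTING counter of 0 above means the eth0 test packets never reached the nat rule at all, which the LOG rules would confirm.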
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list