SV: SV: Port forwarding

Andre Speelmans andre at as.no-ip.com
Wed Jan 26 14:40:07 UTC 2005


Andy wrote:

>  > This last one should read:
>  > iptables -t nat -A POSTROUTING -p tcp --sport 80 -s 65.114.4.69 \
>  >         -j SNAT --to-source <your external IP address on this machine>
> 
> NO! that doesn't make sense. In http/https connections, the source port
> is an arbitrary high port, and the _destination_ port is 80/443.

From the viewpoint of the client, yes. But this is the server that 
should be natted (if not: again my apologies. As stated in my original 
reply I haven't followed this thread and gave the answer to what I 
assumed to be the question). The source-port from the server is 80/443.

Traffic from the client arriving at the gateway must be forwarded to the 
web server.
Therefore you'll need PREROUTING rules having destination-port 80/443 
and change the destination to the IP address of the web server.

Replies coming from the web server must change their source IP. Those 
packets have source-ports 80/443 and go in POSTROUTING.
The above line will do that correctly for HTTP.

> In order to forward the https traffic either change "80" to "443" and end 
> up with 4 lines, 2 PREROUTING and 2 POSTROUTING, or use the multiport 
> extension: "-m multiport --dports 80,443" in both lines of the original 
> example.

And on this we agree :)

-- 
Regards, Andre
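The rule set the thread converges on, written out as an added example (not code from either poster): a PREROUTING DNAT for 80/443 using the multiport match, the FORWARD filter rules the nat table alone does not give you, and a POSTROUTING SNAT so the web server leaves with the gateway's address. Interface name and both addresses (eth0, 203.0.113.10, 192.0.2.10) are constructed placeholders; the script prints the commands so they can be reviewed before being applied on the gateway.

```shell
#!/bin/sh
# Added example: generate the iptables rules that forward HTTP/HTTPS
# arriving at a gateway to an internal web server. Sample interface and
# addresses below are constructed placeholders, not values from the thread.

gen_forward_rules() {
    ext_if=$1; ext_ip=$2; web_ip=$3
    # Client traffic: rewrite the destination to the web server. One
    # multiport rule replaces separate rules for 80 and 443.
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp -m multiport --dports 80,443 -j DNAT --to-destination %s\n' \
        "$ext_if" "$ext_ip" "$web_ip"
    # nat only rewrites addresses; if the FORWARD policy is DROP the
    # filter table must still accept the forwarded packets both ways.
    printf 'iptables -A FORWARD -i %s -d %s -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$ext_if" "$web_ip"
    printf 'iptables -A FORWARD -s %s -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' \
        "$web_ip"
    # Replies to DNATed connections are translated back by conntrack.
    # This SNAT gives the web server's own outbound traffic the gateway's
    # external address, so the server is the party being natted.
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$web_ip" "$ext_if" "$ext_ip"
}

# Check that every port-matching rule covers both ports in one line,
# i.e. the multiport form really replaced the four separate rules.
count_multiport_rules() {
    gen_forward_rules "$@" | grep -c -- '-m multiport --[ds]ports 80,443'
}

if [ "$1" = "--apply" ]; then
    shift
    gen_forward_rules "$@" | sh -e   # run as root on the gateway
else
    gen_forward_rules "${1:-eth0}" "${2:-203.0.113.10}" "${3:-192.0.2.10}"
fi
```

Run without arguments to print the rules for review; `--apply <ext_if> <ext_ip> <web_ip>` executes them.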




More information about the fedora-list mailing list