Port translation
Uno Engborg
uno at webworks.se
Sun Jul 13 18:08:58 UTC 2008
stan wrote:
> Uno Engborg wrote:
>> stan wrote:
>>> Uno Engborg wrote:
>>>> Rüdiger Pretzlaff wrote:
>>>>>
>>>>> On 12.07.2008 at 12:21, Uno Engborg wrote:
>>>>>
>>>>>> For various reasons I would like to forward traffic to port 390
>>>>>> to port 5432 on the same host. One would think this would be a
>>>>>> simple task for iptables but I have now tinkered with this for
>>>>>> two days, and I still fail to get it right.
>>>>>>
>>>>>> I have also tried :
>>>>>> iptables -t nat -A PREROUTING -p tcp --dport 390 -j DNAT --to
>>>>>> 192.168.0.5:5432
>>>>>>
>>>>>> where 192.168.0.5 is the address of the host
>>>>>>
>>>>>>
>>>>>> Any ideas on how to do this?
>>>>
>>>
>>> From the man page it looks like you need a colon on the port for
>>> DNAT (and no IP as it will stay the same if not specified, just what
>>> you want).
>>> iptables -t nat -A PREROUTING -p tcp --dport 390 -j DNAT --to-destination :5432
>>>
>>> I haven't tested, but it seems it should work.
>>>
>> Yes, removing the IP address was probably an improvement, but not
>> enough to make it work.
>>
>> Regards
>> Uno Engborg
>>
> You should add some LOG rules so you can see what is happening to the
> packet. They will show you if the port is being altered.
>
> If that doesn't work, could you post the output of iptables -n -L -v?
> That way everyone can see exactly what iptables is programmed to do.
>
After applying:
iptables -t nat -A PREROUTING -p tcp --dport 390 -j REDIRECT --to-port 5432
iptables -t nat -A OUTPUT -o lo -p tcp --dport 390 -j REDIRECT --to-port 5432
iptables -t nat -L -v gives:
Chain PREROUTING (policy ACCEPT 207 packets, 17786 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            tcp dpt:390 redir ports 5432

Chain POSTROUTING (policy ACCEPT 321 packets, 20656 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 319 packets, 20536 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 REDIRECT   tcp  --  any    lo      anywhere             anywhere            tcp dpt:390 redir ports 5432
And iptables -n -L -v gives:
# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
19309   24M RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 23922 packets, 37M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 7573   21M ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
    0     0 ACCEPT     ipv6-crypt--  any    any     anywhere             anywhere
    0     0 ACCEPT     ipv6-auth--  any    any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt:5353
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ipp
11324 2984K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:tproxy
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:7979
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:imap
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:imaps
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:squid
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:3333
    1    60 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    3   136 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:smtp
  202 11352 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
  206 24045 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
Port redirection now works locally, but not on the eth0 interface.
Regards
Uno Engborg
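The "works on lo, not on eth0" symptom has a standard explanation that the listing above makes visible: nat PREROUTING runs before filter INPUT, so by the time a packet from eth0 reaches RH-Firewall-1-INPUT its destination port is already 5432, and that chain has no ACCEPT for dpt:5432 (nor for 390), so the packet falls through to the final REJECT. Loopback traffic never hits this because the first rule accepts everything on lo. The script below is an added example and not code from the thread; it assumes the Red Hat style chain name RH-Firewall-1-INPUT from the listing, the ports 390 and 5432 from the question, and an IPT variable that can be set to "echo" for a dry run. The listing embedded in it is constructed in the shape of the thread's output to exercise the check function.

```shell
#!/bin/sh
# Added example, not code from the thread: same-host redirect of TCP/390 to
# TCP/5432 plus the filter-table ACCEPT the listing above lacks.
# Assumptions: chain RH-Firewall-1-INPUT as in the listing; IPT may be set
# to "echo" for a dry run.  Run with the argument "apply" to install rules.
IPT=${IPT:-iptables}
FROM_PORT=390
TO_PORT=5432
INPUT_CHAIN=RH-Firewall-1-INPUT

# nat table: PREROUTING rewrites packets arriving on a NIC (eth0), OUTPUT
# with -o lo rewrites locally generated ones.  REDIRECT changes the
# destination to the primary address of the incoming interface, so the
# service must listen on that address and not only on 127.0.0.1.
nat_rules() {
    $IPT -t nat -A PREROUTING -p tcp --dport "$FROM_PORT" \
        -j REDIRECT --to-ports "$TO_PORT"
    $IPT -t nat -A OUTPUT -o lo -p tcp --dport "$FROM_PORT" \
        -j REDIRECT --to-ports "$TO_PORT"
}

# filter table: INPUT sees the translated port, so the ACCEPT must name
# 5432 (not 390) and sit ahead of the chain's final REJECT.
filter_rules() {
    $IPT -I "$INPUT_CHAIN" 1 -p tcp -m state --state NEW \
        --dport "$TO_PORT" -j ACCEPT
}

# LOG rules as suggested in the thread: one before the rewrite (dport 390)
# and one after it (dport 5432) show the translation in the kernel log.
log_rules() {
    $IPT -t nat -I PREROUTING 1 -p tcp --dport "$FROM_PORT" \
        -j LOG --log-prefix "pre-redirect: "
    $IPT -I "$INPUT_CHAIN" 1 -p tcp --dport "$TO_PORT" \
        -j LOG --log-prefix "post-redirect: "
}

# Read an "iptables -n -L -v" listing on stdin and exit 0 if some ACCEPT of
# tcp/$1 is not limited to the loopback interface.
# Columns with -v: pkts bytes target prot opt in out source destination ...
accepts_translated_port() {
    awk -v port="$1" '
        $3 == "ACCEPT" && $4 == "tcp" && $6 != "lo" &&
        $0 ~ ("dpt:" port "( |$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed listing in the shape of the thread's output (numeric, -n).
# Like the original it has no rule for 5432.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 7573   21M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
  206 24045 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Exit 0 when the listing on stdin would let redirected eth0 traffic in.
check_listing() {
    accepts_translated_port "$TO_PORT"
}

case "${1:-}" in
    apply)  nat_rules; filter_rules ;;
    check)  $IPT -n -L -v | check_listing && echo "tcp/$TO_PORT accepted" \
              || echo "no ACCEPT for tcp/$TO_PORT: redirected packets are rejected" ;;
    *)      printf '%s\n' "$SAMPLE_LISTING" | check_listing \
              || echo "sample listing lacks an ACCEPT for tcp/$TO_PORT" ;;
esac
```

Run it with no argument to see the check fail on the constructed listing, with "check" against the live ruleset (iptables -n -L -v, as stan asked for), and with "apply" as root to install the rules. Two caveats from the listing itself: the PREROUTING REDIRECT counter reads 0 packets, so confirm with the pre-redirect LOG rule or tcpdump that port-390 traffic actually arrives on eth0 before blaming the filter table; and because REDIRECT rewrites the destination to eth0's own address, PostgreSQL must be listening on that address and not only on localhost.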
More information about the fedora-list mailing list