REDIRECTing with iptables in the ipchains fashion

KORN Andras korn@chardonnay.math.bme.hu
Sat, 1 Apr 2000 19:06:36 +0200


Hi,

please Cc: any replies to korn@chardonnay.math.bme.hu as I'm not on the
list. Thanks.

I've read the Linux 2.4 NAT HOWTO and it is not entirely clear to me how I
can accomplish the following:

I want incoming packets from all but some source addresses to a certain port
on my box to be forwarded to a different port on my box. With ipchains I did
something like:

ipchains -A input -p tcp -d myip port -j chain
ipchains -A chain -s someaddress1 -j ACCEPT
ipchains -A chain -s someaddress2 -j ACCEPT
ipchains -A chain -j REDIRECT otherport

With iptables, I can't just add a DNAT rule to the PREROUTING chain, because
packets from someaddress1 and 2 would be redirected as well.

It seems to me that the best (perhaps only) way to handle this situation
would be to move the whole thing to the nat table, like so:

iptables -t nat -N chain
iptables -t nat -A PREROUTING -p tcp -d myip --dport port -j chain
iptables -t nat -A chain -s someaddress1 -j ACCEPT
iptables -t nat -A chain -s someaddress2 -j ACCEPT
iptables -t nat -A chain -p tcp -j REDIRECT --to-ports otherport

Is that right?

Locally generated packets do not traverse the PREROUTING chain, do they? If
they don't, I have to add the second rule above to the OUTPUT chain as well,
don't I? (Please disregard issues of optimality here. :)

Andrew

-- 
  Andrew Korn (Korn Andras) <korn@eik.bme.hu>  http://goliat.eik.bme.hu/~korn
    Finger korn@goliat.eik.bme.hu for pgp key.  Homepage is obsolete. QOTD:
                 Love is being stupid together. -- Paul Valery