Redirecting local port
Patrick Schaaf
bof@bof.de
Mon, 3 Dec 2001 19:48:55 +0100
Hi Tal,
On Mon, Dec 03, 2001 at 09:21:24AM -0800, Tal Dayan wrote:
>
> We are porting our rules from ipchains to iptables and are trying to use a
> similar redirection rule as suggested below.
>
> The problem is that for the redirection to work, we need to add an additional
> rule that opens the destination port (8000).
>
> Are we doing something wrong? In ipchains, we used to do it with a single
> redirection rule. It seems that with iptables, the redirected packet is
> subject to filtering from scratch.
That is correct. The nat and filter tables are pretty much independent;
you use the NAT table to set up conntracking entries for rewriting
the packet's headers (source or destination IP, possibly with port
mapping when masquerading or redirecting). In addition, the filter
table then sees the modified packet, and must allow that.
ipfwadm and ipchains did some things automatically, which were separated
in the netfilter/iptables rewrite. The result is architecturally much
cleaner, but for some uses - like this - things appear slightly more
complicated.
Short summary:
The mangle table sees all packets, and maybe alters them.
The nat table sees the first packet of NEW conntracks, and reroutes.
The filter table alone decides whether to let any packet pass.
Logical, isn't it?
best regards
Patrick
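Added example, not part of the list post: the two rules a REDIRECT needs under iptables, one in the nat table and one in the filter table, for the port 8000 case from the thread. The inside interface eth0 and the original port 80 are assumed values, and the DRY_RUN switch is added so the rule set can be previewed without root.

```shell
#!/bin/sh
# Added example (not from the list post). Assumptions: eth0 is the inside
# interface and 80 is the port clients connect to; both are constructed.
IPT="${IPT:-iptables}"

# run() executes a rule, or only prints it when DRY_RUN=1, so the rule set
# can be reviewed on a machine without iptables or root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# redirect_port IN_IF FROM_PORT TO_PORT
redirect_port() {
    in_if=$1; from=$2; to=$3

    # nat table: consulted only for the first packet of a NEW connection.
    # REDIRECT rewrites the destination to this host and port $to; the
    # conntrack entry then applies the same rewrite to the rest of the flow.
    run -t nat -A PREROUTING -i "$in_if" -p tcp --dport "$from" \
        -j REDIRECT --to-ports "$to"

    # filter table: sees the packet *after* the rewrite, so it must accept
    # the rewritten port ($to), not the original ($from). Without this rule
    # a default-DROP INPUT policy silently swallows the redirected packets.
    run -t filter -A INPUT -i "$in_if" -p tcp --dport "$to" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Later packets of the flow (and replies) pass on conntrack state alone.
    run -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Apply as root:          redirect_port eth0 80 8000
# Preview without root:   DRY_RUN=1 redirect_port eth0 80 8000
```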