iptables for port forwarding

John Lash jkl at sarvega.com
Tue Nov 30 14:26:57 CET 2004


> I tried doing this:
> /sbin/iptables -A FORWARD -p tcp --dport 80 -j ACCEPT 
> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT
> --to 127.0.0.1:5900 
> 
> But the VNC client hangs for a while before timing out when I try to
> connect to it.
> 
> Ideas on how to achieve the desired result?
> 
> Thanks,
> 
> Nick
> 

I suspect that you won't be able to redirect to 127.x.x.x. Check out this
thread:
	https://lists.netfilter.org/pipermail/netfilter/2002-November/040104.html

He comes to the conclusion that you can't redirect packets to localhost because
the kernel refuses to route a packet from an external ip to a destination on the
127.x.x.x network. I haven't yet verified that in the code but it sounds
reasonable enough.

I played with something similar for a while and was also unsuccessful. Needless
to say, if you find a way to do this, short of hacking the routing code, please
post back. Seems to be a fairly common wish.

The usual way to forward the port to localhost is to use ssh. There are many
references to that on the net.

--john
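Added example, not from this thread: a dry-run generator for the rule set the original poster was after. It takes the two in-kernel alternatives to DNATing at 127.0.0.1 (the REDIRECT target when the service listens on the interface address, or the route_localnet sysctl of Linux 3.6 and later, which did not exist at the time of this mail, when the service is bound to loopback). The functions, the SYSCTL_ROOT override and the printed commands are my assumptions, not the list's advice.

```shell
#!/bin/sh
# Emit nat rules that forward incoming TCP traffic on one port to a local
# service without DNATing to 127.0.0.1, which the router drops as a martian
# destination. Commands are printed, not run, so no root is needed.

# Return 0 when $1 lies in 127.0.0.0/8, the block the original rule targeted.
is_loopback() {
    case "$1" in
        127.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# gen_rules <in-interface> <public port> <local port> <service bind address>
# SYSCTL_ROOT (hypothetical, for tests) replaces /proc/sys so the
# route_localnet check can run against a constructed tree.
gen_rules() {
    iface=$1; pub=$2; local_port=$3; bind=$4
    root=${SYSCTL_ROOT:-/proc/sys}
    if is_loopback "$bind"; then
        knob="$root/net/ipv4/conf/$iface/route_localnet"
        if [ ! -e "$knob" ]; then
            echo "error: $bind:$local_port needs route_localnet (Linux >= 3.6);" \
                 "bind the service to the $iface address or use an ssh tunnel" >&2
            return 1
        fi
        # Caveat: route_localnet lets DNAT reach every loopback-bound service
        # on this host, so the INPUT rule below is what limits exposure.
        echo "sysctl -w net.ipv4.conf.$iface.route_localnet=1"
        echo "iptables -t nat -A PREROUTING -i $iface -p tcp --dport $pub" \
             "-j DNAT --to-destination $bind:$local_port"
    else
        # REDIRECT rewrites the destination to the incoming interface address.
        echo "iptables -t nat -A PREROUTING -i $iface -p tcp --dport $pub" \
             "-j REDIRECT --to-ports $local_port"
    fi
    # Traffic redirected to the host itself traverses INPUT, not FORWARD, so
    # the FORWARD ACCEPT rule in the original attempt never matched.
    echo "iptables -A INPUT -i $iface -p tcp --dport $local_port -j ACCEPT"
}
```

Apply the output as root with `gen_rules eth0 80 5900 0.0.0.0 | sh` after reviewing it.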
