iptables for port forwarding

John Lash jkl at sarvega.com
Tue Nov 30 14:26:57 CET 2004

> I tried doing this:
> /sbin/iptables -A FORWARD -p tcp --dport 80 -j ACCEPT 
> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT
> --to 
> But the VNC client hangs for a while before timing out when I try to
> connect to it.
> Ideas on how to achieve the desired result?
> Thanks,
> Nick

I suspect that you won't be able to redirect to 127.x.x.x. Check out this

He comes to the conclusion that you can't redirect packets to localhost because
the kernel refuses to route a packet from an external IP to a destination on the
127.x.x.x network. I haven't yet verified that in the code but it sounds
reasonable enough.

I played with something similar for a while and was also unsuccessful. Needless
to say, if you find a way to do this, short of hacking the routing code, please
post back. Seems to be a fairly common wish.

The usual way to forward the port to localhost is to use ssh. There are many
references to that on the net.
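
A check for the failure described in this message, added as an example that is not part of the original post: it scans iptables command lines for a PREROUTING DNAT whose target lies in 127.0.0.0/8, the case the message says the kernel refuses to route. The function names, the sample rules and the address 192.0.2.10 are constructed for illustration.

```python
import ipaddress
import shlex

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnat_target(rule):
    """Return (chain, first DNAT address) for an iptables command line, else None."""
    args = shlex.split(rule)
    chain = target = dest = None
    # Walk option/value pairs; a trailing option with no value is ignored.
    for opt, val in zip(args, args[1:]):
        if opt in ("-A", "-I", "--append", "--insert"):
            chain = val
        elif opt in ("-j", "--jump"):
            target = val
        elif opt in ("--to", "--to-destination"):
            dest = val
    if target != "DNAT" or dest is None:
        return None
    # Accepted value forms: addr, addr:port, addr-addr, addr-addr:port
    host = dest.split(":", 1)[0].split("-", 1)[0]
    try:
        return chain, ipaddress.ip_address(host)
    except ValueError:
        return None

def loopback_dnat_rules(rules):
    """Rules that DNAT externally received traffic (PREROUTING) to 127.0.0.0/8."""
    flagged = []
    for rule in rules:
        parsed = dnat_target(rule)
        if parsed and parsed[0] == "PREROUTING" and parsed[1] in LOOPBACK:
            flagged.append(rule)
    return flagged

# Constructed sample rules (not taken from the thread).
SAMPLE_RULES = [
    "/sbin/iptables -A FORWARD -p tcp --dport 80 -j ACCEPT",
    "/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 127.0.0.1:5900",
    "/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to-destination 192.0.2.10:5900",
    "/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to",  # value missing
    "/sbin/iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to 127.0.0.1:5900",  # local traffic, other case
]

if __name__ == "__main__":
    for rule in loopback_dnat_rules(SAMPLE_RULES):
        print("PREROUTING DNAT to loopback:", rule)
```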

