[Bug 429] -j REDIRECT does not appear to work correctly

bugzilla-daemon at bugzilla.netfilter.org bugzilla-daemon at bugzilla.netfilter.org
Mon Feb 27 01:04:31 CET 2006


James.Schatzman at futurelabusa.com changed:

           What    |Removed                     |Added
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

------- Additional Comments From James.Schatzman at futurelabusa.com  2006-02-27 01:04 MET -------
Thanks for the info. Sorry to be persistent. I found a solution and the only
reason I have been documenting this issue is to help the community and future
iptables users.

I still feel that there is a problem, if nothing else, with the man page,
various on-line help sources, and several books on the topic of iptables and

Here is what the man page for iptables v1.3.0 states for -REDIRECT:

"It alters the destination IP address to send the packet to the machine itself (locally-generated packets are mapped to the address)"

Here is what the iptables tutorial says:
"The REDIRECT target is used to redirect packets and streams to the machine
itself....Locally generated packets are mapped to the address. "

This does not say anything about which of the possibly many IP addresses it
uses. My assumption was that if the target IP address is one of the host's IP
addresses, it would be unchanged. The respondent says it uses the "Primary IP
Address".  Some experimentation indicates that this is indeed what is happening.

Shouldn't the documentation be clearer on that point?  It is apparently
sufficiently unclear that several book authors seem to be confused on that point
- Suehring & Ziegler, Linux Firewalls - is as vague as the man page; same for
Shinn & Shinn, Troubleshooting Linux Firewalls.

Also, I would like to point out that there have been numerous queries on the
Internet - people asking why REDIRECT doesn't work the way they expected. I
tried that first - there were no answers that worked.

Numerous sources suggest using REDIRECT to redirect ports, such as 80, to
proxies or unprivileged ports (such as 8080). For example, manufacturers of
various web servers make this recommendation. If the authors of these notes are
aware that this works only when the real service is listening on the server's
PRIMARY IP, they don't spell it out.

I REALLY DO appreciate the help. Just would like to help the next person by
getting the document to spell out a bit more clearly what REDIRECT does.
