iptables question (was Re: Squid question)
Tim Wunder
tim
Mon May 17 11:57:17 PDT 2004
On Wednesday 24 December 2003 9:57 am, someone claiming to be David A. Bandel
wrote:
> On Wed, 24 Dec 2003 09:40:53 -0500
>
> Tim Wunder <tim at thewunders.org> wrote:
> > On Wednesday 24 December 2003 12:24 am, someone claiming to be M.W. Chang wrote:
> > > to redirect localhost port 80, try this:
> > >
> > > iptables -t nat -A PREROUTING -i lo -p tcp --dport 80 -j REDIRECT --to-port 3128
>
> Think. Is the request coming _in_ or going _out_? It's going _out_ to
> someplace else. Its destination (incoming to _them_) is IP:port,
> xxx.xxx.xxx.xxx:80. So you're _half_ right (--dport 80). Try -o lo for the
> _output_ device.
>
Well, FWIW, that WAS something I tried back when I was still trying to do this
with eth0. Unfortunately:
# iptables -t nat -A PREROUTING -o lo -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables v1.2.8: Can't use -o with PREROUTING
Try `iptables -h' or 'iptables --help' for more information.
So what gets used? OUTPUT instead of PREROUTING? It *is* OUTPUT after all,
right?
This seems right, at least the way I'm reading:
http://www.thewunders.org/SxS/security/iptables/iptables-tutorial.html#TRAVERSINGOFTABLES
(my mirror of the sxs site), "OUTPUT This chain can be used to NAT outgoing
packets from the firewall itself."
But when I try
# iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 3128
even though I don't get the error, the result doesn't do what I want. The
effect seems no different than using -i lo and PREROUTING.
OK, what am I missing? Perhaps if I specify the source host of the packet to
the OUTPUT chain, like this:
# iptables -t nat -A OUTPUT -s 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-port 3128
Doesn't this say:
Add to the OUTPUT chain a nat rule for tcp packets originating from localhost
and destined for port 80 that redirects them to port 3128?
Obviously not, cuz that doesn't work either. I shall continue to read the
tutorial, but I'm obviously incapable of grasping this, despite your best
efforts to get me to "think."
Regards,
Tim
--
Fedora Core 1, Kernel 2.4.22-1.2129.nptl, KDE 3.1.4, Xfree86 4.3.0
12:00:00 up 15 days, 14:49, 1 user, load average: 0.66, 0.16, 0.08
It's what you learn after you know it all that counts
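A worked version of the rule Tim is after, added here as an illustration and not taken from any message in the thread: packets the firewall host generates itself traverse the nat OUTPUT chain and leave through the external interface, so the redirect goes in OUTPUT with no interface or 127.0.0.1 source match. It assumes Squid listens on 3128 and runs as the user "squid" (both assumptions), and IPT can be set to "echo iptables" to preview the rules instead of applying them.

```shell
#!/bin/sh
# Added example: send HTTP traffic generated on the firewall itself into a
# local Squid. Locally generated packets never pass PREROUTING; they pass
# nat OUTPUT and leave via the external interface, so "-o lo" and
# "-s 127.0.0.1" never select them.
# Assumptions (not from the thread): Squid runs as user "squid" on port 3128.
IPT="${IPT:-iptables}"          # set IPT="echo iptables" for a dry run
SQUID_USER="${SQUID_USER:-squid}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Rules in order. Exclusions come first: Squid's own fetches from origin
# servers must not be looped back into Squid, and loopback traffic is left alone.
install_local_redirect() {
    # owner match is only valid in OUTPUT; it lets Squid's own sockets through
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner "$SQUID_USER" -j RETURN
    # traffic the host sends to itself over loopback is not proxied
    $IPT -t nat -A OUTPUT -o lo -j RETURN
    # everything else this host sends to port 80 is redirected to Squid
    $IPT -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
}

# Render the rules as text (subshell keeps the dry-run IPT local).
render_rules() {
    ( IPT="echo iptables"; install_local_redirect )
}

# Review the rendered set: the redirect must be in nat OUTPUT, not PREROUTING,
# and the owner exclusion must precede it or Squid would proxy itself.
check_rules() {
    rules=$(render_rules)
    echo "$rules" | grep -q -- '-A PREROUTING' && return 1
    echo "$rules" | grep -q -- '-t nat -A OUTPUT .* -j REDIRECT --to-port' || return 1
    own=$(echo "$rules" | grep -n -- '--uid-owner' | cut -d: -f1)
    red=$(echo "$rules" | grep -n -- '-j REDIRECT' | cut -d: -f1)
    [ "$own" -lt "$red" ]
}
```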