iptables redirect
Jack Bowling
jbinpg at shaw.ca
Sat Jan 12 00:53:23 UTC 2008
On Sun, Dec 23, 2007 at 02:11:01PM +0100, Leo Cacciari wrote:
>
> Il giorno ven, 21/12/2007 alle 16.47 +0100, Luca Ferrari ha scritto:
> > Hi,
> > I'd like to open a port on my firewall to redirect to a testing web server
> > machine, thus I'm doing:
> >
> > $IPTABLES -t nat -I PREROUTING -i $EXT_INTF -p tcp -d $FIREWALL --dport 9999 -s 0/0 -j DNAT --to $SONY:80 -v
> > $IPTABLES -I FORWARD -p tcp -i $EXT_INTF --dport 9999 -d $SONY -j ACCEPT
> > $IPTABLES -I FORWARD -p tcp -i $EXT_INTF --dport 80 -d $SONY -j ACCEPT
> >
> > $SONY is my destination machine, and I'd like to have the connection opened
> > from port 9999 on my firewall's external interface to port 80 on sony, but this is
> > not working. If I try to connect I get connection refused.
> > Any idea?
> Hi Luca,
> I had a similar problem the first time I did a setup like the one you
> proposed. The problem is that the packets to be forwarded have to go
> through the INPUT chain before they even reach the FORWARD one. Thus you
> should have something like this
>
> $IPTABLES -A INPUT -i $EXT_INTF -p tcp -d $FIREWALL --dport 9999 -j
> ACCEPT
>
> in your firewall script.
>
> Beware that I've not tried the above right now, so be careful. The best
> thing to do is to look up the documentation, keeping in mind my remark at
> the beginning, that is to say that packets should pass the INPUT chain
> before getting to the FORWARD chain or to the nat table.
>
> --
> Leo "TheHobbit" Cacciari
Sorry, Leo, but I believe the INPUT and FORWARD chains are independent. The
decision as to which chain a packet is diverted to is made by the low-level
kernel netfilter code before it even hits a chain. If it is bound for the
receiving IP then it goes through the INPUT chain. If it is bound for a remote
IP then it hits the FORWARD chain. The following link has a good diagram:
http://home.regit.org/?page_id=10
The "Managing address translation" section has the necessary rules to allow a LAN webserver to be seen by a local machine.
Jack
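The rule set Jack's description implies, as an added example that is not from the thread or the linked page: the DNAT happens in nat/PREROUTING before the routing decision, so the rewritten packet is routed towards $SONY and only ever traverses FORWARD, which must therefore match the translated port (80) rather than 9999. The variable names are the thread's; the interface and addresses are placeholders, and DRY_RUN=1 (the default) only prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: EXT:9999 -> SONY:80 port forward kept entirely in FORWARD.
# Values below are placeholders (RFC 5737 / RFC 1918 addresses); replace them.
IPTABLES="${IPTABLES:-iptables}"
EXT_INTF="${EXT_INTF:-eth0}"           # placeholder external interface
FIREWALL="${FIREWALL:-203.0.113.10}"   # placeholder public address of the firewall
SONY="${SONY:-192.168.1.20}"           # placeholder LAN web server
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = apply them (needs root)

# run: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dnat_rules: emit the rules needed for the forward
dnat_rules() {
    # 1. nat/PREROUTING rewrites the destination BEFORE routing, so the packet
    #    is then routed to $SONY and enters FORWARD, never INPUT. Matching
    #    -d $FIREWALL keeps the rule from redirecting traffic to other hosts.
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXT_INTF" -p tcp \
        -d "$FIREWALL" --dport 9999 -j DNAT --to-destination "$SONY:80"
    # 2. FORWARD sees the TRANSLATED packet: dst $SONY, dport 80.
    #    A FORWARD rule matching --dport 9999 would never match here.
    run "$IPTABLES" -A FORWARD -i "$EXT_INTF" -p tcp -d "$SONY" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
    # 3. Replies from $SONY travel back through FORWARD as ESTABLISHED.
    run "$IPTABLES" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. The kernel must be allowed to route between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1
}

# forward_dport: the port the FORWARD accept rule matches (80, not 9999)
forward_dport() {
    dnat_rules | sed -n 's/.*-A FORWARD .*--dport \([0-9]*\).*/\1/p'
}

dnat_rules
```

With DRY_RUN=0 the same script applies the rules; check the packet counters afterwards with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` to see which rule the test connection actually hits.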