[SOLVED] Iptables redirect from one local port to another

dr_doom · 02-27-2011, 03:50 AM

Hello,

I need some help with creating my iptables rules.
I would like to redirect all requests coming to port 80 to port 8080.
I've tried with DNAT and REDIRECT and they both work fine, but also I would like to block port 8080 to be not accessible from outside the box.

Here is an example of what I have done:

iptables -P INPUT DROP
iptables -P OUTPUT DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 80 --to-ports 8080

If I set the default policy for INPUT and OUTPUT to DROP, the redirection does not work.
I've tried also to add the following two:

iptables -A INPUT -i eth0 -p tcp -s 192.168.1.5 -d 192.168.1.5 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -s 192.168.1.5 -d 192.168.1.5 -j ACCEPT

The IP 192.168.1.5 is where is bound the service listening to port 8080.

If I leave the default policies to ACCEPT everyone is able to access the service via both ports 80 and 8080, but I would like to prevent the access to port 8080.

Thanks in advance.

nimnull22 · 02-28-2011, 06:42 AM

iptables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 80 --to-ports 8080

This rule just changes destination port, from 80 to 8080 and doesn't the destination IP.
So the packet goes into INPUT or FORWARD chain, but they have their own rules DROP or ACCEPT.
I suggest to change default rules to ACCEPT and filter out unwanted packets in the INPUT or FORWARD chain.

Thanks

win32sux · 02-28-2011, 10:19 PM

You could try the approach I outlined over here. Example:

Code:

iptables -t mangle -A PREROUTING -i eth0 -p TCP --dport 8080 -j MARK --set-mark 666
iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 80 -j REDIRECT --to-port 8080
iptables -I INPUT -m mark --mark 666 -j DROP
iptables -A INPUT -i eth0 -p TCP --dport 8080 -j ACCEPT