Port translation

IKnowNot at comcast.net
Sun Jul 13 20:29:46 UTC 2008


Uno Engborg wrote:
> stan wrote:
>> Uno Engborg wrote:
>>> stan wrote:
>>>> Uno Engborg wrote:
>>>>> Rüdiger Pretzlaff wrote:
>>>>>>
>>>>>> On 12.07.2008 at 12:21 Uno Engborg wrote:
>>>>>>
>>>>>>> For various reasons I would like to forward traffic to port 390 
>>>>>>> to port 5432 on the same host. One would think this would be a
>>>>>>> simple task for iptables but I have now tinkered with this for 
>>>>>>> two days, and I still fail to get it right.
> ................


> Port redirection now works locally, but not on the eth0 interface.
> 
> 
> Regards
> Uno Engborg
> 

Since you didn't use --line-numbers, it is harder to look at, but after 
sorting:

Packets coming into eth0 that you are redirecting are being NAT-ed in 
the PREROUTING chain, then are being sent to the RH-Firewall-1-INPUT 
chain via the INPUT chain.  They are being dropped there.

iptables -I RH-Firewall-1-INPUT -m state -p tcp -i eth0 --dport 5432 \
    --state NEW -j ACCEPT

iptables -I RH-Firewall-1-INPUT -m state -p tcp -i eth0 --dport 5432 \
    --state NEW -j LOG --log-level info --log-prefix "new in eth0 5432: "



The above commands place rules at the head of the RH-Firewall-1-INPUT 
chain to first log, then accept, any TCP packets destined for port 5432 
that are new.  You already have one that accepts related and established 
TCP packets, so the others should be allowed through.  And logging only the 
new packets will keep your logs down but allow you to know who attempted 
to connect.

It is important to run the commands in the order shown if you use a 
shell.  That will first place the ACCEPT rule at the top of the 
chain, then place the logging rule above that.  You need to log it first, 
before you accept, or it won't hit the log!  If you insert them another 
way, just make sure the logging line is above the ACCEPT line when you 
list your rules.  (You don't really need the log rule, but it helps, 
especially when testing rules.)


Hope this helps!

IKnowNot
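As an added illustration, not part of the thread above: a small POSIX sh check for the "logging line above the ACCEPT line" ordering the post describes, run against a constructed `iptables -L RH-Firewall-1-INPUT -n -v --line-numbers` listing rather than a live firewall. The function names `rule_num` and `check_log_before_accept` and the sample listing are my own.

```shell
#!/bin/sh
# Constructed sample of `iptables -L RH-Firewall-1-INPUT -n -v --line-numbers`
# after the two -I commands were run in the order the post gives (ACCEPT
# first, then LOG, so LOG ends up on top). Not output from a real host.
GOOD_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432 state NEW LOG flags 0 level 6 prefix "new in eth0 5432: "
2        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432 state NEW
3      120  9000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
4        5   300 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Same rules inserted in the opposite order: ACCEPT sits above LOG, so new
# connections are accepted before the LOG rule is ever evaluated.
BAD_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432 state NEW
2        0     0 LOG        tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5432 state NEW LOG flags 0 level 6 prefix "new in eth0 5432: "
3      120  9000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# rule_num LISTING TARGET PORT
# Prints the rule number of the first rule whose target column is TARGET
# and that matches "dpt:PORT" exactly (not dpt:PORT1...), or nothing.
# With -v the columns are: num pkts bytes target prot opt in out src dst,
# so the target is field 4; header lines are skipped because field 1 is
# not numeric.
rule_num() {
    printf '%s\n' "$1" | awk -v tgt="$2" -v port="$3" '
        $1 ~ /^[0-9]+$/ && $4 == tgt && $0 ~ ("dpt:" port "( |$)") {
            print $1; exit
        }'
}

# check_log_before_accept LISTING PORT
# Returns 0 when a LOG rule for PORT is listed above the ACCEPT rule for
# PORT (new connections get logged before they are accepted), 1 otherwise,
# including when either rule is missing.
check_log_before_accept() {
    log_n=$(rule_num "$1" LOG "$2")
    acc_n=$(rule_num "$1" ACCEPT "$2")
    [ -n "$log_n" ] && [ -n "$acc_n" ] && [ "$log_n" -lt "$acc_n" ]
}

if check_log_before_accept "$GOOD_LISTING" 5432; then
    echo "ok: LOG rule is above ACCEPT for dport 5432"
fi
if ! check_log_before_accept "$BAD_LISTING" 5432; then
    echo "wrong order: ACCEPT is above LOG, new connections will not be logged"
fi
```

To check a real chain, replace the constructed strings with `"$(iptables -L RH-Firewall-1-INPUT -n -v --line-numbers)"`.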