From: James
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: iptables question
Date: Fri, 20 Jan 2006 20:41:06 +0000 (UTC)
References: <200601201249.25509.dmitry@athabascau.ca>
List-Id: Gentoo Linux mail
User-Agent: Loom/3.14 (http://gmane.org/)
X-Archives-Hash: 441c5944aac77abc096d7646ddaa32d7

Dmitry S. Makovey athabascau.ca> writes:

> Somewhat off-topic, but since I need any help I can get:
> how do I redirect traffic from the outward-facing interface
> (192.168.1.114:80) to the loopback device (127.0.0.1:80)?
> My most obvious trick:
>
>     iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
>         -j DNAT --to 127.0.0.1:80
>
> and
>
>     echo 1 > /proc/sys/net/ipv4/ip_forward
>
> didn't help. The machine which is opening the connection hangs there
> indefinitely...
> What did I miss?

Well, let me start off by saying that I'm still learning the details of
iptables.....

An excellent book has been recommended and I can confirm it is wonderful:
"Linux Firewalls, Third Edition", 2005, by Steve Suehring and Robert L.
Ziegler, Novell Press. There are many examples covering forwarding, port
redirection, DMZs and proxies.

It's hard to tell exactly what you are doing, or what you want to do.

From the book, "Enabling the Loopback Interface", page 111:

"Local services rely on the loopback network interface. After the system
boots, the system's default policy is to accept all packets. Flushing any
pre-existing chains has no effect. However, if the firewall is being
reinitialized and had previously used a deny-by-default policy, the drop
policy would still be in effect. Without any acceptance firewall rules,
the loopback interface would still be inaccessible. Because the loopback
interface is a local, internal interface, the firewall can allow loopback
traffic immediately:

    # for unlimited traffic on the loopback interface
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
"

Granted this is related to an example in the book, but hopefully it helps.
If you get frustrated, send me private email; maybe I can help. I will try.

Some folks on the list do not believe that direct control of iptables is
wise. I dissent. Knowledge of iptables is of extreme value, but difficult
to master.
I'd like to see many examples of iptables for 2.6 kernels published.
Updated material on iptables + 2.6 kernels is scarcely available on the
net.

hth,
James

-- 
gentoo-user@gentoo.org mailing list
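As an added example (my own script, not part of the thread or the book quoted in it), the following POSIX shell audit reads an iptables-save style dump and checks the two things this thread turns on: whether a deny-by-default filter table still lets loopback traffic through, and whether any PREROUTING DNAT rule points at a 127.0.0.0/8 address. The dump embedded in SAMPLE_RULES is constructed for the example (it deliberately has the loopback ACCEPT rule in INPUT but not in OUTPUT, and carries the DNAT rule from the question); on a real host you would feed the output of `iptables-save` instead. The function names are my own.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the loopback ACCEPT rules
# the book excerpt describes, and flag DNAT rules that target 127.0.0.0/8.
# Everything in SAMPLE_RULES is constructed for this example.

SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -d 192.168.1.114 --dport 80 -j DNAT --to-destination 127.0.0.1:80
COMMIT'

# chain_policy DUMP CHAIN -> prints the chain's default policy (ACCEPT/DROP)
# taken from the ":CHAIN POLICY [pkts:bytes]" line of the dump.
chain_policy() {
  printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# has_lo_rule DUMP CHAIN FLAG -> succeeds if "-A CHAIN FLAG lo -j ACCEPT"
# is present (FLAG is -i for INPUT, -o for OUTPUT).
has_lo_rule() {
  printf '%s\n' "$1" | grep -q -- "^-A $2 $3 lo -j ACCEPT\$"
}

# loopback_status DUMP -> prints "ok" when loopback traffic is accepted in
# both directions, otherwise names the DROP-policy chains lacking the rule.
loopback_status() {
  dump=$1
  missing=""
  if ! has_lo_rule "$dump" INPUT -i; then
    [ "$(chain_policy "$dump" INPUT)" = DROP ] && missing="$missing INPUT"
  fi
  if ! has_lo_rule "$dump" OUTPUT -o; then
    [ "$(chain_policy "$dump" OUTPUT)" = DROP ] && missing="$missing OUTPUT"
  fi
  if [ -z "$missing" ]; then
    echo ok
  else
    echo "loopback blocked in:$missing"
  fi
}

# loopback_fix DUMP -> prints the iptables commands (from the book excerpt)
# that would add whichever loopback ACCEPT rule is missing.
loopback_fix() {
  dump=$1
  if ! has_lo_rule "$dump" INPUT -i; then
    echo "iptables -A INPUT -i lo -j ACCEPT"
  fi
  if ! has_lo_rule "$dump" OUTPUT -o; then
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
  fi
}

# dnat_to_loopback DUMP -> prints DNAT rules whose destination is in
# 127.0.0.0/8. The kernel treats such packets arriving on a non-loopback
# interface as martians and drops them unless
# net.ipv4.conf.<iface>.route_localnet=1 is set (Linux 3.6 and later).
dnat_to_loopback() {
  printf '%s\n' "$1" | grep -- '-j DNAT --to-destination 127\.' || true
}

# Run the audit against the constructed dump.
loopback_status "$SAMPLE_RULES"
loopback_fix "$SAMPLE_RULES"
dnat_to_loopback "$SAMPLE_RULES"
```

Run against the sample it reports "loopback blocked in: OUTPUT", prints the one missing ACCEPT command, and lists the DNAT rule from the question. That last finding is the practical caveat: a PREROUTING DNAT to 127.0.0.1 never reaches a listener on the loopback address on a kernel without route_localnet, so for a service on the same host the usual choice is `-j REDIRECT`, which rewrites the destination to the primary address of the incoming interface rather than to loopback.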