I'm using CentOS 6.5 and I added the following commands to my iptables to forward all incoming traffic on port 8088 to 4569:
iptables -A PREROUTING -t nat -p udp --dport 8088 -i eth0 -j DNAT --to-destination 127.0.0.1:4569
iptables -I FORWARD 1 -d 127.0.0.1 -p udp --dport 4569 -j ACCEPT
iptables --list shows the following output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere localhost.localdomain udp dpt:iax
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
But when I take a packet trace on UDP port 4569 I don't see any packets on that port. Then I added this:
iptables -A PREROUTING -t nat -p udp --dport 8088 -i eth0 -j REDIRECT --to-ports 4569
And my iptables nat table looks like this:
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8088 to:127.0.0.1:4569
2 REDIRECT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:8088 redir ports 4569
But still no luck. What am I doing wrong?
Best Answer
To redirect packets to the loopback interface you need to use the REDIRECT target. Otherwise, you will change the destination address before the routing decision is taken to 127.0.0.1. This means that it will be considered a martian packet by the kernel and dropped by your reverse path filtering policy. The two kernel parameters responsible for this behaviour are:
net.ipv4.conf.eth0.route_localnet
net.ipv4.conf.eth0.rp_filter
As you totally want to keep this legitimate behaviour, the REDIRECT chain must be used to bypass this condition for a certain rule.
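As an added example (not part of the answer above), a small POSIX shell audit that reads iptables-save style nat rules, flags DNAT rules aimed at 127.0.0.0/8 when route_localnet is 0, and rewrites them into the REDIRECT form the answer recommends; the sample rules and the helper names are constructed for this illustration.

```shell
#!/bin/sh
# Added example: audit nat rules for DNAT-to-loopback, the case the answer
# describes. The sample rules below are constructed, not taken from a real host.
SAMPLE_RULES='-A PREROUTING -i eth0 -p udp -m udp --dport 8088 -j DNAT --to-destination 127.0.0.1:4569
-A PREROUTING -i eth0 -p udp -m udp --dport 8088 -j REDIRECT --to-ports 4569
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.5:8080'

# flag_loopback_dnat ROUTE_LOCALNET
# Reads iptables-save style rules on stdin. Prints every DNAT rule whose
# target is in 127.0.0.0/8 and returns 1 if such a rule exists while
# route_localnet is 0 (the kernel would treat the packet as martian).
# With route_localnet=1, or when no such rule exists, it returns 0.
flag_loopback_dnat() {
  route_localnet="$1"
  found=0
  while IFS= read -r rule; do
    case "$rule" in
      *"-j DNAT"*"--to-destination 127."*)
        if [ "$route_localnet" = "0" ]; then
          echo "martian-prone: $rule"
          found=1
        fi
        ;;
    esac
  done
  return $found
}

# to_redirect
# Rewrites "-j DNAT --to-destination 127.a.b.c:PORT" on stdin into the
# equivalent "-j REDIRECT --to-ports PORT". Other rules pass through unchanged.
to_redirect() {
  sed -E 's/-j DNAT --to-destination 127\.[0-9.]+:([0-9]+)/-j REDIRECT --to-ports \1/'
}

# Live use (needs root):
#   iptables-save -t nat | flag_loopback_dnat "$(sysctl -n net.ipv4.conf.eth0.route_localnet)"
printf '%s\n' "$SAMPLE_RULES" | flag_loopback_dnat 0 || echo "fix with: iptables-save -t nat | to_redirect"
printf '%s\n' "$SAMPLE_RULES" | to_redirect
```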