Iptables: How to redirect all 8443 incoming and outgoing to 443

iptablesport-forwarding

So I understand that you need to allow the connection first (right?)

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Then you need to set up the redirect (right?)

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

Then also allow the outgoing response from 8443 go to 443 (right?)

iptables -t nat -I OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 8443

My scenario: I have an application server locally using 8443 but I want all traffic to connect using standard ports. I'm having problems with services that use my secure http port

ie. https://mywebsite.com   **NOT**  https://mywebsite.com/8443

Problem: I'm not sure my rules to iptalbes are correct

Best Answer

mangle - mark all incoming packets with dport 443 (second iptables chain)

-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x64/0xffffffff

nat - change destination port for market packets (third iptables chain)

-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -m mark --mark 0x64 -j DNAT --to-destination :8443

filter - accept marked packet with new dport (fifth iptables chain)

-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8443 -m mark --mark 0x64 -j ACCEPT

on older systems use -m state --state instead of -m conntrack --ctstate:

-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8443 -m mark --mark 0x64 -j ACCEPT

This is most efficient way, this is how RH utilities do it by default for local redirects.

enter image description here

Related Solutions

Iptables rule to block incoming/outgoing traffic to a Xen container

This rule worked ion my installation:

iptables -I FORWARD 1 -d [client-ip] -p tcp -m tcp --dport 53 -j DROP
iptables -I FORWARD 1 -d [client-ip] -p udp -m udp --dport 53 -j DROP

Notice that netfilter reads rules top-to-bottom and if you have a rule permitting all traffic to this client above (iptables -A adds rule to the end of the table), this new rule won't be reached and won't have effect.

I didn't understand why you use "state" module if you a listing all valid states? It just uses CPU time and has no effect IMHO.

Next, I'm not sure, what is the goal of blocking traffic, going from port 25. If you client sends ab e-mail, he connects to remote server's port 25 but uses one of local ports (32k..64k by default) on his side. Couldn't you explain, what do you want to get as a result?

Linux Port Forwarding to different IPs

Unless I am misunderstanding, why not simply map different target ports on the Linux Server to port 80 on the backend devices. For example:

Netbook --> 192.168.1.1:8080 (Linux Server) --> 192.168.0.2:80 (NAS)
Netbook --> 192.168.1.1:8081 (Linux Server) --> 192.168.0.1:80 (Router)

You already have the commands you need, you just need to set --dport to a different target port on the Linux Server, while specifying port 80 in --to-destination.

Best Answer

Related Solutions

Iptables rule to block incoming/outgoing traffic to a Xen container

Linux Port Forwarding to different IPs

Related Topic