top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Redirect traffic to loopback using IPTable?

+2 votes
289 views

I have an application that is listening only on the loopback by default, on port 8100.
Is there any way i can use iptables to make this accessible from outside?

posted Dec 3, 2015 by Kiran

Looking for an answer?  Promote on:
Facebook Share Button Twitter Share Button LinkedIn Share Button

Similar Questions
0 votes

Consider the following example: you have a router between two networks, and you want to cut off the
router from the outside world using some iptables rules. However, all traffic that is forwarded by the router between the two networks basically is to be ignored by iptables (i.e., the router does not play firewall for any of the two networks).

Currently, if conntrack is loaded on the router, then conntrack -L on the router lists all the connections, not only those to and from the router, but also all connections between the two. Certainly, it takes some CPU cycles for the router to keep track of all the connections. Also, the number of connections that conntrack can take of is limited.

So is there a way to let Linux "bypass" conntrack and maybe other netfilter stuff when it comes to forwarded packets?

+5 votes

I want to forward all http traffic coming in from a perticular IP at local port 8080, to 2 particular IP Addresses (port 80). Is it enough to prepend the following in my IPtable

-A PREROUTING -s xx.xx.xx.xx/24 -p tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
-A PREROUTING -s xx.xx.xx.xx/24 -p tcp --dport 8080 -j DNAT --to-destination yyy.yyy.yyy.yyy:80

0 votes

I am trying to queue the packets of a process so I can use libnetfilter_queue to modify them.

I read in the documentation that I should use --pid-owner processid to filter packets of a process and iptables -I

  -j NFQUEUE --queue-num  to add them to the queue.

I read the documentation but I am still confused how to do this. If any one can help me to understand this command I would appreciate it a lot.

+1 vote

After testing and looking at the kernel source, I realize that this mapping:

iptables -t nat -I PREROUTING -p tcp -m tcp --dport 30000:40000 -j DNAT --to [local_ip]:10000-2000

Doesn't do a one-to-one port mapping
e.g.:

100.0.0.1:30000 > 192.168.0.5:10000
100.0.0.1.30001 > 192.168.0.5:10001
100.0.0.1.30002 > 192.168.0.5:10002

I was wondering if it was possible to do the 1:1 port range forwarding to different port ranges or if you have to use individual rules.

+1 vote

I have a situation where I want to round-robin new http connections to different ports, but i'm finding that the following is resulting in a significant amount "falling through" to my catch-all on port 9000, rather than being evenly distributed across 8080-8084.

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 0 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 1 -j REDIRECT --to-port 8081
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 2 -j REDIRECT --to-port 8082
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 3 -j REDIRECT --to-port 8083
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 5 --packet 4 -j REDIRECT --to-port 8084
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 9000

it's about 80-20, where 80% are evenly distributed amongst 8080-8084 and 20% are winding up on 9000.

I'd prefer 100% evenly distributed on 8080-8084 and none on 9000. I put 9000 there as a catch-all "hack" because i found connections were failing to be caught by the 8080-8084 range.

...