iptables: redirecting single ip

I have: Workstation with OpenSuse 11.4 x64, single NetworkCard.
Task: redirect all local outgoing connections to ip x.x.x.x:80 to localhost:5222.

Tried this command:
iptables -t nat -A OUTPUT -p tcp -d x.x.x.x --dport 80 -j REDIRECT --to-ports 5222
After adding this rule I can’t connect to x.x.x.x:80 anymore; the connection hangs.
There are no other rules in the ‘nat’ table.

Also, I’ve tried to use DNAT command. Effect was the same.

How to make it work?


Having a LAN trace or /var/log/firewall output may help but where in your
rule did you specify the destination host? I see the port, but will that
just send to 5222 on the x.x.x.x machine rather than localhost?

Good luck.

On 04/05/2011 12:36 AM, a kireev wrote:
>
> I have: Workstation with OpenSuse 11.4 x64, single NetworkCard.
> Task: redirect all local outgoing connections to ip x.x.x.x:80 to
> localhost:5222.
>
> Tried this command:
> iptables -t nat -A OUTPUT -p tcp -d x.x.x.x --dport 80 -j REDIRECT
> --to-ports 5222
> After adding this rule I can’t connect to x.x.x.x:80 anymore; the
> connection hangs.
> There are no other rules in the ‘nat’ table.
>
> Also, I’ve tried to use DNAT command. Effect was the same.
>
> How to make it work?
>
>

Somewhere I saw that iptables doesn’t work properly on the ‘nat’ table for ‘OUTPUT’ packets, is that right?

According to the manual, the ‘REDIRECT’ command rewrites the packet’s target IP to local and the port to the specified one.

I want to reroute outgoing packets from the local machine to local port 5222. That command looks OK, but doesn’t work.

Your situation is similar to the rules that are used when all outgoing HTTP connections must be transparently directed to a web proxy, except that in your case you only want to enforce it for a single destination. You need a pair of rules, one to do the DNAT and the other to do the REDIRECT. See this HOWTO for squid and modify the two iptables rules there to limit the effect to one destination IP.

Linux: Setup a transparent proxy with Squid in three easy steps
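A check worth running before changing the rules (added here, not from the thread or the HOWTO; the listings are constructed samples and 203.0.113.10 stands in for x.x.x.x): parse the nat OUTPUT listing and the `ss -ltn` output, confirm the REDIRECT rule exists and is actually matching packets, and confirm that something listens where REDIRECT sends locally generated traffic, which is 127.0.0.1.

```python
import re

# Constructed `iptables -t nat -L OUTPUT -v -n` output; 203.0.113.10 stands in for x.x.x.x.
SAMPLE_NAT = """\
 pkts bytes target     prot opt in     out     source               destination
    7   420 REDIRECT   tcp  --  *      *       0.0.0.0/0            203.0.113.10         tcp dpt:80 redir ports 5222
"""

# Constructed `ss -ltn` output: port 5222 is bound to the NIC address only.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     192.0.2.5:5222      0.0.0.0:*
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*
"""

RULE_RE = re.compile(r"^\s*(\d+)\s+\d+\s+REDIRECT\s+tcp\s+--\s+\S+\s+\S+\s+\S+\s+(\S+)\s+"
                     r"tcp dpt:(\d+) redir ports (\d+)")

def find_redirect(listing, dst_ip, dport):
    """Return (packets_matched, to_port) of the REDIRECT rule for dst_ip:dport, else None."""
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(2) == dst_ip and int(m.group(3)) == dport:
            return int(m.group(1)), int(m.group(4))
    return None

def listener_addrs(ss_output, port):
    """Return the local addresses on which a TCP socket listens on `port`."""
    addrs = set()
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "LISTEN":
            addr, _, p = parts[3].rpartition(":")
            if p.isdigit() and int(p) == port:
                addrs.add(addr)
    return addrs

def diagnose(nat_listing, ss_output, dst_ip, dport):
    """Return 'missing', 'unmatched', 'no_listener' or 'ok' for the redirect of dst_ip:dport."""
    rule = find_redirect(nat_listing, dst_ip, dport)
    if rule is None:
        return "missing"
    pkts, to_port = rule
    if pkts == 0:
        return "unmatched"  # rule present but no packet has hit it yet
    # REDIRECT maps locally generated packets to 127.0.0.1, so the service must listen there.
    if not listener_addrs(ss_output, to_port) & {"127.0.0.1", "0.0.0.0", "*", "[::]"}:
        return "no_listener"
    return "ok"
```

With the sample above the verdict is "no_listener": the rule matches, but the service on 5222 is bound only to the NIC address, so the rewritten connection to 127.0.0.1:5222 has nothing to reach.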