How can I forward ports with IPtables? I want to forward 80 to 8080

abefroman · 05-22-2008, 10:28 PM

How can I forward ports with IPtables? I want to forward all requests on 205.xx.xx.xx port 80 to port 8080 on the same IP.

dkm999 · 05-22-2008, 11:28 PM

I have just been answering this question for another guy on this site. I recommend that you search these forums for "port forward". If you still have trouble after trying the things already posted about this FAQ, post again.

nacio · 05-23-2008, 03:40 AM

Maybe dkm999 is talking about this thread:
http://www.linuxquestions.org/questi...arding-643539/

So the solution would be:

Code:

iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to yyy.yyy.yyy.yyy:80

abefroman, don't waste your time trying that. It only works if you have an intermediate node on your network (like the author of that thread), but you said you're trying to do it on the same IP so your case is different. (My case is the same as yours and it didn't work). From the iptables man page:

Quote:

DNAT

This target is only valid in the nat table, in the PREROUTING and OUTPUT chains

So your packets won't be handled by this iptables rule.

However, some magic may be applied to the above solution: make your box behave as both a router and a server:

Code:

iptables -A INPUT -p tcp --dport 80 -j ROUTE --gw 127.0.0.1

WARNING: I haven't tested the ROUTE target. It's usually not supported.

A user space solution is this:

Code:

simpleproxy -d -L 80 -R localhost:8080

But, like me, you may think that having a daemon is less secure than a packet filter.

To anyone else willing to say "search the forum", please take into account that generic search terms like "port forward" will produce THOUSANDS of irrelevant results. I believe abefroman did search before posting, just like I did. Google and the forum search engine haven't helped us more than the man pages.

abefroman · 05-23-2008, 10:05 AM

Quote:

Originally Posted by nacio

Maybe dkm999 is talking about this thread:
http://www.linuxquestions.org/questi...arding-643539/

So the solution would be:

Code:

iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to yyy.yyy.yyy.yyy:80

abefroman, don't waste your time trying that. It only works if you have an intermediate node on your network (like the author of that thread), but you said you're trying to do it on the same IP so your case is different. (My case is the same as yours and it didn't work). From the iptables man page:

So your packets won't be handled by this iptables rule.

However, some magic may be applied to the above solution: make your box behave as both a router and a server:

Code:

iptables -A INPUT -p tcp --dport 80 -j ROUTE --gw 127.0.0.1

WARNING: I haven't tested the ROUTE target. It's usually not supported.

A user space solution is this:

Code:

simpleproxy -d -L 80 -R localhost:8080

But, like me, you may think that having a daemon is less secure than a packet filter.

To anyone else willing to say "search the forum", please take into account that generic search terms like "port forward" will produce THOUSANDS of irrelevant results. I believe abefroman did search before posting, just like I did. Google and the forum search engine haven't helped us more than the man pages.

Thanks!

The first command was basically what I needed, I am just forwarding apache requests to the tomcat server:
iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to xxx.xxx.xxx.xxx:8080

I tried it with an apache proxy before but people were exploiting it.