Hi - I have several questions relating to iptables.
First, I am running an SMB/CIFS share on my linux box as a non-privileged/non-root user. Since SMB uses privileged ports (137-139, 445), I've used the following iptables rules to forward traffic to non-privileged ports on which the CIFS servers listens on:
iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
iptables -t nat -A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
iptables -t nat -A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
iptables -t nat -A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138
Every other machine can mount the share, except
for the server that is running the CIFS share! When I mount the share on the same host (with the same command that works for the other machines), I have to specify to connect on port 1445. Why? Shouldn't iptables automatically handle it? What is so different from the traffic originating on the same server, that it ends up skipping the iptables rules?
Here's the mount command I use:
mount.cifs //serverA/cifsshare /mnt/cifshare/ -o username=user,password=pass,port=1445
I've tried adding OUTPUT rules, but that ended up breaking everything. I want to be able to mount it on the same server without specifying the "port=1445" option.
My second question is this: Why does the port forwarding (e.g. from port 445 to 1445) use the nat table? Why can't it use the filter table? The port forwarding isn't doing any NAT'ing, since the source and destination ip stay the same.
EDIT: Just found the answer to this second question: The --to-ports option is only for the REDIRECT target, and that target is only available for the nat table. Therefore I can't use filter to redirect ports.
Thanks for your time and patience, in advance.