iptables question

schnappi · 01-15-2018, 12:28 PM

Hello,

Running below (with "x" changed to the wanted ports) works fine.

Code:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport X -j REDIRECT --to-port X

However if put:

Code:

-t nat -A PREROUTING -i eth0 -p tcp --dport X -j REDIRECT --to-port X

into iptables-persistent rules.v4 file (/etc/iptables/rules.v4 on Debian) the command fails with an error pointing to the line where the above code is. How can one make the above command persistent with the iptables-persistent package?

michaelk · 01-15-2018, 02:27 PM

The correct syntax for the posted rule is:

Code:

-A PREROUTING -i eth0 -p tcp -m tcp --dport X -j REDIRECT --to-ports Y

Instead of editing the file directly I would use the iptables-save utility. It parses the tables that creates the iptables-persistent rules.v4 file which is then read by the iptables-restore utility.

schnappi · 01-15-2018, 06:48 PM

Thanks. Still get a "line X failed" message after adding below to rules.v4 (with ports filled in).

Code:

-A PREROUTING -i eth0 -p tcp -m tcp --dport X -j REDIRECT --to-ports Y

Adding current iptables rules is a no go because it will add fail2ban rules into rules.v4 and always forget to stop fail2ban prior to doing. Also it is not relevant anyways because adding current iptables rules will not add prerouting rules (iptables -S will not show prerouting rules either). Only can see prerouting rules with;

Code:

iptables -t nat -L -n -v

Am starting to think that original syntax (as well as @michaelk) suggestion are both correct but that iptables prerouting rules need to be added somewhere besides rules.v4. Thoughts?

On another somewhat separate note will the below limit both UDP and TCP packets (basically if -p tcp or -p UDP is not specified will a rule default to applying to both TCP and UDP)?

Code:

iptables -A OUTPUT -m limit --limit 100/s -j ACCEPT