On Wednesday 04 January 2006 10:59, Dominik Klein wrote: > my linux router is supposed to forward https requests to the http port > on my webserver. > Is this possible with iptables? Certainly. > I thought that these lines should do (there is more in my iptables > script, but I think this is the interesting part): > --snip-- > $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d $routerip --dport 443 > -j DNAT --to-destination $webserverip:80 This is OK > $IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp -d $webserverip --dport 80 > -j ACCEPT This is also OK. > $IPTABLES -A INPUT -i eth0 -p tcp -d $routerip --dport 443 -j ACCEPT This doesn't matter, because no packet to port 443 will ever come to your router's INPUT table when the DNAT above is set up. > But apparently, clients still get forwarded to https, and as there is no > https, they run into a timeout. The only thing I think could be wrong is the order of rules in a PREROUTING or FORWARD chain. If you match packets by another, earlier rule and decide their fate there, they will never reach your DNAT or FORWARD rules. Try iptables -L -vnx -t nat iptables -L -vnx to see how many packets match your DNAT and FORWARD rules when you try to telnet to router's port 443 from the eth0 interface. If there are none, you are likely matching them before... -- Jure Koren, n.i.
Attachment:
pgp4kwUJy5Lc4.pgp
Description: PGP signature