jonathan_hughes wrote regarding 'Re: [SLE] iptables driving me mental - New question' on Thu, Aug 26 at 01:46:
Hi guys,
excuse my noob query - but can you advise me here. For what reason does one want to forward packets from one port to another port? Also, does the other port have to be on another IP address or does it not matter? Is all this for IP spoofing or security? Please advise. I have pretty sound IP/Network/Server experience so let it rip if required.
Thanks in advance..
They can be on the same IP. Say, for example, you're finally migrating from Apache 1.3 to 2.0. You set up the 2.0 server to listen on port 8080 and test it. All seems to be going well. To finally test, you set iptables to redirect incoming requests on port 80 to port 8080 on the same IP. If no one calls tech support to complain, then you just change the listen directive, shut down the old one, and apachectl restart. If someone does call to complain, you just drop the iptables rule and say "it's working fine for me. Are you *sure*? Try it again". Your users slowly go insane, that way, and you have a chance to fix the problem without having to keep switching which server version is running.

Perhaps you want to migrate some services from one machine to a new one. After you move your CVS files to the new CVS server, you start up the new server and forward port 2401 to the new machine. That way, people can still use "devel" as the hostname, even though the service is actually running on "devel-temp". After you move the development web server and the MySQL server over to "devel-temp", you just change the DNS entry for "devel", wait for DNS to propagate, and take the old "devel" machine offline without anyone ever noticing that they migrated to a new machine.

Or you add a LOG rule to "devel" and watch the system logs for a few weeks. Every time something connects to "devel", you go to that machine and update the configuration to point to "devel-temp". After a few weeks, nothing is connecting through the old hostname and you get rid of the rules, knowing that all hosts are migrated to the new machine now. Etc, etc. :)

--Danny, wondering where the "tire discount for SuSE-e members" is located ;)
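The three setups Danny describes, as an added example (not code from the thread): same-host redirect of port 80 to 8080, DNAT of CVS pserver 2401 to another machine, and a LOG rule for finding stragglers. Interface name, the devel-temp address and the rate limit are assumed placeholders; the script prints the rules by default so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not code from the original thread. It scripts the three
# iptables setups Danny describes; DRY_RUN=1 (the default) prints each rule
# instead of applying it, so the rule set can be reviewed before it touches
# a live firewall. Addresses and interface names are constructed placeholders.
DRY_RUN="${DRY_RUN:-1}"
IFACE=eth0             # assumed: interface clients reach the old "devel" on
NEW_HOST=192.0.2.20    # assumed address of "devel-temp" (documentation range)

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Case 1: new Apache on 8080 answering the old port 80 on the same host.
# REDIRECT in nat/PREROUTING rewrites the destination port before routing;
# no forwarding is involved. Pass -A to add the rule, -D to drop it again.
redirect_local() {
    run iptables -t nat "$1" PREROUTING -i "$IFACE" -p tcp --dport 80 \
        -j REDIRECT --to-ports 8080
}

# Case 2: CVS pserver (tcp/2401) moved to devel-temp while clients still
# connect to "devel". DNAT rewrites the destination, the kernel must be
# allowed to forward, and FORWARD must accept both directions. MASQUERADE
# makes devel-temp reply through this box; without it the replies leave
# from devel-temp's own address and the client resets the connection.
forward_to_new_host() {
    if [ "$1" = "-A" ]; then run sysctl -w net.ipv4.ip_forward=1; fi
    run iptables -t nat "$1" PREROUTING -i "$IFACE" -p tcp --dport 2401 \
        -j DNAT --to-destination "$NEW_HOST:2401"
    run iptables "$1" FORWARD -p tcp -d "$NEW_HOST" --dport 2401 \
        -m conntrack --ctstate NEW -j ACCEPT
    run iptables "$1" FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat "$1" POSTROUTING -p tcp -d "$NEW_HOST" --dport 2401 \
        -j MASQUERADE
}

# Case 3: log who still uses the old hostname. Match only new connections
# and rate-limit the LOG target so one busy client cannot flood syslog;
# later, grep the prefix out of the system log to find stragglers.
log_legacy_clients() {
    run iptables "$1" INPUT -i "$IFACE" -p tcp --dport 2401 -m conntrack \
        --ctstate NEW -m limit --limit 10/min -j LOG --log-prefix DEVEL-LEGACY:
}

# Preview everything; run again with DRY_RUN=0 as root to apply for real.
redirect_local -A; forward_to_new_host -A; log_legacy_clients -A
```

Passing -D to each function emits the matching delete commands, which is the "just drop the iptables rule" step from the post.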