On Wednesday 04 January 2006 10:59, Dominik Klein wrote:
> My Linux router is supposed to forward https requests to the http port on my webserver. Is this possible with iptables?
Certainly.
> I thought that these lines should do (there is more in my iptables script, but I think this is the interesting part):
> --snip--
> $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d $routerip --dport 443 -j DNAT --to-destination $webserverip:80
This is OK
> $IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp -d $webserverip --dport 80 -j ACCEPT
This is also OK.
> $IPTABLES -A INPUT -i eth0 -p tcp -d $routerip --dport 443 -j ACCEPT
This doesn't matter, because no packet to port 443 will ever come to your router's INPUT table when the DNAT above is set up.
> But apparently, clients still get forwarded to https, and as there is no https, they run into a timeout.
The only thing I think could be wrong is the order of rules in a PREROUTING or FORWARD chain. If you match packets by another, earlier rule and decide their fate there, they will never reach your DNAT or FORWARD rules. Try

iptables -L -vnx -t nat
iptables -L -vnx

to see how many packets match your DNAT and FORWARD rules when you try to telnet to the router's port 443 from the eth0 interface. If there are none, you are likely matching them before...

-- 
Jure Koren, n.i.
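To make the first-match point of the reply concrete, here is a small Python model of the two chains involved (nat/PREROUTING, then the routing decision, then filter/FORWARD) with per-rule packet counters like the pkts column of `iptables -L -vnx`. This is an added illustration, not code from the thread or from iptables itself; the addresses, the rule names, the DROP policy on FORWARD and the "early accept" rule used to reproduce the failure are all constructed for the example, and the model ignores the `-o eth1` match and connection tracking.

```python
"""Toy model of netfilter first-match traversal for the DNAT-ordering question above."""
from dataclasses import dataclass, replace
from typing import Optional

ROUTER_IP = "203.0.113.1"    # constructed stand-in for $routerip
WEBSERVER_IP = "192.0.2.10"  # constructed stand-in for $webserverip


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst: str
    dport: int


@dataclass
class Rule:
    """One iptables rule: match fields (None = wildcard), a target and a packet counter."""
    name: str
    target: str                      # ACCEPT, DROP or DNAT
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    to_dest: Optional[tuple] = None  # (ip, port) for DNAT --to-destination
    packets: int = 0

    def matches(self, pkt: Packet) -> bool:
        checks = ((self.in_iface, pkt.in_iface), (self.proto, pkt.proto),
                  (self.dst, pkt.dst), (self.dport, pkt.dport))
        return all(want is None or want == have for want, have in checks)


def run_chain(rules, pkt, policy="ACCEPT"):
    """First-match semantics: the first matching rule counts the packet and decides.
    DNAT rewrites the destination and, like ACCEPT in the nat table, ends NAT processing."""
    for rule in rules:
        if rule.matches(pkt):
            rule.packets += 1
            if rule.target == "DNAT":
                ip, port = rule.to_dest
                return "ACCEPT", replace(pkt, dst=ip, dport=port)
            return rule.target, pkt
    return policy, pkt


def traverse(pkt, nat_prerouting, filter_forward):
    """nat/PREROUTING, then the routing decision: a packet still addressed to the router
    is delivered locally (filter/INPUT), anything else goes through filter/FORWARD."""
    verdict, pkt = run_chain(nat_prerouting, pkt)
    if verdict != "ACCEPT":
        return verdict, pkt
    if pkt.dst == ROUTER_IP:
        return "INPUT", pkt
    return run_chain(filter_forward, pkt, policy="DROP")  # constructed policy


def counters(rules):
    """The pkts column of `iptables -L -vnx`, as a dict keyed by rule name."""
    return {r.name: r.packets for r in rules}


def build_rules(extra_prerouting=()):
    """The DNAT and FORWARD rules from the thread; extra_prerouting is placed before them."""
    dnat = Rule("dnat_443_to_80", "DNAT", in_iface="eth0", proto="tcp", dst=ROUTER_IP,
                dport=443, to_dest=(WEBSERVER_IP, 80))
    fwd = Rule("forward_to_web_80", "ACCEPT", in_iface="eth0", proto="tcp",
               dst=WEBSERVER_IP, dport=80)
    return list(extra_prerouting) + [dnat], [fwd]


def https_to_router():
    return Packet(in_iface="eth0", proto="tcp", dst=ROUTER_IP, dport=443)


def working_setup():
    """DNAT rule is reached: destination rewritten to webserver:80, both counters at 1."""
    nat, fwd = build_rules()
    verdict, pkt = traverse(https_to_router(), nat, fwd)
    return verdict, pkt.dst, pkt.dport, counters(nat), counters(fwd)


def shadowed_setup():
    """Constructed mistake: an earlier nat/PREROUTING rule accepts router-bound traffic, so
    the DNAT rule is never consulted (counter stays 0) and the packet goes to local port 443."""
    early = Rule("early_accept_router", "ACCEPT", in_iface="eth0", dst=ROUTER_IP)
    nat, fwd = build_rules(extra_prerouting=[early])
    verdict, pkt = traverse(https_to_router(), nat, fwd)
    return verdict, pkt.dst, pkt.dport, counters(nat), counters(fwd)


if __name__ == "__main__":
    print("working :", working_setup())
    print("shadowed:", shadowed_setup())
```

The shadowed case is exactly what the reply suggests checking for: the DNAT counter reads 0 while an earlier rule's counter climbs, and the packet ends up in INPUT for port 443 where nothing answers, which is the timeout the original poster saw.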