[Firehol-support] Port forwarding using dnat and traffic from localhost

Phil Whineray phil at sanewall.org
Wed Jun 4 07:32:45 BST 2014

Hi Silvio

On Wed, Jun 04, 2014 at 02:18:43AM +0200, Silvio Bierman wrote:
> I use firehol to forward all HTTP(S) traffic from ports 80/443 to
> 8080/8443 on the same machine. I use config lines like
> dnat to xxx.xxx.xxx.xxx:8080 proto tcp dport 80
> dnat to xxx.xxx.xxx.xxx:8443 proto tcp dport 443
> to achieve this where xxx.xxx.xxx.xxx is the IP address of the box
> itself. This means that firehol is running on the same host as the
> webserver.
> Now my problem is that when the webserver does a HTTP request to
> itself (for example by following a URL relative to that of an
> incoming request) the request targets port 80 but does not get
> forwarded to 8080 because it comes from the local machine. This
> forces me to do extra URL manipulation to explicitly target port
> 8080.

> How can I get around this and have all traffic forwarded?

The firehol dnat helper won't do this. It doesn't set up rules on the
OUTPUT chain in the NAT table, which is what I think you need here, but
is not something a firewall would normally be called on to do.

You can use the iptables helper to add extra rules after the dnat helpers
to do what you want. This does what you describe, where $ip should be
replaced with xxx.xxx.xxx.xxx from your example:

 # Redirect $ip:80 to port 8080, when generated on local machine
 iptables -t nat -A OUTPUT -d $ip -p tcp --dport 80 -j REDIRECT --to-port 8080

Add this too, if you want http://localhost:80/ to also redirect:

 # Redirect port 80 to port 8080, when using loopback interface
 iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080

Hope that helps,

More information about the Firehol-support mailing list