[Firehol-support] Port forwarding using dnat and traffic from localhost

Silvio Bierman sbierman at jambo-software.com
Wed Jun 4 07:57:57 BST 2014


On 06/04/2014 08:32 AM, Phil Whineray wrote:
> Hi Silvio
>
> On Wed, Jun 04, 2014 at 02:18:43AM +0200, Silvio Bierman wrote:
>> I use firehol to forward all HTTP(S) traffic from ports 80/443 to
>> 8080/8443 on the same machine. I use config lines like
>>
>> dnat to xxx.xxx.xxx.xxx:8080 proto tcp dport 80
>> dnat to xxx.xxx.xxx.xxx:8443 proto tcp dport 443
>>
>> to achieve this where xxx.xxx.xxx.xxx is the IP address of the box
>> itself. This means that firehol is running on the same host as the
>> webserver.
>>
>> Now my problem is that when the webserver does a HTTP request to
>> itself (for example by following a URL relative to that of an
>> incoming request) the request targets port 80 but does not get
>> forwarded to 8080 because it comes from the local machine. This
>> forces me to do extra URL manipulation to explicitly target port
>> 8080.
>> How can I get around this and have all traffic forwarded?
> The firehol dnat helper won't do this. It doesn't set up rules on the
> OUTPUT chain in the NAT table, which is what I think you need here, but
> is not something a firewall would normally be called on to do.
>
> You can use the iptables helper to add extra rules after the dnat helpers
> to do what you want. This does what you describe, where $ip should be
> replaced with xxx.xxx.xxx.xxx from your example:
>
>   # Redirect $ip:80 to port 8080, when generated on local machine
>   iptables -t nat -A OUTPUT -d $ip -p tcp --dport 80 -j REDIRECT --to-port 8080
>
> Add this too, if you want http://localhost:80/ to also redirect:
>
>   # Redirect port 80 to port 8080, when using loopback interface
>   iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 8080
>
> Hope that helps,
> Phil

Thank you Phil,

This works great, thank you.

I have entered these commands manually logged in as root. Is this 
something I could do from the firehol.conf line? If so, would these 
redirects also be removed from iptables if I stop the firehol service?

Thanks again.

Cheers,

Silvio
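
Added example (not part of the original messages and not FireHOL's own code): a small shell model of why the extra OUTPUT rules in the quoted reply are needed. It evaluates a constructed nat table in iptables-save format, where 192.0.2.10 stands in for the box's own address and the PREROUTING DNAT line is an assumed stand-in for what the dnat helper installs; remote connections are checked against PREROUTING and locally generated ones against OUTPUT.

```shell
#!/bin/sh
# Constructed rulesets (iptables-save format). 192.0.2.10 is a placeholder IP.
# RULES_BEFORE: only the forward for incoming traffic (assumed PREROUTING DNAT).
RULES_BEFORE='*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:8080
COMMIT'
# RULES_AFTER: the same, plus the two OUTPUT redirects from the quoted reply.
RULES_AFTER='*nat
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.10:8080
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -o lo -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# nat_port RULES ORIGIN DST OUT_IF DPORT
# ORIGIN is "local" (connection created on this host) or "remote".
# Prints the TCP port the connection ends up on after the nat table.
nat_port() {
  chain=PREROUTING
  # Locally generated packets never pass PREROUTING; they hit nat OUTPUT.
  [ "$2" = local ] && chain=OUTPUT
  printf '%s\n' "$1" | awk -v chain="$chain" -v dst="$3" -v oif="$4" -v dport="$5" '
    $1 == "-A" && $2 == chain {
      ok = 1; target = ""; newport = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-d") { split($(i+1), a, "/"); if (a[1] != dst) ok = 0 }
        if ($i == "-o" && $(i+1) != oif) ok = 0
        if ($i == "--dport" && $(i+1) != dport) ok = 0
        if ($i == "-j") target = $(i+1)
        if ($i == "--to-ports") newport = $(i+1)
        if ($i == "--to-destination") { n = split($(i+1), b, ":"); newport = b[n] }
      }
      # First matching REDIRECT/DNAT rule wins, as in a real chain.
      if (ok && (target == "REDIRECT" || target == "DNAT")) {
        print newport; found = 1; exit
      }
    }
    END { if (!found) print dport }   # no rule matched: port unchanged
  '
}

echo "remote -> :80, before:          $(nat_port "$RULES_BEFORE" remote 192.0.2.10 eth0 80)"
echo "local  -> 192.0.2.10:80, before: $(nat_port "$RULES_BEFORE" local 192.0.2.10 lo 80)"
echo "local  -> 192.0.2.10:80, after:  $(nat_port "$RULES_AFTER" local 192.0.2.10 lo 80)"
echo "local  -> 127.0.0.1:80, after:   $(nat_port "$RULES_AFTER" local 127.0.0.1 lo 80)"
```

On a live host the same check can be done by inspecting the nat table's OUTPUT chain after each firewall restart, since rules entered by hand are not part of the saved configuration.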
