iptables confusion.
Joshua Judson Rosen
rozzin at hackerposse.com
Mon Feb 15 17:40:10 EST 2016
On 02/15/2016 04:37 PM, Ken D'Ambrosio wrote:
> Every time I think I'm getting to the point where I might understand IP
> Tables, I do something that proves that, no, I really don't. Today's
> confusion: I want to set up a virtual NIC to do port forwarding. But
> first, I wanted to get the port forward part of the equation straight.
> So I wound up executing these commands:
>
> iptables -t nat -A PREROUTING -p tcp --dport 8774 -j DNAT --to 172.23.242.39:8774
> iptables -A FORWARD -d 172.23.242.39 -p tcp --dport 8774 -j ACCEPT
> iptables -t nat -A POSTROUTING -j MASQUERADE
>
> Worked great. I then did an "ifconfig eth0:1 172.23.9.139 netmask
> 255.255.255.0" to see if I could telnet to port 8774 on it. I could.
> So then I did "iptables --flush", and it did. When I type "iptables
> --list", I now get:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Terrific. Pretty much what I expected. Telnetting to port 8774 on eth0
> fails, as expected... but telnetting to port 8774 on the virtual works
> great. I even fired up Firefox to make sure, and youbetchya, it's
> interacting with the remote server.
Because you only flushed the "filter" table, which is the default table
if you don't specify another one (e.g.: "-t nat", like you did when
adding the rules to that "nat" table).
"iptables -t nat --list" should show you that your DNAT and MASQUERADE
rules are still in there.
If you want to flush the "nat" table, you need to do:
iptables -t nat --flush
(the man page says that "iptables --flush" flushes the chains in "the table")
--
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
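The verification step the reply implies, as an added example that is not from the original thread: a small Python parser for `iptables-save` output that reports which tables still hold rules after a flush, so a bare `iptables --flush` leaving the nat table untouched is caught instead of discovered by a telnet that unexpectedly still works. The sample output is constructed to mirror Ken's ruleset, and the function names are my own.

```python
from collections import defaultdict

# Constructed sample of iptables-save output after a bare `iptables --flush`:
# the filter table is empty but the nat table still holds both rules.
SAMPLE_AFTER_FLUSH = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8774 -j DNAT --to-destination 172.23.242.39:8774
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def parse_iptables_save(text):
    """Map each table in iptables-save output to its list of '-A' rules."""
    tables = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):           # "*nat" starts a new table
            current = line[1:]
            tables[current]                # register it even if it has no rules
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)   # ":CHAIN" and "COMMIT" carry no rules
    return dict(tables)

def leftover_rules(text):
    """Tables that still contain rules; an empty dict means every table is clean."""
    return {t: r for t, r in parse_iptables_save(text).items() if r}

def nat_targets(text):
    """Jump targets (DNAT, MASQUERADE, ...) still present in the nat table."""
    targets = set()
    for rule in parse_iptables_save(text).get("nat", []):
        tokens = rule.split()
        if "-j" in tokens:
            targets.add(tokens[tokens.index("-j") + 1])
    return targets
```

To check a real host, feed `leftover_rules()` the output of `iptables-save` run as root; it walks every table the kernel reports, not just filter.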