iptables confusion.
    Joshua Judson Rosen 
    rozzin at hackerposse.com
    Mon Feb 15 17:40:10 EST 2016

On 02/15/2016 04:37 PM, Ken D'Ambrosio wrote:
> Every time I think I'm getting to the point where I might understand IP 
> Tables, I do something that proves that, no, I really don't.  Today's 
> confusion:  I want to set up a virtual NIC to do port forwarding.  But 
> first, I wanted to get the port forward part of the equation straight.  
> So I wound up executing these commands:
> 
> iptables -t nat -A PREROUTING -p tcp --dport 8774 -j DNAT --to 172.23.242.39:8774
> iptables -A FORWARD -d 172.23.242.39 -p tcp --dport 8774 -j ACCEPT
> iptables -t nat -A POSTROUTING -j MASQUERADE
> 
> Worked great.  I then did an "ifconfig eth0:1 172.23.9.139 netmask 
> 255.255.255.0" to see if I could telnet to port 8774 on it.  I could.  
> So then I did "iptables --flush", and it did.  When I type "iptables 
> --list", I now get:
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Terrific.  Pretty much what I expected.  Telnetting to port 8774 on eth0 
> fails, as expected... but telnetting to port 8774 on the virtual works 
> great.  I even fired up Firefox to make sure, and youbetchya, it's 
> interacting with the remote server.
Because you only flushed the "filter" table, which is the default table
if you don't specify another one (e.g.: "-t nat", like you did when
adding the rules to that "nat" table).

"iptables -t nat --list" should show you that your DNAT and MASQUERADE
rules are still in there.

If you want to flush the "nat" table, you need to do:

	iptables -t nat --flush

(the man page says that "iptables --flush" flushes the chains in "the table")
-- 
"Don't be afraid to ask (λf.((λx.xx) (λr.f(rr))))."
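The point Joshua makes above, that "iptables --flush" touches only the filter table and every other table (nat, mangle, raw, security) keeps its rules, is easy to check without remembering which "-t" you used earlier: `iptables-save` prints every table, so a small audit over its output shows which tables still carry rules, and the same dump tells you which tables to flush. The script below is an added example written for this page, not code from the original thread; it runs offline on a constructed `iptables-save` dump that mimics the state Ken describes (filter empty, nat still holding the DNAT and MASQUERADE rules). The function names `rules_per_table` and `flush_commands` are this example's own. It also emits `-X` (delete user chains) and `-Z` (zero counters) alongside `-F`, which the thread does not discuss but which a complete reset of a table needs.

```shell
#!/bin/sh
# Added example (not from the original thread): audit which iptables tables
# still carry rules, using iptables-save output, and generate the per-table
# flush commands. Runs offline on the constructed dump below.

# Constructed sample of what `iptables-save` prints after a bare
# `iptables --flush`: the filter table is empty, the nat table still has the
# DNAT and MASQUERADE rules (iptables-save prints --to-destination in full).
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8774 -j DNAT --to-destination 172.23.242.39:8774
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed'

# rules_per_table: read an iptables-save dump on stdin and print
# "<table> <rule count>" for every table that still has at least one -A rule.
# A table header line is "*<name>"; each rule line starts with "-A ".
rules_per_table() {
    awk '
        /^\*/  { table = substr($0, 2); count[table] += 0 }
        /^-A / { count[table]++ }
        END {
            for (t in count) if (count[t] > 0) printf "%s %d\n", t, count[t]
        }
    ' | sort
}

# flush_commands: read the same dump and print, one line per table seen, the
# iptables invocations that actually empty that table: -F flushes the rules,
# -X deletes user-defined chains, -Z zeroes the counters.
flush_commands() {
    awk '/^\*/ { print substr($0, 2) }' | sort | while read -r t; do
        printf 'iptables -t %s -F; iptables -t %s -X; iptables -t %s -Z\n' "$t" "$t" "$t"
    done
}

# Live use on a real box (needs root):
#   iptables-save | rules_per_table
#   iptables-save | flush_commands | sh
# /proc/net/ip_tables_names lists the tables currently loaded, if you would
# rather loop over that than parse a dump.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_DUMP" | rules_per_table
    printf '%s\n' "$SAMPLE_DUMP" | flush_commands
fi
```

On the sample dump `rules_per_table` reports only `nat 2`: the filter table is listed in the dump but has no rules, which is exactly the situation in the original question, and is why `iptables --list` looked clean while the port forward kept working.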