Wednesday, October 20, 2010

Help getting iptables REDIRECT to work

Although no strictly a 'firewall' question, I expect the experts on
iptables are on this list.

I have Debian lenny.
$ uname -r
2.6.32.21-m64-mb1

I'm trying to get the following iptables command to work (response shown
on lines 2 & 3):

$ sudo iptables -v -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT
--to-port 8080
REDIRECT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 tcp dpt:80 redir
ports 8080
iptables: No chain/target/match by that name

The system config checks I have run are:
$ cat /proc/sys/net/ipv4/ip_forward
1


$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

$ /sbin/lsmod
Module Size Used by
xt_tcpudp 2431 0
iptable_nat 4110 0
nf_nat 13465 1 iptable_nat
iptable_filter 1410 0
ip_tables 14618 2 iptable_nat,iptable_filter
x_tables 13916 3 xt_tcpudp,iptable_nat,ip_tables
ipv6 254105 16
nls_iso8859_15 4734 1
nls_cp850 4985 1


It looks as though I am missing a kernel module - one that would supply
the PREROUTING and REDIRECT chain targets. Is that what's wrong?

On a Ubuntu system the above command works OK.

On executing /sbin/lsmod on the Ubuntu system a module 'ipt_REDIRECT' is
listed - which would seem to be what I need on the Debian system.

I've looked in /lib/modules/2.6.32.21-m64-mb1/kernel/net/ ipv4/netfilter

It contains the following filters:
arptable_filter.ko
arpt_mangle.ko
iptable_filter.ko
iptable_nat.ko
ip_tables.ko
ipt_ah.ko
ipt_ECN.ko
ipt_MASQUERADE.ko
ipt_ULOG.ko
nf_nat.ko
arp_tables.ko
ip_queue.ko
iptable_mangle.ko
iptable_raw.ko
ipt_addrtype.ko
ipt_ecn.ko
ipt_LOG.ko
ipt_REJECT.ko
nf_nat_ftp.ko
nf_nat_sip.ko

Looks like there are several there related to ip tables, but not
(obviously) the one I need!

Can anyone tell me how to get REDIRECT working, or suggest further
diagnostics?


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/1287621193.1312.463.camel@nangpa

at

No comments:

Post a Comment