iptables redirect with a caveat

Amit Nepal amit at amitnepal.com
Sun Sep 17 21:46:05 MST 2017


I have not tested this, but you can probably use a mark to accomplish this: 
mark any request coming directly to port 7778, drop anything with the mark 
set, and then redirect requests on port 80 to 7778.

# mangle PREROUTING runs before the nat REDIRECT, so only packets sent
# directly to 7778 get the mark; redirected packets still have dport 80 here.
iptables -t mangle -A PREROUTING -p tcp --dport 7778 -j MARK --set-mark 1
# Must sit before the existing "--dport 7778 -j ACCEPT" rule, hence -I.
iptables -I INPUT -m mark --mark 1 -j DROP
# REDIRECT is only valid in the nat table.
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 7778

Thank You

Amit K Nepal
(CISM, CISSP, RHCE, CCENT, C|EH, C|HFI, GIAC ISO 27000 Specialist)

On 9/17/2017 8:58 PM, Daniel Stasinski wrote:
> Right after I posted, I figured out a solution.
>
> I just added a redirect from 7778 to 80.  Since 80 is not active, it 
> drops it.
>
> -A PREROUTING -p tcp -m tcp --dport 7778 -j REDIRECT --to-ports 80
>
> Daniel P. Stasinski
> daniel at GenericInbox.com
> I 💛✞
>
> On Sun, Sep 17, 2017 at 8:24 PM, Daniel Stasinski 
> <daniel at genericinbox.com> wrote:
>
>
>     On my server, I am redirecting incoming port 80 to port 7778 via
>     iptables, but I'm unsure how to block connects directly to port
>     7778 from the outside.  I've hit a brick wall in my understanding
>     of pre and post routing.
>
>     I could use a little wisdom here.  Thanks. :)
>
>     #/etc/sysconfig/iptables
>     *nat
>     :PREROUTING ACCEPT [15:1051]
>     :POSTROUTING ACCEPT [63:4394]
>     :OUTPUT ACCEPT [63:4394]
>     -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 7778
>     COMMIT
>     *filter
>     :INPUT ACCEPT [0:0]
>     :FORWARD ACCEPT [0:0]
>     :OUTPUT ACCEPT [1661:376223]
>     -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     -A INPUT -p icmp -j ACCEPT
>     -A INPUT -i lo -j ACCEPT
>     -A INPUT -p tcp -m state --state NEW -m tcp --dport 7778 -j ACCEPT
>     -A INPUT -j REJECT --reject-with icmp-host-prohibited
>     -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>     COMMIT
>
>     Daniel P. Stasinski
>     daniel at GenericInbox.com
>     I 💛✞
>
>
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
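
The approach below is an added example, not code from either poster. It keeps the original REDIRECT and instead makes the filter INPUT accept for :7778 conditional on conntrack's record of the connection's original destination port. The reason --dport alone cannot separate the two cases is hook order: for an inbound packet the kernel runs mangle PREROUTING, then nat PREROUTING (where REDIRECT rewrites 80 to 7778), then the routing decision, then filter INPUT, so by the time INPUT sees the packet both a redirected :80 connection and a direct :7778 connection carry --dport 7778. Conntrack still holds the pre-NAT tuple, and the conntrack match's --ctorigdstport option tests it. The file path /etc/sysconfig/iptables and the probe function's use of nc are assumptions taken from the original post's distribution layout.

```shell
#!/bin/sh
# Added example (not from the thread): render, syntax-check, install and
# probe an iptables ruleset that redirects :80 -> :7778 and accepts :7778
# only for connections that were originally addressed to :80.

render_ruleset() {
  # Output is iptables-save format, suitable for iptables-restore and for
  # /etc/sysconfig/iptables (assumed path, as in the original post).
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 7778
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Weak form from the original post: also accepts direct connections to :7778.
# -A INPUT -p tcp -m state --state NEW -m tcp --dport 7778 -j ACCEPT
# Hardened form: same packet, but only if conntrack's original destination
# port (the one the client actually dialed, before REDIRECT) was 80.
-A INPUT -p tcp -m tcp --dport 7778 -m conntrack --ctstate NEW --ctorigdstport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Parse the ruleset with iptables-restore --test before committing it, then
# persist it so the iptables service reloads it at boot. Needs root.
install_ruleset() {
  tmp=$(mktemp) || return 1
  render_ruleset > "$tmp"
  if ! iptables-restore --test < "$tmp"; then
    echo "ruleset failed to parse; nothing applied" >&2
    rm -f "$tmp"
    return 1
  fi
  iptables-restore < "$tmp" && cp "$tmp" /etc/sysconfig/iptables
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Run from a different host: :80 must connect (it lands on the :7778
# listener), :7778 must be refused (the REJECT answers with ICMP
# host-prohibited, which nc reports as "No route to host").
probe() {
  host=$1
  if nc -z -w 3 "$host" 80; then
    echo "80: open (redirected to 7778)"
  else
    echo "80: closed; is the REDIRECT rule loaded?"
  fi
  if nc -z -w 3 "$host" 7778; then
    echo "7778: OPEN, direct access is NOT blocked"
    return 1
  fi
  echo "7778: blocked as intended"
}
```

Local clients are unaffected: anything from the box itself arrives on lo and is accepted by the `-i lo` rule before the port check. If the service must also be reachable on :7778 from specific trusted networks, add a `-s` rule for those sources ahead of the conntrack rule rather than widening the conntrack rule.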
