6

I'd like to do an iptables REDIRECT rule in the NAT PREROUTING chain, to redirect connections to port 80 to go to 8080. But I'd like to only do it for input packets (destined for this machine), not forwarded packets (destined for e.g. the Internet).

Is there a way, in rules in the PREROUTING chain, to distinguish packets that are destined for this machine, versus packets that are being forwarded, and handle them differently?

It would be ideal to do this in a way that doesn't require specific interfaces or IP addresses to be enumerated in the rules, because this is less flexible (e.g. if interfaces or IP addresses change, it's more complicated to then need to update iptables rules).

I would also be interested in an equivalent functionality using nftables.

2 Answers

4

I think you're doomed to having to manually list all your "local" IP addresses. Based on my reading of this netfilter packet flow diagram, there's no differentiation of input/forward packets until after all the PREROUTING chains -- which makes sense, because the chain is, after all, called PREROUTING...

womble
  • 98,245
4

I just came across the addrtype module, which seems to be able to differentiate incoming packets depending on whether the destination address is a local address or not. So this can be used to distinguish between input and forward packets.

E.g. something like:

iptables -A PREROUTING -t nat -p tcp --dport 80 -m addrtype --dst-type LOCAL -j REDIRECT --to-port 8080

For nftables, the equivalent appears to be the fib module. But I haven't tested this yet.

nft add rule ip nat prerouting tcp dport 80 fib daddr . iif type local redirect to :8080
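As an added example (not code from either answer), a small shell script that writes out the nftables ruleset the second answer sketches: the redirect guarded by `fib daddr . iif type local`, plus a counter-only rule for the non-local (forwarded) packets so the two paths can be told apart with `nft list ruleset`. The function names are my own, and `check_ruleset` assumes `nft` is installed when it runs the `nft -c -f` syntax check.

```shell
#!/bin/sh
# Added example: build an nftables ruleset that redirects port FROM -> TO
# only for packets whose destination address is local to this host, so
# forwarded packets fall through untouched. No interface names or IP
# addresses are enumerated; the fib lookup decides at runtime.

# gen_redirect_ruleset FROM_PORT TO_PORT -> prints the ruleset on stdout
gen_redirect_ruleset() {
    from_port="$1"
    to_port="$2"
    cat <<EOF
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Destined for this host: rewrite the port.
        tcp dport $from_port fib daddr . iif type local counter redirect to :$to_port
        # Forwarded (non-local destination): only count, never redirect.
        tcp dport $from_port fib daddr . iif type != local counter
    }
}
EOF
}

# count_local_redirects FILE FROM_PORT -> number of redirect rules that are
# guarded by the "type local" test (used as a sanity check on the output)
count_local_redirects() {
    grep -c "tcp dport $2 fib daddr . iif type local .*redirect to" "$1"
}

# check_ruleset FILE -> 0 if nft accepts the syntax (nft -c loads nothing),
# 2 if nft is not installed, otherwise nft's own error status
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    nft -c -f "$1"
}

# Demo: print the ruleset for the 80 -> 8080 case from the question.
gen_redirect_ruleset 80 8080
```

To load it, save the output to a file and run `nft -f FILE` as root after `check_ruleset FILE` passes; the per-rule counters then show whether a test connection hit the local or the forwarded rule.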