I am on Ubuntu 12.04.2 LTS
cat /proc/sys/net/ipv4/ip_forward
0
I reset iptables with the following commands:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
I want to redirect traffic destined for port 80 to 1337. These commands accomplish that:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 1337
iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports 1337
I continue with the following commands in order to block all incoming traffic except SSH, and I expect the port redirection to still work:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j DROP
But the port redirection no longer works.
Adding iptables -A INPUT -p tcp --dport 80 -j ACCEPT
before iptables -A INPUT -j DROP
doesn't make it work either.
What else do I need to add or change?
To prevent direct traffic on 1337 you could do:
iptables -A INPUT -p tcp -s 127.0.0.1/8 --dport 1337 -j ACCEPT
so only traffic from the host itself (which is the redirect) will be accepted.
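The rule set below is an added example written for this page; it is not part of the question or the answer above. It assumes the same scenario (port 80 redirected to 1337, SSH on port 22) and a host whose iptables has the conntrack match, as Ubuntu 12.04 does; the function names are my own. What it demonstrates: the nat PREROUTING REDIRECT rewrites the destination port before the packet reaches the filter INPUT chain, so INPUT sees dport 1337 and a "--dport 80" ACCEPT never matches. REDIRECT leaves the client's source address untouched, so the rule that admits the redirected connections matches on the conntrack DNAT virtual state rather than on a source address; a client connecting straight to 1337 has no DNAT state and falls through to the DROP policy.

```shell
#!/bin/sh
# Added example (not from the original question or answer): a complete
# iptables-restore ruleset for the scenario above.  Assumes port 80 is
# redirected to 1337, SSH listens on 22, and iptables has the conntrack
# match (true on Ubuntu 12.04).  Function names are this example's own.
#
# Why the original INPUT rules broke the redirect: nat PREROUTING runs
# before filter INPUT, so by the time a redirected packet reaches INPUT
# its destination port is already 1337.  Neither the SSH rule nor a
# "--dport 80 -j ACCEPT" rule matches it, and the final DROP wins.
# REDIRECT does not change the source address, so in INPUT the packet
# still carries the remote client's IP.

REDIRECT_FROM=80
REDIRECT_TO=1337

# Emit the ruleset in iptables-restore format.  Both tables are written
# with explicit policies so that loading it replaces any previous state.
build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Inbound connections to $REDIRECT_FROM are rewritten to $REDIRECT_TO
-A PREROUTING -p tcp --dport $REDIRECT_FROM -j REDIRECT --to-ports $REDIRECT_TO
# Locally generated connections to $REDIRECT_FROM (for example curl localhost:80)
-A OUTPUT -o lo -p tcp --dport $REDIRECT_FROM -j REDIRECT --to-ports $REDIRECT_TO
COMMIT
*filter
:INPUT DROP [0:0]
# The host is not a router (ip_forward is 0), so nothing should be forwarded
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Accept the redirected connections.  In INPUT their destination port is
# already $REDIRECT_TO.  The DNAT virtual state matches only connections
# whose destination was rewritten by the nat table, so a client that
# connects straight to $REDIRECT_TO does not match and hits the DROP policy.
-A INPUT -p tcp --dport $REDIRECT_TO -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically; only meaningful as root on a host with iptables.
apply_rules() {
    build_rules | iptables-restore
}

# Return 0 if the generated ruleset contains the INPUT rule that the
# original attempt was missing: accept on the rewritten port, DNAT state only.
has_redirect_accept() {
    build_rules | grep -q -- "^-A INPUT -p tcp --dport $REDIRECT_TO -m conntrack --ctstate DNAT -j ACCEPT$"
}

# "sh script.sh" prints the ruleset for review; "sh script.sh apply" loads it.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    build_rules
fi
```

Run it without arguments to review the generated ruleset, then with "apply" as root to load it with iptables-restore. The conntrack match also offers --ctorigdstport, which could match on the original destination port 80 instead of the DNAT state; either way the rule keys on connection-tracking data that a direct connection to 1337 does not have, which a plain --dport or -s match cannot express.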