[SOLVED] iptables command won't forward a port

[johnklug]

I am trying to redirect TCP 443 to 8443.

strace -f -o /tmp/trace.txt iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
iptables: No chain/target/match by that name.

22056 socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 4
22056 fcntl(4, F_SETFD, FD_CLOEXEC) = 0
22056 getsockopt(4, SOL_IP, 0x40 /* IP_??? */, "nat\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0
22056 getsockopt(4, SOL_IP, 0x41 /* IP_??? */, "nat\0H\177\0\0X\\\257FH\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [824]) = 0
22056 setsockopt(4, SOL_IP, 0x40 /* IP_??? */, "nat\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1096) = -1 ENOENT (No such file or directory)
22056 close(4) = 0
22056 write(2, "iptables: No chain/target/match "..., 46) = 46

So is there something I have to do to create the NAT table?

# zgrep -E '^[^#]' config-3.17.7-gentoo | grep NF_CONN
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_SIP=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_NF_CONNTRACK_IPV6=y

[Syl20]

Did you enable the REDIRECT target when compiling your kernel ? Is the module (if compiled it as a module) loaded ?
http://cateee.net/lkddb/web-lkddb/IP_NF_TARGET_REDIRECT.html

[johnklug]

I added the following two kernel configuration tags, and port redirection worked:

CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_REDIRECT=m

Not sure if both are needed.


The doc from http://cateee.net/lkddb/web-lkddb/IP_NF_TARGET_REDIRECT.html says

This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_REDIRECT.

It may be that only CONFIG_NETFILTER_XT_TARGET_REDIRECT=m is needed.