Redirect incoming https to local ip with iptables
Just filter based on the destination address:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d $PUBLIC_IP -m conntrack --ctstate NEW -j DNAT --to-destination 192.168.1.2:443
If the public IP is dynamic, you will need to add hooks to the DHCP client script to update this rule when your IP address changes. You may also use IP sets to change the IP address to check without changing your rule.
Another less perfect solution is to use the addrtype module. This module makes a check on the routing table to determine what type of routing entry the address has. The LOCAL type can be used to check if this IP is the host's.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m addrtype --dst-type LOCAL -m conntrack --ctstate NEW -j DNAT --to-destination 192.168.1.2:443
Note that this solution also redirects connections to 192.168.1.1 and 127.0.0.1 or any IP address that your host has. You can exclude destination addresses by adding a simple ! -d 192.168.1.1 match to the rule.
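The IP-set variant of the rule above, with the DHCP hook the answer mentions, as an added example that is not part of the answer. It assumes the set name "pubip", WAN interface eth0, target 192.168.1.2:443, and excludes the LAN address 192.168.1.1 with "! -d" as described; the hook relies on the $reason, $new_ip_address and $old_ip_address variables that ISC dhclient-script exports to its exit hooks.

```shell
#!/bin/sh
# Added example: keep the public address in an ipset so a dynamic IP only
# changes the set, never the DNAT rule itself. Names below are assumptions.
IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
SET_NAME=pubip
WAN_IF=eth0
TARGET=192.168.1.2:443
LAN_IP=192.168.1.1

# Create the set and add the rule once; -C exits 0 when the rule already exists.
dnat_install() {
    "$IPSET" create -exist "$SET_NAME" hash:ip
    set -- -i "$WAN_IF" -p tcp --dport 443 \
        -m set --match-set "$SET_NAME" dst ! -d "$LAN_IP" \
        -m conntrack --ctstate NEW -j DNAT --to-destination "$TARGET"
    "$IPT" -t nat -C PREROUTING "$@" 2>/dev/null || "$IPT" -t nat -A PREROUTING "$@"
}

# Swap the old public address for the new one; -exist makes both calls idempotent.
dnat_set_public_ip() {
    new=$1; old=$2
    if [ -n "$old" ] && [ "$old" != "$new" ]; then
        "$IPSET" del -exist "$SET_NAME" "$old"
    fi
    "$IPSET" add -exist "$SET_NAME" "$new"
}

# Entry point for an ISC dhclient exit hook (e.g. a file under
# /etc/dhcp/dhclient-exit-hooks.d/); dhclient-script provides the variables.
dnat_dhcp_hook() {
    case "${reason:-}" in
        BOUND|RENEW|REBIND|REBOOT)
            dnat_set_public_ip "$new_ip_address" "$old_ip_address" ;;
    esac
}
```

Run dnat_install once at boot and source the file from the dhclient hook so dnat_dhcp_hook runs on every lease event.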
AnttiQ
Updated on September 18, 2022
Comments
-
AnttiQ over 1 year
I have a router with 1 network interface (eth0, public ip) and an alias for eth0:0, local ip 192.168.1.1.
I want to redirect all incoming https (443) traffic to another server. I tried it with
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j DNAT --to-destination 192.168.1.2:443
and it works. All traffic coming to my public ip's ssl port is redirected to 192.168.1.2. But the main problem is this; now all https traffic from my local lan to the internet is also redirected to that local ip, e.g. https://facebook.com and 192.168.1.2 answers. How should I fix my configuration in order to make it work?
-
AnttiQ almost 11 years
Thnx for your quick reply. How can I use -o with PREROUTING? At least iptables 1.4.12 does not accept it? But everything now works with --dst-type LOCAL :)
-
BatchyX almost 11 years
@AnttiQ: Sorry, I mean -d, not -o. Fixed.
-
Craig McQueen over 7 years
Why is using the addrtype module less perfect? This option sounds more reliable to me, because it doesn't need a separately defined $PUBLIC_IP which might be wrong (especially when using DHCP to get the IP address).