17

How can I redirect one port to another local port by using ip6tables? E.g. something like this: `ip6tables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 443 --to-ports 8443`

Changming Sun
  • 857
  • 2
  • 7
  • 19

2 Answers

7

Well this is an old question, but since I need to do the same thing… Here is what I've found:

TPROXY

This target is only valid in the mangle table, in the PREROUTING chain and user-defined chains which are only called from this chain. It redirects the packet to a local socket without changing the packet header in any way. It can also change the mark value which can then be used in advanced routing rules. It takes three options:
--on-port port
    This specifies a destination port to use. It is a required option, 0 means the new destination port is the same as the original. This is only valid if the rule also specifies -p tcp or -p udp. 
--on-ip address
    This specifies a destination address to use. By default the address is the IP address of the incoming interface. This is only valid if the rule also specifies -p tcp or -p udp. 
--tproxy-mark value[/mask]
    Marks packets with the given value/mask. The fwmark value set here can be used by advanced routing. (Required for transparent proxying to work: otherwise these packets will get forwarded, which is probably not what you want.)

This is valid for ip6tables only, of course. So I guess that this is valid:

ip6tables -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --on-port 8443

However, I didn't try it yet.

Adrien Clerc
  • 2,636
  • 1
  • 21
  • 26
  • You'll find it more difficult than REDIRECT in IPv4… The TPROXY has a special behavior in the mangle table, so you'll need to use marks on it and advanced routing. – Adrien Clerc Jun 19 '12 at 08:58
  • Which netfilter version is needed for "--on-ip"? ip6tables v1.4.8 (packaged with Debian Squeeze) doesn't work. Thanks in advance! – int2000 Dec 16 '12 at 08:46
  • 2
    After a short search in /usr/share/doc/iptables/changelog.Debian.gz on my testing box, it seems that it has been included in 1.4.11.1-1, as mentioned in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=529954 – Adrien Clerc Dec 16 '12 at 10:36
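The comment above points out that TPROXY needs more than the single rule in the answer: a packet mark and a policy-routing rule so that marked packets are delivered to the local stack rather than forwarded. The following script is an added example, not code from the answer or its comments, that assembles the full rule set for redirecting IPv6 TCP port 443 to a local listener on 8443. The mark value 0x1, the routing table number 100, the chain name DIVERT and the function names are assumptions chosen for the example. By default it only prints the commands (DRY_RUN=1) so the rule set can be reviewed before being applied as root with DRY_RUN=0. Two caveats a practitioner will want: the listener on port 8443 must set the IPV6_TRANSPARENT (IP_TRANSPARENT) socket option or TPROXY will not hand it the packets, and on kernels from 3.7 onward IPv6 NAT exists, so the plain REDIRECT rule from the question works there without any of this.

```shell
#!/bin/sh
# Added example, not from the original answers. Redirects IPv6 TCP traffic
# arriving on one port to a local listener on another port via TPROXY,
# which (unlike REDIRECT) needs a packet mark plus a policy-routing rule
# so that marked packets are delivered locally instead of forwarded.
# Assumed values: fwmark 0x1, routing table 100, chain name DIVERT.
# DRY_RUN=1 (the default) prints the commands instead of executing them,
# so the rule set can be reviewed before it is applied as root.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# tproxy_setup DPORT ONPORT [MARK] [TABLE]
tproxy_setup() {
    dport="$1"
    onport="$2"
    mark="${3:-0x1}"
    table="${4:-100}"

    # 1. Packets that already belong to a local transparent socket are
    #    marked and accepted (the -m socket match), so established flows
    #    keep being delivered locally without going through TPROXY again.
    run ip6tables -t mangle -N DIVERT
    run ip6tables -t mangle -A DIVERT -j MARK --set-mark "$mark"
    run ip6tables -t mangle -A DIVERT -j ACCEPT
    run ip6tables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

    # 2. New connections to DPORT are steered to the listener on ONPORT and
    #    marked; without --tproxy-mark the kernel would forward them instead.
    run ip6tables -t mangle -A PREROUTING -p tcp --dport "$dport" \
        -j TPROXY --tproxy-mark "$mark/$mark" --on-port "$onport"

    # 3. Policy routing: anything carrying the mark is treated as local.
    run ip -6 rule add fwmark "$mark" lookup "$table"
    run ip -6 route add local ::/0 dev lo table "$table"
}

# Usage: DRY_RUN=0 ./tproxy6.sh 443 8443   (apply)
#        ./tproxy6.sh 443 8443             (print only)
if [ "$#" -ge 2 ]; then
    tproxy_setup "$@"
fi
```

After applying, confirm the rules and routing with `ip6tables -t mangle -L PREROUTING -n -v`, `ip -6 rule show` and `ip -6 route show table 100`; packet counters on the TPROXY rule climbing while the listener sees no connections usually means the listener was started without IPV6_TRANSPARENT.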
5

ip6tables does not support REDIRECT. (Normally people use this in a NAT environment, and NAT is generally not supported with IPv6.)

If all you need to do is bind to the low port as a normal user, why not try the workaround described in this answer? Of course, in the case of Tomcat, it sounds like this would mean giving any Java process that capability.

Community
  • 1
  • 1
mpontillo
  • 13,559
  • 7
  • 62
  • 90