There is an interesting case when using --add-forward-port or the forward-port rich rule
Assume an existing REDIRECT iptables rule
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
One may think that the equivalent in firewalld would be
rule family=ipv4 forward-port port=80 protocol=tcp to-port=3128
This is not quite right as it would generate
-A PRE_external_allow -p tcp -m mark --mark 0x64 -j DNAT --to-destination :3128
--to-destination :port actually rewrites the port on the packet but leaves the destination address intact. The only way around this is to explicitly set the destination address (to-addr) in the rich rule but this is not as flexible as the REDIRECT target since if the machine's IP changes the rule has to be updated whereas REDIRECT does that automatically.
Since the destination IP is an optional argument it would make sense for this forward-port to support the REDIRECT target at least in the rich rule format. How about an extended syntax
forward-port port="" protocol="tcp|udp" to-port="" to-addr="redirect"
so a REDIRECT target can be generated instead?
Finally, it would be nice to add support for REDIRECT (and DNAT) in the OUTPUT chain as well.
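Added example, not code from the issue or from the firewalld project: a small POSIX shell script that puts the three rule forms discussed above side by side, models what each NAT target does to a packet's destination in the transparent-proxy scenario the issue describes, and shows the workaround available today through firewalld's direct interface. All helper names are hypothetical, "external" is an assumed zone name, and the addresses are constructed from documentation ranges; nothing is applied unless FIREWALLD_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the firewalld issue or the firewalld project.
# Helper names are hypothetical; "external" is an assumed zone name and the
# addresses below are constructed (RFC 5737 documentation ranges).

# --- 1. The three rule forms discussed in the issue -------------------------

# Rich rule the issue author expected to behave like REDIRECT.
rich_forward_port() {        # $1 = port  $2 = proto  $3 = to-port
    printf 'rule family=ipv4 forward-port port=%s protocol=%s to-port=%s\n' "$1" "$2" "$3"
}

# What firewalld generates from it (as quoted in the issue): DNAT with only
# the port given, so the packet's destination address is left intact.
generated_dnat_rule() {      # $1 = port  $2 = proto  $3 = to-port  $4 = zone
    printf '%s\n' "-A PRE_${4}_allow -p $2 -m mark --mark 0x64 -j DNAT --to-destination :$3"
}

# The plain iptables rule being replaced.
iptables_redirect_rule() {   # $1 = port  $2 = proto  $3 = to-port
    printf '%s\n' "-A PREROUTING -p $2 -m $2 --dport $1 -j REDIRECT --to-ports $3"
}

# --- 2. What each target does to a packet's destination ---------------------
# A model of the behaviour the issue describes, not a NAT implementation.
#   $1 = target  $2 = receiving interface's primary address
#   $3 = packet's original destination address  $4 = new port
#   $5 = to-addr configured in the rule (DNAT_EXPLICIT only)
rewrite_destination() {
    case "$1" in
        REDIRECT)       printf '%s:%s\n' "$2" "$4" ;;   # follows the host's current address
        DNAT_PORT_ONLY) printf '%s:%s\n' "$3" "$4" ;;   # destination address unchanged
        DNAT_EXPLICIT)  printf '%s:%s\n' "$5" "$4" ;;   # frozen at configuration time
        *) echo "unknown target: $1" >&2; return 1 ;;
    esac
}

# --- 3. Workaround available today: firewalld's direct interface ------------
# Passes the iptables arguments through unchanged, so REDIRECT semantics are
# kept. Nothing is applied unless FIREWALLD_APPLY=1 is set.
direct_redirect_cmd() {      # $1 = port  $2 = proto  $3 = to-port
    printf '%s\n' "firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p $2 --dport $1 -j REDIRECT --to-ports $3"
}

apply_direct_redirect() {
    cmd=$(direct_redirect_cmd "$@")
    if [ "${FIREWALLD_APPLY:-0}" = "1" ]; then
        $cmd && firewall-cmd --reload
    else
        printf 'dry run: %s\n' "$cmd"
    fi
}

# Transparent-proxy scenario from the issue: a client's request to a remote
# web server (203.0.113.5:80) arrives on a host whose address was 192.0.2.10
# when the rule was written and is 192.0.2.20 now.
demo() {
    echo "rich rule:         $(rich_forward_port 80 tcp 3128)"
    echo "firewalld emits:   $(generated_dnat_rule 80 tcp 3128 external)"
    echo "iptables original: $(iptables_redirect_rule 80 tcp 3128)"
    echo "REDIRECT     -> $(rewrite_destination REDIRECT 192.0.2.20 203.0.113.5 3128)"
    echo "DNAT :3128   -> $(rewrite_destination DNAT_PORT_ONLY 192.0.2.20 203.0.113.5 3128)   (not delivered to the local proxy)"
    echo "DNAT to-addr -> $(rewrite_destination DNAT_EXPLICIT 192.0.2.20 203.0.113.5 3128 192.0.2.10)   (stale address)"
    apply_direct_redirect 80 tcp 3128
}

demo
```

The model in step 2 is the whole point: with `--to-destination :3128` the packet keeps its remote destination address and is forwarded onward on port 3128 instead of reaching the local proxy, and an explicit `to-addr` only works until the host's address changes. The direct rule in step 3 keeps REDIRECT behaviour under firewalld; run the script with FIREWALLD_APPLY=1 on a host that actually has firewalld to apply it, otherwise it only prints the command.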