The REDIRECT target is used to redirect packets and streams to the machine itself. This means that we could, for example, REDIRECT all packets destined for the HTTP ports to an HTTP proxy like squid running on our own host. Packets that arrive from the network get their destination address rewritten to the address of the interface they came in on; locally generated packets are mapped to the 127.0.0.1 address. In other words, packets that would otherwise be forwarded are delivered to our own host instead. The REDIRECT target is extremely useful when we want, for example, transparent proxying, where the LAN hosts do not know about the proxy at all.

Note that the REDIRECT target is only valid within the PREROUTING and OUTPUT chains of the nat table. It is also valid within user-defined chains that are only called from those chains, and nowhere else. The REDIRECT target takes only one option, as described below.
Table 11-9. REDIRECT target

Option      | --to-ports
Example     | iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
Explanation | The --to-ports option specifies the destination port, or port range, to use. Without the --to-ports option, the destination port is never altered. It is specified as above, --to-ports 8080, in case we only want to specify one port. If we want to specify a port range, we do it like --to-ports 8080-8090, which tells the REDIRECT target to redirect the packets to the ports 8080 through 8090. Note that this option is only available in rules specifying the TCP or UDP protocol with the --protocol matcher, since it wouldn't make any sense anywhere else.
Kernels     | Works under Linux kernel 2.3, 2.4, 2.5 and 2.6.
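As an added example (not part of the tutorial), the script below builds the nat-table REDIRECT rules for the transparent HTTP proxy setup described above and checks each rule against the constraints the text states: nat table only, PREROUTING or OUTPUT chain only, and --to-ports only together with a TCP or UDP --protocol match. It assumes a squid proxy listening on TCP port 3128 as the user "proxy" and a LAN interface named eth1; all three are hypothetical values set in variables. The OUTPUT rule uses the owner match (not discussed in the text) to exclude the proxy's own outbound connections, which would otherwise be redirected back to the proxy in a loop.

```shell
#!/bin/sh
# Added example, not from the tutorial. Assumptions: squid on TCP 3128 as
# user "proxy", LAN on eth1. Override with environment variables if needed.
LAN_IF="${LAN_IF:-eth1}"
PROXY_PORT="${PROXY_PORT:-3128}"
PROXY_USER="${PROXY_USER:-proxy}"

# Print the rules, one per line. PREROUTING catches LAN clients; OUTPUT
# catches locally generated traffic, excluding the proxy's own connections
# so they are not redirected back to the proxy (a loop).
transparent_proxy_rules() {
  printf '%s\n' \
    "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT" \
    "iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner $PROXY_USER -j REDIRECT --to-ports $PROXY_PORT"
}

# Return 0 if one iptables command obeys the REDIRECT constraints from the
# text: nat table, PREROUTING/OUTPUT chain, --to-ports only with -p tcp/udp.
# Rules that do not use -j REDIRECT are accepted unchanged.
check_redirect_rule() {
  rule="$1"
  case "$rule" in *" -j REDIRECT"*) ;; *) return 0 ;; esac
  case "$rule" in *" -t nat "*) ;; *) return 1 ;; esac
  case "$rule" in
    *" -A PREROUTING "*|*" -A OUTPUT "*|*" -I PREROUTING "*|*" -I OUTPUT "*) ;;
    *) return 1 ;;
  esac
  case "$rule" in
    *" --to-ports "*)
      case "$rule" in
        *" -p tcp "*|*" -p udp "*|*" --protocol tcp "*|*" --protocol udp "*) ;;
        *) return 1 ;;
      esac ;;
  esac
  return 0
}

# Return 0 only if every generated rule passes check_redirect_rule.
check_all_rules() {
  transparent_proxy_rules | (
    while IFS= read -r r; do
      check_redirect_rule "$r" || exit 1
    done
    exit 0
  )
}

# Load the rules. DRY_RUN=1 (the default) only prints them; DRY_RUN=0
# executes them, which needs root and a netfilter-capable kernel.
apply_rules() {
  check_all_rules || { echo "refusing to load: a rule violates the REDIRECT constraints" >&2; return 1; }
  transparent_proxy_rules | while IFS= read -r r; do
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "$r"
    else
      $r
    fi
  done
}
```

Run it as `DRY_RUN=1 sh redirect-proxy.sh` (after appending an `apply_rules` call at the end) to review the generated commands before loading them with `DRY_RUN=0` as root; the validator lets you catch a rule accidentally placed in FORWARD or in the filter table, which iptables would reject with a less obvious error.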