How does the iptables chain OUTPUT work?
First experience w/iptables, using it to reroute traffic from port 80 to 8080 so I can run an application server with just user permissions. I solved the problem, but I don't know why it works, and I was hoping to be set straight.
My iptables -t nat -L is as follows:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8080
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere localhost tcp dpt:http redir ports 8080
REDIRECT tcp -- anywhere _hostname_ tcp dpt:http redir ports 8080
Two things about the OUTPUT rules I wasn't able to grok:
1) Shouldn't I be redirecting to port 80 instead of 8080? Redirecting to 8080 seems wrong to me, because I was under the impression that clients send requests to 80. Wouldn't they expect responses from such as well?
2) Why the references to localhost and hostname here? If it's OUTPUT, isn't the destination literally anywhere BUT here?
Any answers are appreciated---I'm a total noob and this isn't particularly urgent, but I do want to understand this.
There are two things to know:
First, DNAT (REDIRECT) should automatically "fix" the IP/port information on the return trip using conntrack. Therefore, there's no explicit rule in iptables to map from port 8080 back to 80; it's handled automatically. You can watch conntrack in action under /proc/net/ip_conntrack or by using the conntrack-tools package.
Second, the OUTPUT chain is for packets originating on that computer, while PREROUTING is for packets arriving on the computer from the outside. There's an explanation here, but the flow diagram given is based around firewall operation so it doesn't show the path a packet goes through when sent to itself. Essentially, those two OUTPUT rules are to make sure that if you connect from the server to itself (destination is either 127.0.0.1 or the public IP), the connection is redirected from 80 to 8080.
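The following is an added toy model of the nat table traversal the answer describes, not code from the original post. It mirrors the rule listing above with constructed addresses (192.0.2.10 stands in for the host's public IP shown as _hostname_, 203.0.113.5 for a remote client) and shows both points: locally generated packets hit OUTPUT while inbound ones hit PREROUTING, and replies are mapped back from 8080 to 80 by the conntrack entry, not by a rule.

```python
from dataclasses import dataclass, replace

# Constructed addresses: loopback and the host's own public IP (the "_hostname_" entry).
LOCAL_IPS = {"127.0.0.1", "192.0.2.10"}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# nat table as in the listing: chain -> [(destination filter or None for "anywhere",
# matched dport, REDIRECT target port)]. Address rewriting done by REDIRECT is omitted.
NAT = {
    "PREROUTING": [(None, 80, 8080)],
    "OUTPUT": [("127.0.0.1", 80, 8080), ("192.0.2.10", 80, 8080)],
}

# conntrack: post-NAT tuple (src, sport, dst, dport) -> original destination port
CONNTRACK = {}

def nat_new_connection(pkt, locally_generated):
    """First packet of a flow: the chain depends on where the packet originates.
    Packets from a local process traverse OUTPUT; packets arriving from the
    network traverse PREROUTING. A matching REDIRECT rewrites dport and the
    mapping is recorded in conntrack."""
    chain = "OUTPUT" if locally_generated else "PREROUTING"
    for dst_filter, dport, to_port in NAT[chain]:
        if pkt.dport == dport and dst_filter in (None, pkt.dst):
            new = replace(pkt, dport=to_port)
            CONNTRACK[(new.src, new.sport, new.dst, new.dport)] = pkt.dport
            return chain, new
    return chain, pkt  # no rule matched, packet leaves unchanged

def nat_reply(reply):
    """Reply emitted by the server socket on 8080: conntrack looks up the flow by
    its reversed tuple and restores the original port (80) in the source field,
    so the client sees a response from the port it spoke to. No rule needed."""
    key = (reply.dst, reply.dport, reply.src, reply.sport)
    orig = CONNTRACK.get(key)
    return replace(reply, sport=orig) if orig is not None else reply
```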