Iptables port forwarding localhost on blocked port

I am currently trying to forward port 80 to port 4999 so that 80 is exposed but 4999 is not. After looking into this, I found that the tables below do what I want successfully, but I do not understand how they work. Could anyone describe to me what is going on here and tell me whether this causes any security problems?

*nat
:PREROUTING ACCEPT [325:20003]
:INPUT ACCEPT [404:24676]
:OUTPUT ACCEPT [360:25177]
:POSTROUTING ACCEPT [360:25177]
# incoming TCP to port 80 is rewritten to local port 4999 before routing
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 4999
# incoming TCP to port 4999 is rewritten to local port 80
-A PREROUTING -p tcp -m tcp --dport 4999 -j REDIRECT --to-ports 80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8142:1141863]
# after the nat rewrite, only traffic now addressed to 4999 is accepted
-A INPUT -p tcp -m tcp --dport 4999 -j ACCEPT
# everything else arriving at this host is dropped
-A INPUT -j DROP
COMMIT

Answer

The first prerouting rule changes incoming port 80 traffic to port 4999, and the first input rule accepts it.

The second prerouting rule changes the port 4999 traffic to port 80, and the second input rule drops it.

I think changing the second prerouting rule to -j DROP will do the job better.

Or change the default INPUT policy to DROP, and delete the second INPUT rule.

Like Zoredache said, it does not make much sense.
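To make the packet flow the answer describes concrete, here is an added simulator (not code from the question or the answer) that parses the iptables-restore fragment quoted above and walks an inbound packet through nat PREROUTING and then filter INPUT, the order the kernel uses for traffic addressed to the host. It only understands the subset of syntax used on this page (chain policies, -p, --dport, ACCEPT, DROP, REDIRECT --to-ports) and treats every packet as the first of its connection, so it ignores conntrack; the `hardened_ruleset` and `without_second_redirect` variants are constructed here to compare the answer's INPUT-policy suggestion and to show what happens if the 4999 -> 80 REDIRECT is simply dropped.

```python
"""Simulate the quoted iptables rules for packets arriving from the network.

Added example for this page; assumes only the rule syntax used in the question.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the rule set quoted in the question.
RULESET = """\
*nat
:PREROUTING ACCEPT [325:20003]
:INPUT ACCEPT [404:24676]
:OUTPUT ACCEPT [360:25177]
:POSTROUTING ACCEPT [360:25177]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 4999
-A PREROUTING -p tcp -m tcp --dport 4999 -j REDIRECT --to-ports 80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8142:1141863]
-A INPUT -p tcp -m tcp --dport 4999 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""


@dataclass
class Rule:
    proto: Optional[str]
    dport: Optional[int]
    target: str
    to_port: Optional[int]


def _opt(parts, flag):
    """Value following a flag in a tokenised -A line, or None if absent."""
    return parts[parts.index(flag) + 1] if flag in parts else None


def parse_ruleset(text):
    """Return {table: {"policy": {chain: POLICY}, "chains": {chain: [Rule]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # *nat, *filter
            table = tables.setdefault(line[1:], {"policy": {}, "chains": {}})
        elif line.startswith(":"):                    # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
            table["chains"].setdefault(chain, [])
        elif line.startswith("-A "):                  # -A CHAIN matches -j TARGET
            parts = line.split()
            dport, to_port = _opt(parts, "--dport"), _opt(parts, "--to-ports")
            rule = Rule(proto=_opt(parts, "-p"),
                        dport=int(dport) if dport else None,
                        target=_opt(parts, "-j"),
                        to_port=int(to_port) if to_port else None)
            table["chains"].setdefault(parts[1], []).append(rule)
    return tables


def run_chain(table, chain, proto, dport):
    """Walk one chain top to bottom; return (verdict, possibly rewritten dport)."""
    for rule in table["chains"].get(chain, []):
        if rule.proto not in (None, proto) or rule.dport not in (None, dport):
            continue
        if rule.target == "REDIRECT":
            # REDIRECT is terminating in nat: the destination port is rewritten
            # and the packet continues to the filter table with the new port.
            return "ACCEPT", rule.to_port
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target, dport
    return table["policy"].get(chain, "ACCEPT"), dport   # chain policy applies


def inbound_verdict(tables, proto, dport):
    """Packet from the network to this host: nat PREROUTING, then filter INPUT."""
    _, dport_after_nat = run_chain(tables["nat"], "PREROUTING", proto, dport)
    verdict, _ = run_chain(tables["filter"], "INPUT", proto, dport_after_nat)
    return verdict, dport_after_nat


def hardened_ruleset():
    """The answer's suggestion: INPUT policy DROP, catch-all DROP rule removed."""
    return (RULESET.replace(":INPUT ACCEPT [0:0]", ":INPUT DROP [0:0]")
                   .replace("-A INPUT -j DROP\n", ""))


def without_second_redirect():
    """Constructed variant with the 4999 -> 80 REDIRECT deleted."""
    return RULESET.replace(
        "-A PREROUTING -p tcp -m tcp --dport 4999 -j REDIRECT --to-ports 80\n", "")


if __name__ == "__main__":
    for name, text in [("as posted", RULESET), ("hardened", hardened_ruleset()),
                       ("no 4999->80 redirect", without_second_redirect())]:
        tables = parse_ruleset(text)
        for port in (80, 4999, 22):
            print(f"{name:22} tcp/{port:<5} -> {inbound_verdict(tables, 'tcp', port)}")
```

Running it shows the two things the question is really asking about: external TCP/80 is accepted as local port 4999, and external TCP/4999 is swapped to 80 and then dropped, so 4999 is not reachable from outside. The `without_second_redirect` variant shows why that second REDIRECT is doing work: without it, a direct connection to 4999 lands unchanged in INPUT and is accepted by the `--dport 4999` rule. Two caveats the simulation also makes visible: PREROUTING is not traversed by packets the host generates itself, so a process on localhost still reaches 4999 directly (which is the intent), and the stateless catch-all `-A INPUT -j DROP` (or a DROP policy) discards every other inbound packet, including TCP/22 and the replies to connections this host opens, because nothing in the filter table accepts loopback or established traffic.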

Attribution
Source : Link , Question Author : quinton , Answer Author : Brigo
