A tip: Always include NAT in your Linux kernel configuration

October 31, 2005

Here's an important Linux kernel configuration tip: always compile NAT for your kernels, whether built in or as modules.

I often build my own kernels on machines (usually so I can use stock kernel.org kernels). Some of these machines are slow, and in general I like to leave out options I don't need. In the past, I have often looked at NAT and decided that I clearly wasn't going to need it. (After all, none of these machines were going ever to be firewalls.)

However, as I found out the hard way, there is another good reason to include NAT: local port redirection.

Local port redirection is a neat feature where you can map one server port to another. For example, if the idea of running Apache as root gives you the hives you can set it up to run as a normal user on port 8080, and transparently redirect port 80 to port 8080.

It turns out that transparent port redirection is useful for all sorts of tricks. And it's part of NAT; if you don't configure in NAT, you don't have it available.

So how do you do local port redirection once you have NAT? The full answer is in section 6 of the Linux NAT HOWTO, but the terse version is:

# iptables -t nat -A PREROUTING \
    -p tcp --dport 80 \
    -j REDIRECT --to-port 8080

(You may want to specify '-i eth0' or the like too. Or other conditions, to do redirection only for certain people. Want known spammers to see an entirely different SMTP server? You can do that.)

Written on 31 October 2005.
« Weekly spam summary on October 29th, 2005
Another tip: Label your hard drives »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Mon Oct 31 01:03:23 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.