Here's an important Linux kernel configuration tip: always compile NAT for your kernels, whether built in or as modules.

I often build my own kernels on machines (usually so I can use stock kernel.org kernels). Some of these machines are slow, and in general I like to leave out options I don't need. In the past, I have often looked at NAT and decided that I clearly wasn't going to need it. (After all, none of these machines were going ever to be firewalls.)

However, as I found out the hard way, there is another good reason to include NAT: local port redirection.

Local port redirection is a neat feature where you can map one server port to another. For example, if the idea of running Apache as root gives you the hives you can set it up to run as a normal user on port 8080, and transparently redirect port 80 to port 8080.

It turns out that transparent port redirection is useful for all sorts of tricks. And it's part of NAT; if you don't configure in NAT, you don't have it available.

So how do you do local port redirection once you have NAT? The full answer is in section 6 of the Linux NAT HOWTO, but the terse version is:

# iptables -t nat -A PREROUTING \
    -p tcp --dport 80 \
    -j REDIRECT --to-port 8080

(You may want to specify '-i eth0' or the like too. Or other conditions, to do redirection only for certain people. Want known spammers to see an entirely different SMTP server? You can do that.)