# [SOLVED] iptables command won't forward a port

## johnklug

I am trying to redirect TCP 443 to 8443.

strace -f -o /tmp/trace.txt iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

iptables: No chain/target/match by that name.

22056 socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 4

22056 fcntl(4, F_SETFD, FD_CLOEXEC)     = 0

22056 getsockopt(4, SOL_IP, 0x40 /* IP_??? */, "nat\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0

22056 getsockopt(4, SOL_IP, 0x41 /* IP_??? */, "nat\0H\177\0\0X\\\257FH\177\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [824]) = 0

22056 setsockopt(4, SOL_IP, 0x40 /* IP_??? */, "nat\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1096) = -1 ENOENT (No such file or directory)

22056 close(4)                          = 0

22056 write(2, "iptables: No chain/target/match "..., 46) = 46

So is there something I have to do to create the NAT table?

# zgrep -E '^[^#]' config-3.17.7-gentoo | grep NF_CONN

CONFIG_NF_CONNTRACK=y

CONFIG_NF_CONNTRACK_SECMARK=y

CONFIG_NF_CONNTRACK_PROCFS=y

CONFIG_NF_CONNTRACK_FTP=y

CONFIG_NF_CONNTRACK_IRC=y

CONFIG_NF_CONNTRACK_SIP=y

CONFIG_NF_CONNTRACK_IPV4=y

CONFIG_NF_CONNTRACK_PROC_COMPAT=y

CONFIG_NF_CONNTRACK_IPV6=y

Last edited by johnklug on Sat May 14, 2016 9:11 pm; edited 1 time in total

----------

## Syl20

Did you enable the REDIRECT target when compiling your kernel ? Is the module (if compiled it as a module) loaded ?

http://cateee.net/lkddb/web-lkddb/IP_NF_TARGET_REDIRECT.html

----------

## johnklug

I added the following two kernel configuration tags, and port redirection worked:

CONFIG_NETFILTER_XT_TARGET_REDIRECT=m

CONFIG_IP_NF_TARGET_REDIRECT=m

Not sure if both are needed.  

The doc from http://cateee.net/lkddb/web-lkddb/IP_NF_TARGET_REDIRECT.html says

This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_REDIRECT.

It may be that only CONFIG_NETFILTER_XT_TARGET_REDIRECT=m is needed.

----------

