This repository has been archived by the owner on Jun 11, 2019. It is now read-only.

TARGET cannot be at the end or rule fails to compile #47

Open
radeksimko opened this issue Jan 18, 2014 · 1 comment

Comments

@radeksimko
Contributor

This would be worth some further explanation 552e151, @javierbertoli

I have exactly the opposite issue - if the target is at the end and there's any option depending on that target, the rule fails to compile, e.g. --to-ports depends on the MASQUERADE or REDIRECT target:

-I PREROUTING -p tcp --dport 80 --to-ports 8000 -j REDIRECT
[root@localhost vagrant]# iptables-restore < /etc/sysconfig/iptables
iptables-restore v1.4.21: unknown option `--to-ports'
Error occurred at line: 31
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

I'm running on CentOS 6.4 with the very latest version of iptables - 1.4.21 compiled directly from the latest dev snapshot.
Which version/OS are you running?

Maybe there's just a difference between versions...

@javierbertoli
Contributor

Hi Radek, reading through iptables documentation, I understand that --to-ports and --random are extra options to the TARGETs MASQUERADE and REDIRECT specifically, and cannot be written before them. This is in accordance with your findings and explains them:

In your example the TARGET is actually REDIRECT --to-ports 8000 and not just REDIRECT (as --to-ports is a parameter of the TARGET itself and not of the CHAIN NAT). The same happens with other TARGETs that accept extra options.

A quick fix (using exactly your same example) would be:

iptables::rule { 'complex_redirect_rule':
  table  => 'nat',
  chain  => 'PREROUTING',
  port   => '80',
  target => 'REDIRECT --to-ports 8000',
}

A possible long term solution would be to add an extra parameter to the iptables::rule define, like target_options or similar?
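The ordering rule discussed in this thread, as an added example (not code from the module or from either poster): a small Python check that flags target options placed before `-j`, rewrites the rule so they follow the target, and yields the `target` string used in the workaround above. The option table is an assumption drawn from the iptables extensions man page.

```python
import shlex

# Options owned by the NAT target extensions, not by the match part of the
# rule: iptables only recognises them after "-j TARGET", which is exactly the
# "unknown option" failure in the thread. Table constructed for this example
# from the iptables-extensions man page; the value says whether the option
# takes an argument.
TARGET_OPTIONS = {
    "--to-ports": True,         # REDIRECT, MASQUERADE
    "--to-destination": True,   # DNAT
    "--to-source": True,        # SNAT
    "--random": False,          # REDIRECT, MASQUERADE, DNAT, SNAT
    "--persistent": False,      # DNAT, SNAT
}


def split_rule(rule):
    """Split a rule into (match tokens, target tokens, misplaced option names).

    Target tokens are "TARGET" plus its options. Any target option found
    before "-j" is reported as misplaced and moved into the target tokens.
    """
    tokens = shlex.split(rule)
    if "-j" not in tokens:
        raise ValueError("rule has no -j target")
    j = tokens.index("-j")
    match, target, misplaced = [], tokens[j + 1:], []
    i = 0
    while i < j:
        tok = tokens[i]
        if tok in TARGET_OPTIONS:
            width = 2 if TARGET_OPTIONS[tok] else 1
            if i + width > j:
                raise ValueError(f"{tok} is missing its argument")
            misplaced.append(tok)
            target.extend(tokens[i:i + width])
            i += width
        else:
            match.append(tok)
            i += 1
    return match, target, misplaced


def misplaced_target_options(rule):
    """Names of target options that sit before -j (iptables-restore rejects them)."""
    return split_rule(rule)[2]


def reorder_rule(rule):
    """Rewrite the rule so every target option follows '-j TARGET'."""
    match, target, _ = split_rule(rule)
    return " ".join(match + ["-j"] + target)


def puppet_target(rule):
    """Value for iptables::rule's target parameter (the workaround in this thread)."""
    return " ".join(split_rule(rule)[1])
```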
