This is a discussion on Loopback DNAT within the Linux Networking forums, part of the Linux Forums category.
Hi,

on a router I use

# iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j DNAT --to-destination 10.0.0.1

to direct web traffic to an internal machine.

But when the router itself accesses 85.86.87.88:80 I get "connection refused". Shouldn't the "local" packet be NATed just like any other packet coming from outside?

Regards,
André
Hello,

André Hänsel wrote:
> on a router I use
>
> # iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j DNAT --to-destination 10.0.0.1
>
> to direct web traffic to an internal machine.
>
> But when the router itself accesses 85.86.87.88:80 I get "connection refused".
> Shouldn't the "local" packet be NATed just like any other packet coming from outside?

No, locally generated packets don't go through the nat/PREROUTING chain. Use the OUTPUT chain to DNAT locally initiated connections.
On Jul 4, 12:15 am, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org> wrote:
> Hello,
>
> André Hänsel wrote:
> > on a router I use
> >
> > # iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j DNAT --to-destination 10.0.0.1
> >
> > to direct web traffic to an internal machine.
> >
> > But when the router itself accesses 85.86.87.88:80 I get "connection refused".
> > Shouldn't the "local" packet be NATed just like any other packet coming from outside?
>
> No, locally generated packets don't go through the nat/PREROUTING chain.
> Use the OUTPUT chain to DNAT locally initiated connections.

Thanks so far. Could you give an overview of which chains are traversed by local packets?
André Hänsel wrote:
> Could you give an overview of which chains are traversed by local packets?

- Locally generated packet routed through a non-loopback interface:

  [sending local process]
            |
            V
  mangle,nat(1),filter INPUT chains
            |
            V
  mangle,nat(1) POSTROUTING chains
            |
            V
  [output interface]

- Locally generated packet routed through the loopback interface:

  [sending local process]
            |
            V
  mangle,nat(1),filter INPUT chains
            |
            V
  mangle,nat(1) POSTROUTING chains
            |
            V
  [loopback interface]
            |
            V
  mangle PREROUTING chain
            |
            V
  mangle,filter INPUT chains
            |
            V
  [receiving local process]

(1) Only packets creating a new connection go through the nat chains. The trick is that a packet is not considered creating a new connection any more after leaving the POSTROUTING chains, so when it loops back, it does not go through the nat/PREROUTING chain.
[Supersedes previous message]

André Hänsel wrote:
> Could you give an overview of which chains are traversed by local packets?

- Locally generated packet routed through a non-loopback interface:

  [sending local process]
            |
            V
  raw,mangle,nat(1),filter OUTPUT chains
            |
            V
  mangle,nat(1) POSTROUTING chains
            |
            V
  [output interface]

- Locally generated packet routed through the loopback interface:

  [sending local process]
            |
            V
  raw,mangle,nat(1),filter INPUT chains
            |
            V
  mangle,nat(1) POSTROUTING chains
            |
            V
  [loopback interface]
            |
            V
  raw,mangle PREROUTING chains
            |
            V
  mangle,filter INPUT chains
            |
            V
  [receiving local process]

(1) Only packets creating a new connection go through the nat chains. The trick is that a packet is not considered creating a new connection any more after leaving the POSTROUTING chains, so when it loops back, it does not go through the nat/PREROUTING chain.
[Supersedes previous message again, forgot to correct another mistake]

André Hänsel wrote:
> Could you give an overview of which chains are traversed by local packets?

- Locally generated packet routed through a non-loopback interface:

  [sending local process]
            |
            V
  raw,mangle,nat(1),filter OUTPUT chains
            |
            V
  mangle,nat(1) POSTROUTING chains
            |
            V
  [output interface]

- Locally generated packet routed through the loopback interface:

  [sending local process]
            |
            V
  raw,mangle,nat(1),filter OUTPUT chains
            |
            V
  mangle,nat(1) POSTROUTING chains
            |
            V
  [loopback interface]
            |
            V
  raw,mangle PREROUTING chains
            |
            V
  mangle,filter INPUT chains
            |
            V
  [receiving local process]

(1) Only packets creating a new connection go through the nat chains. The trick is that a packet is not considered creating a new connection any more after leaving the POSTROUTING chains, so when it loops back, it does not go through the nat/PREROUTING chain.