From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: Problem with DNAT from localhost to LAN via loopback
Date: Thu, 14 Apr 2005 13:18:47 -0400
Message-ID: <20050414171847.GA2040@bender.817west.com>
In-Reply-To: <1113492519.425e8c27488ab@imp1-q.free.fr>

On Thu, Apr 14, 2005 at 05:28:39PM +0200, Charles Delorme wrote:
> Hello list...
> 
> I've read a lot in the archive about DNAT/loopback and redirect, but I still
> haven't found what I'm looking for (ok, I had some U2 in my mind at that time.
> Don't you know? :-)
> 
> My configuration can be simplified as this (the configuration is far more
> complicated, but I assume you only need the relevant information):
> - a Linux router/firewall/sshd/squid/etc with two interfaces (LAN - RFC 1918 -
> and WAN static official IP)
> - a LAN machine hosting a P2P service (PixVillage photo sharing - nothing
> illegal)
> - the P2P protocol only knows about the WAN IP of the Linux box.
> 
> I've configured PREROUTING entries and associated POSTROUTING which work
> perfectly from the Internet or another machine on the LAN. A simple extract:
> 
> $IPTABLES -t nat -A PREROUTING -d $FW_INTERNET -p tcp --dport 3739 -j DNAT \
>     --to-destination 192.168.38.9:3739
> $IPTABLES -t nat -A POSTROUTING -s $LAN -d $LAN -p tcp --dport 3739 -j SNAT \
>     --to-source $FW_INTERNET
> 
> My problem is from the Linux box when trying "telnet [official WAN IP] 3739",
> which replies "connection refused". "tcpdump -nt -i lo" shows a simple SYN then
> RST. I've added LOG to chains (INPUT/FORWARD/OUTPUT/PREROUTING/POSTROUTING) and
> found this telnet connection does not go via the PREROUTING chain. So it
> doesn't find any local 3739 port listening, so it is not redirected to the
> LAN... When I fire up a netcat listening on the port, I can get the connection -
> of course (but as I said before, the configuration is more complicated and this
> test was mandatory).
> 
> I've read in the archive this might be the normal behaviour, the PREROUTING chain
> being used only for external and not loopback connections. Is that true?
> 
> Is there a solution via iptables to solve this?

your kernel needs to be compiled with:

  CONFIG_IP_NF_NAT_LOCAL

in order to DNAT locally-generated packets.

IIRC you then put the DNAT rule in the nat table OUTPUT chain to modify
the destination of local packets.

-j

--
"Quagmire: Hey there little lady. Why don't you turn around and show
 me your Lower East Side.
 Woman (in deep voice): Sure.
 Quagmire: Whoa. Transvestite, back off. Wait a minute... pre-op
 or post-op?
 Woman: Pre-op.
 Quagmire: Whoa. Transvestite, back off."
        --Family Guy
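The rule set the reply describes, written out as an added example (it is not from the original thread or from either poster). Locally generated packets never traverse the nat PREROUTING chain, so the same DNAT is repeated in the nat OUTPUT chain; the PREROUTING and hairpin SNAT rules are the ones from the original post. The addresses (203.0.113.10 as the WAN address, 192.168.38.0/24 as the LAN) are constructed, the variable names follow the post, and the `nat_local_status` helper is an assumption about where a kernel exposes its build configuration (/proc/config.gz or /boot/config-*).

```shell
#!/bin/sh
# Added example, not part of the original thread: DNAT a connection the
# firewall opens to its own WAN address across to a LAN host. Addresses are
# constructed (203.0.113.0/24 is a documentation range); the variable names
# follow the original post.

IPTABLES=iptables
FW_INTERNET=203.0.113.10        # the box's public (WAN) address
LAN=192.168.38.0/24             # RFC 1918 LAN behind the box
P2P_HOST=192.168.38.9           # LAN machine running the service
P2P_PORT=3739

# Run iptables, or with DRY_RUN=1 only print the command for review.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Report whether the kernel configuration mentions CONFIG_IP_NF_NAT_LOCAL:
# "yes"/"no" on kernels that still carry the option, "absent" on kernels
# that no longer have it (NAT of locally generated packets is then built
# in), "unknown" when no configuration file is readable. The file
# locations checked are an assumption, not something the thread states.
nat_local_status() {
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)")
    else
        echo unknown
        return 0
    fi
    case "$cfg" in
        *CONFIG_IP_NF_NAT_LOCAL=y*) echo yes ;;
        *CONFIG_IP_NF_NAT_LOCAL*)   echo no ;;
        *)                          echo absent ;;
    esac
}

# The three NAT rules. Traffic arriving from the WAN or from other LAN hosts
# is handled in PREROUTING as in the post; traffic originating on the box
# itself never traverses PREROUTING, so the same DNAT is repeated in OUTPUT.
nat_rules() {
    run -t nat -A PREROUTING -d "$FW_INTERNET" -p tcp --dport "$P2P_PORT" \
        -j DNAT --to-destination "$P2P_HOST:$P2P_PORT"
    run -t nat -A OUTPUT -d "$FW_INTERNET" -p tcp --dport "$P2P_PORT" \
        -j DNAT --to-destination "$P2P_HOST:$P2P_PORT"
    # Hairpin case from the post: a LAN client talking to the WAN address
    # must see the replies come back through the firewall, hence the SNAT.
    run -t nat -A POSTROUTING -s "$LAN" -d "$LAN" -p tcp --dport "$P2P_PORT" \
        -j SNAT --to-source "$FW_INTERNET"
}

case "${1:-}" in
    show)  DRY_RUN=1 nat_rules ;;
    apply) nat_rules
           # Packet counters on the OUTPUT rule show whether a local
           # "telnet $FW_INTERNET $P2P_PORT" is actually being rewritten.
           "$IPTABLES" -t nat -L OUTPUT -v -n ;;
    *)     echo "usage: $0 show|apply  (CONFIG_IP_NF_NAT_LOCAL: $(nat_local_status))" ;;
esac
```

`sh nat-local.sh show` prints the rules without touching the kernel; `apply` (as root) installs them and lists the nat OUTPUT chain with counters, so a local `telnet` to the WAN address can be confirmed as rewritten rather than answered with the RST the original poster saw on lo.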

