Problem with DNAT from localhost to LAN via loopback

Problem with DNAT from localhost to LAN via loopback

[Charles Delorme]

Hello list...

I've read a lot in the archive about DNAT/loopback and redirect, but I still
haven't found what I'm looking for (ok, I had some U2 in my mind at that time.
Don't you now ? :-)

My configuration can be simplified as this (configuration is far more
complicated, but I assume you only need revelant informations) :
- a linux routeur/firewall/sshd/squid/etc with two interfaces (LAN -RFC1918 -
and WAN static official IP)
- a LAN machine hosting a P2P service (PixVillage photo sharing - nothing
illegal)
- the P2P protocol only knows about the WAN IP of the linux box.

I've configured PREROUTING entries and associated POSTROUTING which works
perfectly from internet or another machine on the LAN. A simple extract :

$IPTABLES -t nat -A PREROUTING -d $FW_INTERNET -p tcp --dport 3739 -j DNAT
--to-destination 192.168.38.9:3739
$IPTABLES -t nat -A POSTROUTING -s $LAN -d $LAN -p tcp --dport 3739 -j SNAT
--to-source $FW_INTERNET

My problem is from the linux box when trying "telnet [official WAN IP] 3739"
which replies "connection refused". "tcpdump -nt -i lo" shows a simple SYN then
RST. I've add LOG to chains (INPUT/FORWARD/OUTPUT/PREROUTING/POSTROUTING) and
found this telnet connection does not go via the PREROUTING chain. So it
doesn't find any local 3739 port listening so it is not redirected to the
LAN... When I fire up a netcat listing on the port, I can get the connection -
off course (but as I said before, configuration is more complicated and this
test was mandatory)

I've read in the archive this might be the normal behaviour, PREROUTING chain
being used only for external and not loopback connection. Is that true ?

Is there a solution via iptables to solve this ?

Or should I set up a local proxy listening on loopback to relay from 3739 to the
remote machine as if DNAT didn't exists ? Is so, can someone suggest a generic
tcp proxy I could use (even if this would be the worst solution since I don't
have only one port to relay like that...)

Thanks a lot !

Re: Problem with DNAT from localhost to LAN via loopback

[Jason Opperisano]

On Thu, Apr 14, 2005 at 05:28:39PM +0200, Charles Delorme wrote:
> Hello list...
> 
> I've read a lot in the archive about DNAT/loopback and redirect, but I still
> haven't found what I'm looking for (ok, I had some U2 in my mind at that time.
> Don't you now ? :-)
> 
> My configuration can be simplified as this (configuration is far more
> complicated, but I assume you only need revelant informations) :
> - a linux routeur/firewall/sshd/squid/etc with two interfaces (LAN -RFC1918 -
> and WAN static official IP)
> - a LAN machine hosting a P2P service (PixVillage photo sharing - nothing
> illegal)
> - the P2P protocol only knows about the WAN IP of the linux box.
> 
> I've configured PREROUTING entries and associated POSTROUTING which works
> perfectly from internet or another machine on the LAN. A simple extract :
> 
> $IPTABLES -t nat -A PREROUTING -d $FW_INTERNET -p tcp --dport 3739 -j DNAT
> --to-destination 192.168.38.9:3739
> $IPTABLES -t nat -A POSTROUTING -s $LAN -d $LAN -p tcp --dport 3739 -j SNAT
> --to-source $FW_INTERNET
> 
> My problem is from the linux box when trying "telnet [official WAN IP] 3739"
> which replies "connection refused". "tcpdump -nt -i lo" shows a simple SYN then
> RST. I've add LOG to chains (INPUT/FORWARD/OUTPUT/PREROUTING/POSTROUTING) and
> found this telnet connection does not go via the PREROUTING chain. So it
> doesn't find any local 3739 port listening so it is not redirected to the
> LAN... When I fire up a netcat listing on the port, I can get the connection -
> off course (but as I said before, configuration is more complicated and this
> test was mandatory)
> 
> I've read in the archive this might be the normal behaviour, PREROUTING chain
> being used only for external and not loopback connection. Is that true ?
> 
> Is there a solution via iptables to solve this ?

your kernel needs to be compiled with:

  CONFIG_IP_NF_NAT_LOCAL

in order to DNAT locally-generated packets.

IIRC you then put the DNAT rule in the nat table OUTPUT chain to modify
the destination of local packets.

-j

--
"Quagmire: Hey there little lady. Why don't you turn around and show
 me your Lower East Side.
 Woman (in deep voice): Sure.
 Quagmire: Whoa. Transvestite, back off. Wait a minute... pre-op
 or post-op?
 Woman: Pre-op.
 Quagmire: Whoa. Transvestite, back off."
        --Family Guy

Re: Problem with DNAT from localhost to LAN via loopback

[Charles Delorme]

>----- Original Message ----- 
>From: "Jason Opperisano" <opie@817west.com>
>Sent: Thursday, April 14, 2005 7:18 PM
> On Thu, Apr 14, 2005 at 05:28:39PM +0200, Charles Delorme wrote:
> > Hello list...
> > [..]
> your kernel needs to be compiled with:
>
>   CONFIG_IP_NF_NAT_LOCAL
>
> in order to DNAT locally-generated packets.
>

Thank you for that tip. Are there any side effects for this compilation
directive ?

> IIRC you then put the DNAT rule in the nat table OUTPUT chain to modify
> the destination of local packets.

I'm not sure to understand what kind of rule I need to add in the OUTPUT
chain. Should I copy the kind of rule I have in the PREROUTING table ?

Thanks.

Re: Problem with DNAT from localhost to LAN via loopback

[Jason Opperisano]

On Thu, Apr 14, 2005 at 10:01:14PM +0200, Charles Delorme wrote:
> Thank you for that tip. Are there any side effects for this compilation
> directive ?

not that i'm aware of.  i suppose if you want to split hairs, you're
forcing locally-generated packets to traverse an additional netfilter
hook.  dunno that i would be concerned about that though.

> I'm not sure to understand what kind of rule I need to add in the OUTPUT
> chain. Should I copy the kind of rule I have in the PREROUTING table ?

probably.  something like:

  iptables -t nat -A OUTPUT -p tcp -d $EXT_IP --dport 3739 \
    -j DNAT --to-destination 192.168.38.9:3739

the result being that when the firewall tries to connect to its own
external IP on TCP port 3739, the connection gets DNAT-ed to the 38.9
machine--which i *think* is what you were after.

-j

--
"Stewie: Careful! You're washing a baby's scalp, not scrubbing the vomit
 out of a Christmas dress, you stupid holiday drunk."
        --Family Guy

Re: Problem with DNAT from localhost to LAN via loopback

[Charles Delorme]

----- Original Message ----- 
From: "Jason Opperisano" <opie@817west.com>
Sent: Thursday, April 14, 2005 10:19 PM
> the result being that when the firewall tries to connect to its own
> external IP on TCP port 3739, the connection gets DNAT-ed to the 38.9
> machine--which i *think* is what you were after.
> 
It is... Let's re-compile... I'll keep you informed.

Re: Problem with DNAT from localhost to LAN via loopback

[Taylor, Grant]

> My problem is from the linux box when trying "telnet [official WAN IP] 3739"
> which replies "connection refused". "tcpdump -nt -i lo" shows a simple SYN then
> RST. I've add LOG to chains (INPUT/FORWARD/OUTPUT/PREROUTING/POSTROUTING) and
> found this telnet connection does not go via the PREROUTING chain. So it
> doesn't find any local 3739 port listening so it is not redirected to the
> LAN... When I fire up a netcat listing on the port, I can get the connection -
> off course (but as I said before, configuration is more complicated and this
> test was mandatory)

Is this problem localized to just the Linux box it's self or does it extend to your inter LAN connected systems as well?

I was going to ask if you could DNAT internal traffic that was outbound to your WAN IP but after rereading your IPTables rules you are not specifying an interface to apply your rules to so they apply to all and thus you are doing exactly that.  The next question that comes to mind is are you by chance firewalling traffic that would come in the LAN interface and then turn around and go right back out the same LAN interface?  I.e. people set a default policy of DROP and explicitly allow $LAN to $INet and $INet to $LAN but not necessarily $LAN to $LAN.



Grant. . . .