From: Stefan Mayr <stefan@mayr-stefan.de>
To: netfilter@lists.netfilter.org
Subject: Re: Using DNAT and SNAT to do a local redirection does not work (want to do what rinetd does with iptables)
Date: Sat, 09 Jun 2007 21:25:51 +0200
Message-ID: <466AFEBF.6000609@mayr-stefan.de>
In-Reply-To: <4668A01A.9060304@riverviewtech.net>
Grant Taylor wrote:
> On 6/7/2007 3:30 PM, Stefan Mayr wrote:
>
> If you are using the loop back interface, this will not work.
An answer I often read but nobody says what's wrong with loopback. I
thought it depended on the rules of the scenarios (obviously too much
thinking involved here).
>
> You are using the loop back interface. Loop back is a very special
> network interface. If I recall correctly, it will only allow itself
> to talk to it. Thus you can not NAT traffic into the loop back
> interface. The kernel will block this. I think this is why you are
> seeing the RST packets.
I really have to thank you for this enlightenment.
> Try using a dummy network interface, or an ethernet interface that is
> not connected to anything.
I used dummy0 and now my iptables ruleset works.
> You could also probably bind the address to the main ethernet interface
> and use ARPTables to prevent each node from responding to ARP requests by
> preventing it from ever seeing the ARP request. The ARP issue (as I'm
> sure you are aware) is why you usually use other interfaces.
That is why I used the loopback device and my /etc/sysctl.conf contains
the following lines:
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
So ARP requests/announcements are always answered/sent from the right interface.
Now the lesson is learned, the setup is up and running.
Thanks,
Stefan
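The working setup this reply arrives at, written out as an added example that is not part of the thread and not the poster's own ruleset: dummy0 carries the redirect address (loopback cannot be NATed into), the two ARP sysctls quoted above are applied, and a DNAT/SNAT pair forwards one local TCP port to a remote server the way rinetd would. All addresses and ports are assumed placeholders; the interface name dummy0 is the one named in the reply.

```shell
#!/bin/sh
# rinetd-style TCP forwarder with iptables, on a dummy interface instead of lo.
# Addresses and ports below are assumed examples, not values from the thread.
LISTEN_IP="${LISTEN_IP:-192.0.2.10}"      # address on dummy0 that clients connect to
LISTEN_PORT="${LISTEN_PORT:-8080}"
TARGET_IP="${TARGET_IP:-198.51.100.20}"   # the real server the traffic is forwarded to
TARGET_PORT="${TARGET_PORT:-80}"
EGRESS_IP="${EGRESS_IP:-192.0.2.1}"       # address on the outbound interface of this host

# Print each command, and execute it unless DRY_RUN=1, so the rule set can be
# reviewed before it is applied as root.
run() {
    printf '%s\n' "$*"
    [ "${DRY_RUN:-0}" = "1" ] || "$@"
}

forwarder_rules() {
    # The redirect address lives on dummy0: traffic bound for lo cannot be DNATed.
    run ip link add dummy0 type dummy
    run ip addr add "$LISTEN_IP/32" dev dummy0
    run ip link set dummy0 up
    # Sysctls quoted in the reply. Note that with arp_ignore=1 this host will not
    # answer ARP for LISTEN_IP on the LAN interface, so LISTEN_IP has to be reached
    # by routing (or from this host itself), not by ARP on the local segment.
    run sysctl -w net.ipv4.conf.all.arp_ignore=1
    run sysctl -w net.ipv4.conf.all.arp_announce=2
    run sysctl -w net.ipv4.ip_forward=1
    # DNAT both for packets arriving from the network (PREROUTING) and for
    # connections originated on this host (OUTPUT, which re-routes after NAT).
    for chain in PREROUTING OUTPUT; do
        run iptables -t nat -A "$chain" -p tcp -d "$LISTEN_IP" --dport "$LISTEN_PORT" \
            -j DNAT --to-destination "$TARGET_IP:$TARGET_PORT"
    done
    # SNAT so the server's replies return through this host instead of going
    # straight back to the client, which would otherwise reset the connection.
    run iptables -t nat -A POSTROUTING -p tcp -d "$TARGET_IP" --dport "$TARGET_PORT" \
        -j SNAT --to-source "$EGRESS_IP"
    # Accept only the redirected flow and its replies in FORWARD; this assumes a
    # default-deny FORWARD policy is set elsewhere.
    run iptables -A FORWARD -p tcp -d "$TARGET_IP" --dport "$TARGET_PORT" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: DRY_RUN=1 sh forwarder.sh apply   (review)   /   sh forwarder.sh apply   (as root)
if [ "${1:-}" = "apply" ]; then
    forwarder_rules
fi
```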
Thread overview:
2007-06-07 20:30 Using DNAT and SNAT to do a local redirection does not work (want to do what rinetd does with iptables) Stefan Mayr
2007-06-08 0:17 ` Grant Taylor
2007-06-09 19:25 ` Stefan Mayr [this message]
2007-06-09 23:43 ` Grant Taylor