* IPv4 NAT and lo, and iptables
@ 2024-04-30 22:22 imnozi
2024-04-30 23:03 ` Sven-Haegar Koch
0 siblings, 1 reply; 3+ messages in thread
From: imnozi @ 2024-04-30 22:22 UTC (permalink / raw)
To: netfilter
I just encountered a linux/netfilter oddity. Simplified, I have FW_A with iface PUB to internet, another to internal LAN_1 and a third to LAN_2. Firewall rules on FW_A are properly set to:
- NAT traffic to/from PUB,
- block LAN_2 traffic from LAN_1
- allow LAN_1 traffic to LAN_2
- forward internet traffic to port 80 to SRVA_2 on LAN_2
On FW_A, in mangle:PREROUTING, XMARKs are set for traffic coming from LAN_1 and LAN_2. Example:
iptables -A portfwb -d 192.0.2.77/32 -i LAN_1 \
-j MARK --set-xmark 0x1/0xffffffff
Internet hosts access port 80 on SRVA_2. Hosts on LAN_1 access port 80 on SRVA_2 via the public IP. Even SRVA_2 can access itself (port 80) via the public IP.
What *doesn't* work is FW_A accessing port 80 on SRVA_2. This traffic does not get NATted and appears on lo with the public address(es). And since nothing on FW_A listens to port 80, the connection is rejected. I *expected* locally-generated traffic to be NATted just like remote traffic.
Questions:
- Is lo ignored in PREROUTING?
- Is it possible to DNAT local traffic on FW_A (changing) the public IP to
the private IP on LAN_2?
- Would I specify '-i lo' in mangle:PREROUTING and nat:PREROUTING (as I do
for the real NICs)?
The uber questions are:
- Should I be able to DNAT and SNAT traffic on lo just as I can on other
LANs, or do I need to take extra steps?
- Is this a known oddity? or was it known back around Linux 3.16 and
iptables 1.6? (Don't ask; sometimes we're stuck in a place we don't
want to be.)
Thanks,
Neal
* Re: IPv4 NAT and lo, and iptables
2024-04-30 22:22 IPv4 NAT and lo, and iptables imnozi
@ 2024-04-30 23:03 ` Sven-Haegar Koch
2024-05-01 0:46 ` imnozi
0 siblings, 1 reply; 3+ messages in thread
From: Sven-Haegar Koch @ 2024-04-30 23:03 UTC (permalink / raw)
To: imnozi; +Cc: netfilter
On Tue, 30 Apr 2024, imnozi@gmail.com wrote:
> Questions:
> - Is lo ignored in PREROUTING?
> - Is it possible to DNAT local traffic on FW_A (changing) the public IP to
> the private IP on LAN_2?
> - Would I specify '-i lo' in mangle:PREROUTING and nat:PREROUTING (as I do
> for the real NICs)?
>
> The uber questions are:
> - Should I be able to DNAT and SNAT traffic on lo just as I can on other
> LANs, or do I need to take extra steps?
Locally generated traffic does not pass nat PREROUTING chain - you need
to add matching DNAT rules to the nat OUTPUT chain if you want dnat
rewriting applied to it.
And similar traffic targeting the local system (after DNAT) does not
pass POSTROUTING, if you want such traffic SNAT'ed you need to use the
nat INPUT chain.
> - Is this a known oddity? or was it known back around Linux 3.16 and
> iptables 1.6? (Don't ask; sometimes we're stuck in a place we don't
> want to be.)
c'ya
sven-haegar
--
Three may keep a secret, if two of them are dead.
- Ben F.
* Re: IPv4 NAT and lo, and iptables
2024-04-30 23:03 ` Sven-Haegar Koch
@ 2024-05-01 0:46 ` imnozi
0 siblings, 0 replies; 3+ messages in thread
From: imnozi @ 2024-05-01 0:46 UTC (permalink / raw)
To: Sven-Haegar Koch, netfilter
Thank you! It *is* an oddity; but it's the nature of the beast. Added two rules and it works.
Cheers 'n' beers!
Neal
On Wed, 1 May 2024 01:03:28 +0200 (CEST)
Sven-Haegar Koch <haegar@sdinet.de> wrote:
> On Tue, 30 Apr 2024, imnozi@gmail.com wrote:
>
> > Questions:
> > - Is lo ignored in PREROUTING?
> > - Is it possible to DNAT local traffic on FW_A (changing) the public IP to
> > the private IP on LAN_2?
> > - Would I specify '-i lo' in mangle:PREROUTING and nat:PREROUTING (as I do
> > for the real NICs)?
> >
> > The uber questions are:
> > - Should I be able to DNAT and SNAT traffic on lo just as I can on other
> > LANs, or do I need to take extra steps?
>
> Locally generated traffic does not pass nat PREROUTING chain - you need
> to add matching DNAT rules to the nat OUTPUT chain if you want dnat
> rewriting applied to it.
>
> And similar traffic targeting the local system (after DNAT) does not
> pass POSTROUTING, if you want such traffic SNAT'ed you need to use the
> nat INPUT chain.
>
> > - Is this a known oddity? or was it known back around Linux 3.16 and
> > iptables 1.6? (Don't ask; sometimes we're stuck in a place we don't
> > want to be.)
>
> c'ya
> sven-haegar
>
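The rule set below is an added example, not code from the thread or from Neal's firewall: it writes out the nat-table rules for the FW_A / SRVA_2 scenario in Neal's post, including the two chains Sven-Haegar points at (nat OUTPUT for locally generated traffic, nat INPUT for DNAT'ed traffic that ends on FW_A itself), next to the ordinary PREROUTING rule that already works for remote and hairpin clients. The interface names PUB and LAN_2 are the post's; 192.0.2.77 is taken to be the public address from Neal's mangle rule (an assumption), and the LAN_2 addresses and the add_rule/apply_all helpers are constructed here.

```sh
#!/bin/sh
# Added example (not from the thread): nat rules for FW_A so that a connection
# FW_A itself opens to its public address reaches SRVA_2 on LAN_2.
PUB_IP="192.0.2.77"        # assumed: FW_A's public address (from Neal's mangle rule)
SRVA_2="10.2.0.80"         # constructed: the port-80 server on LAN_2
FW_A_LAN_2="10.2.0.1"      # constructed: FW_A's own address on LAN_2
PORT=80

# add_rule TABLE CHAIN RULE...: with DRY_RUN=1 the iptables command is printed
# instead of executed, so the rule set can be reviewed (and tested) without
# root or a netfilter stack. In real mode `iptables -C` is used first, which
# exits non-zero when the rule is absent, so re-running the script is idempotent.
add_rule() {
  table=$1; shift
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "iptables -t $table -A $*"
  elif ! iptables -t "$table" -C "$@" 2>/dev/null; then
    iptables -t "$table" -A "$@"
  fi
}

# Forwarded traffic: packets arriving on a real NIC (internet hosts on PUB,
# hairpin clients on LAN_1/LAN_2) traverse nat PREROUTING. This is the rule
# Neal already has, and it is why those clients work.
forwarded_dnat_rule() {
  add_rule nat PREROUTING -p tcp -d "$PUB_IP" --dport "$PORT" \
      -j DNAT --to-destination "$SRVA_2:$PORT"
}

# Locally generated traffic: a connection FW_A opens to its own public address
# is routed via lo and never enters PREROUTING, so no rule there (with or
# without -i lo) will see it. The nat OUTPUT hook is where the DNAT has to go;
# the kernel re-routes the packet after the rewrite, so it leaves via LAN_2 and
# then passes nat POSTROUTING like any other forwarded packet.
local_dnat_rule() {
  add_rule nat OUTPUT -p tcp -d "$PUB_IP" --dport "$PORT" \
      -j DNAT --to-destination "$SRVA_2:$PORT"
}

# Traffic whose final destination is FW_A itself (e.g. a DNAT that lands on a
# local socket) never reaches nat POSTROUTING; if its source must be rewritten,
# the nat INPUT chain is the place. Shown in the shape Sven-Haegar describes;
# which source address to use is deployment-specific (assumed here).
local_snat_rule() {
  add_rule nat INPUT -p tcp --dport "$PORT" -j SNAT --to-source "$FW_A_LAN_2"
}

apply_all() {
  forwarded_dnat_rule
  local_dnat_rule
  local_snat_rule
}

case "${1:-}" in
  show)  DRY_RUN=1 apply_all ;;   # print the rules without touching the kernel
  apply) apply_all ;;             # needs root and the iptables binary
esac
```

Run it as `sh fw_a_nat.sh show` to print the three rules, or `sh fw_a_nat.sh apply` on FW_A. The OUTPUT rule assumes SRVA_2 routes replies back through FW_A (its default gateway); if it does not, the DNAT'ed packet would also need an SNAT in nat POSTROUTING so the reply returns to FW_A. The `-C` check is available in iptables 1.4.11 and later, so it covers the 1.6 release Neal mentions.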