From: André Hänsel on 3 Jul 2008 15:38

Hi,

on a router I use

# iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j DNAT --to-destination 10.0.0.1

to direct web traffic to an internal machine.

But when the router itself accesses 85.86.87.88:80 I get "connection refused". Shouldn't the "local" packet be NATed just like any other packet coming from outside?

Regards,
André
From: Pascal Hambourg on 3 Jul 2008 18:15

Hello,

André Hänsel wrote:
> on a router I use
>
> # iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j DNAT --to-destination 10.0.0.1
>
> to direct web traffic to an internal machine.
>
> But when the router itself accesses 85.86.87.88:80 I get "connection refused".
> Shouldn't the "local" packet be NATed just like any other packet coming from outside?

No, locally generated packets don't go through the nat/PREROUTING chain. Use the OUTPUT chain to DNAT locally initiated connections.
From: André Hänsel on 3 Jul 2008 22:23

On Jul 4, 12:15 am, Pascal Hambourg <boite-a-s...(a)plouf.fr.eu.org> wrote:
> Hello,
>
> André Hänsel wrote:
> > on a router I use
> >
> > # iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j DNAT --to-destination 10.0.0.1
> >
> > to direct web traffic to an internal machine.
> >
> > But when the router itself accesses 85.86.87.88:80 I get "connection refused".
> > Shouldn't the "local" packet be NATed just like any other packet coming from outside?
>
> No, locally generated packets don't go through the nat/PREROUTING chain.
> Use the OUTPUT chain to DNAT locally initiated connections.

Thanks so far. Could you give an overview of which chains are traversed by local packets?
From: Pascal Hambourg on 4 Jul 2008 05:56

André Hänsel wrote:
> Could you give an overview of which chains are traversed by local packets?

- Locally generated packet routed through a non-loopback interface:

    [sending local process]
              |
              V
    mangle,nat(1),filter INPUT chains
              |
              V
    mangle,nat(1) POSTROUTING chains
              |
              V
    [output interface]

- Locally generated packet routed through the loopback interface:

    [sending local process]
              |
              V
    mangle,nat(1),filter INPUT chains
              |
              V
    mangle,nat(1) POSTROUTING chains
              |
              V
    [loopback interface]
              |
              V
    mangle PREROUTING chain
              |
              V
    mangle,filter INPUT chains
              |
              V
    [receiving local process]

(1) Only packets creating a new connection go through the nat chains. The trick is that a packet is not considered to be creating a new connection any more after leaving the POSTROUTING chains, so when it loops back, it does not go through the nat/PREROUTING chain.
From: Pascal Hambourg on 4 Jul 2008 06:01

[Supersedes previous message]

André Hänsel wrote:
> Could you give an overview of which chains are traversed by local packets?

- Locally generated packet routed through a non-loopback interface:

    [sending local process]
              |
              V
    raw,mangle,nat(1),filter OUTPUT chains
              |
              V
    mangle,nat(1) POSTROUTING chains
              |
              V
    [output interface]

- Locally generated packet routed through the loopback interface:

    [sending local process]
              |
              V
    raw,mangle,nat(1),filter INPUT chains
              |
              V
    mangle,nat(1) POSTROUTING chains
              |
              V
    [loopback interface]
              |
              V
    raw,mangle PREROUTING chain
              |
              V
    mangle,filter INPUT chains
              |
              V
    [receiving local process]

(1) Only packets creating a new connection go through the nat chains. The trick is that a packet is not considered to be creating a new connection any more after leaving the POSTROUTING chains, so when it loops back, it does not go through the nat/PREROUTING chain.
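An added example (not code posted in this thread) that puts the two answers above into practice: the original port forward only has a nat/PREROUTING rule, which forwarded traffic hits but locally generated traffic never does, so the same DNAT must also be placed in nat/OUTPUT. The addresses and port are the ones from the thread; the function names and the second port are assumptions made for the example. The script only prints rules, so it can be reviewed before being fed to a root shell.

```shell
#!/bin/sh
# Added example, not from the thread. Renders the nat rules needed so that a
# port forward works for traffic arriving from outside (nat/PREROUTING) and
# for connections the router itself initiates (nat/OUTPUT).
# Function names are assumptions for this example; nothing is applied here.

# dnat_rules PUBLIC_IP INTERNAL_IP PROTO PORT...
# Prints one PREROUTING and one OUTPUT DNAT rule per port.
dnat_rules() {
    pub="$1"; inside="$2"; proto="$3"; shift 3
    for port in "$@"; do
        # Packets that arrive on an interface traverse nat/PREROUTING.
        printf 'iptables -t nat -A PREROUTING -p %s -d %s --dport %s -j DNAT --to-destination %s\n' \
            "$proto" "$pub" "$port" "$inside"
        # Packets the router generates itself skip PREROUTING entirely and
        # traverse nat/OUTPUT instead; as with every nat chain, only the first
        # packet of a new connection is seen there.
        printf 'iptables -t nat -A OUTPUT -p %s -d %s --dport %s -j DNAT --to-destination %s\n' \
            "$proto" "$pub" "$port" "$inside"
    done
}

# count_rules CHAIN RULES
# Number of rules in the RULES text that append to CHAIN; used to check that
# no chain was left without its DNAT before the rules are applied.
count_rules() {
    printf '%s\n' "$2" | grep -c -- "-A $1 "
}

# Typical use on the router, as root, after reading the output:
#   dnat_rules 85.86.87.88 10.0.0.1 tcp 80 | sh
# Afterwards, a connection from the router to 85.86.87.88:80 should bump the
# packet counter of the OUTPUT rule in:  iptables -t nat -nvL OUTPUT
```

The OUTPUT rule, like the PREROUTING one, is consulted only for the first packet of a connection; conntrack then applies the same translation to the rest of the flow, which is why the check above looks at the rule counters rather than expecting every packet to match.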