Networking Forums

Loopback DNAT

André Hänsel, 07-03-2008, 07:38 PM

Hi,

on a router I use

# iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j DNAT --to-destination 10.0.0.1

to direct web traffic to an internal machine.

But when the router itself accesses 85.86.87.88:80 I get "connection
refused".
Shouldn't the "local" packet be NATed just like any other packet
coming from outside?

Regards,
André

Pascal Hambourg, 07-03-2008, 10:15 PM

Hello,

André Hänsel wrote:
>
> on a router I use
>
> # iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j DNAT --to-destination 10.0.0.1
>
> to direct web traffic to an internal machine.
>
> But when the router itself accesses 85.86.87.88:80 I get "connection
> refused".
> Shouldn't the "local" packet be NATed just like any other packet
> coming from outside?


No, locally generated packets don't go through the nat/PREROUTING chain.
Use the OUTPUT chain to DNAT locally initiated connections.

André Hänsel, 07-04-2008, 02:23 AM

On Jul 4, 12:15 am, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org>
wrote:
> Hello,
>
> André Hänsel wrote:
>
> > on a router I use
> >
> > # iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j DNAT --to-destination 10.0.0.1
> >
> > to direct web traffic to an internal machine.
> >
> > But when the router itself accesses 85.86.87.88:80 I get "connection
> > refused".
> > Shouldn't the "local" packet be NATed just like any other packet
> > coming from outside?
>
> No, locally generated packets don't go through the nat/PREROUTING chain.
> Use the OUTPUT chain to DNAT locally initiated connections.


Thanks so far.

Could you give an overview which chains are traversed by local packets?

Pascal Hambourg, 07-04-2008, 09:56 AM

André Hänsel wrote:
>
> Could you give an overview which chains are traversed by local packets?


- Locally generated packet routed through a non loopback interface :

[sending local process]
|
V
mangle,nat(1),filter INPUT chains
|
V
mangle,nat(1) POSTROUTING chains
|
V
[output interface]

- Locally generated packet routed through the loopback interface :

[sending local process]
|
V
mangle,nat(1),filter INPUT chains
|
V
mangle,nat(1) POSTROUTING chains
|
V
[loopback interface]
|
V
mangle PREROUTING chain
|
V
mangle,filter INPUT chains
|
V
[receiving local process]

(1) Only packets creating a new connection go through the nat chains.
The trick is that a packet is not considered creating a new connection
any more after leaving the POSTROUTING chains, so when it loops back, it
does not go through the nat/PREROUTING chain.

Pascal Hambourg, 07-04-2008, 10:01 AM

[Supersedes previous message]

André Hänsel wrote:
>
> Could you give an overview which chains are traversed by local packets?


- Locally generated packet routed through a non loopback interface :

[sending local process]
|
V
raw,mangle,nat(1),filter OUTPUT chains
|
V
mangle,nat(1) POSTROUTING chains
|
V
[output interface]

- Locally generated packet routed through the loopback interface :

[sending local process]
|
V
raw,mangle,nat(1),filter INPUT chains
|
V
mangle,nat(1) POSTROUTING chains
|
V
[loopback interface]
|
V
raw,mangle PREROUTING chains
|
V
mangle,filter INPUT chains
|
V
[receiving local process]

(1) Only packets creating a new connection go through the nat chains.
The trick is that a packet is not considered creating a new connection
any more after leaving the POSTROUTING chains, so when it loops back, it
does not go through the nat/PREROUTING chain.

Pascal Hambourg, 07-04-2008, 10:03 AM

[Supersedes previous message again, forgot to correct another mistake]

André Hänsel wrote:
>
> Could you give an overview which chains are traversed by local packets?


- Locally generated packet routed through a non loopback interface :

[sending local process]
|
V
raw,mangle,nat(1),filter OUTPUT chains
|
V
mangle,nat(1) POSTROUTING chains
|
V
[output interface]

- Locally generated packet routed through the loopback interface :

[sending local process]
|
V
raw,mangle,nat(1),filter OUTPUT chains
|
V
mangle,nat(1) POSTROUTING chains
|
V
[loopback interface]
|
V
raw,mangle PREROUTING chains
|
V
mangle,filter INPUT chains
|
V
[receiving local process]

(1) Only packets creating a new connection go through the nat chains.
The trick is that a packet is not considered creating a new connection
any more after leaving the POSTROUTING chains, so when it loops back, it
does not go through the nat/PREROUTING chain.
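Pascal's two answers, the DNAT in nat/OUTPUT for the router's own connections and the chain traversal order above, put together as an added example (it is not code from the thread or from either poster). The script installs the PREROUTING rule from the original post next to the OUTPUT rule that the router's locally generated packets actually traverse. The interface names eth0 (WAN) and eth1 (LAN), the router LAN address 10.0.0.254, the conntrack match module and the FORWARD accept rule are my assumptions, not facts from the thread. Without the OUTPUT rule the router's packet to 85.86.87.88:80 is routed over loopback into local INPUT, where nothing listens on port 80, so the kernel answers with a RST and the client reports "connection refused".

```shell
#!/bin/sh
# Added example, not code from the thread. Repeats the DNAT of
# 85.86.87.88:80 -> 10.0.0.1 in nat/OUTPUT so that connections the router
# itself opens are translated too (they never pass nat/PREROUTING).
# Assumed, not from the thread: WAN interface eth0, LAN interface eth1,
# router LAN address 10.0.0.254, and the conntrack match module.
set -eu

PUBLIC_IP=${PUBLIC_IP:-85.86.87.88}
INTERNAL_IP=${INTERNAL_IP:-10.0.0.1}
PORT=${PORT:-80}
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
ROUTER_LAN_IP=${ROUTER_LAN_IP:-10.0.0.254}
DRY_RUN=${DRY_RUN:-0}

# With DRY_RUN=1 each rule is printed instead of loaded, so the rule set can
# be reviewed on a machine without root or iptables.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Traffic from outside arrives on the WAN interface and traverses
# nat/PREROUTING. This is the rule from the original post, restricted to the
# WAN interface so it does not catch LAN-side packets by accident.
dnat_forwarded() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$PUBLIC_IP" --dport "$PORT" \
        -j DNAT --to-destination "$INTERNAL_IP"
}

# Traffic the router generates itself is only seen by nat/OUTPUT. After the
# DNAT changes the destination the kernel re-routes the packet, so it leaves
# via the LAN interface instead of looping back into local INPUT.
dnat_local() {
    ipt -t nat -A OUTPUT -p tcp -d "$PUBLIC_IP" --dport "$PORT" \
        -j DNAT --to-destination "$INTERNAL_IP"
}

# The re-routed packet still carries the public address as its source (chosen
# when the destination was local). Rewriting it to the router's LAN address
# makes 10.0.0.1 reply to a directly connected host whatever its own routing
# table says. The ctstate DNAT match limits this to flows that were DNATed.
snat_local() {
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$PUBLIC_IP" -d "$INTERNAL_IP" \
        -p tcp --dport "$PORT" -m conntrack --ctstate DNAT \
        -j SNAT --to-source "$ROUTER_LAN_IP"
}

# Only needed if the filter FORWARD chain has a DROP policy: forwarded packets
# reach FORWARD already rewritten to the internal address, so match on that.
allow_forwarded() {
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$INTERNAL_IP" --dport "$PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

apply_rules() {
    dnat_forwarded
    dnat_local
    snat_local
    allow_forwarded
}

# Per-rule packet counters: after "curl http://85.86.87.88/" from the router
# the OUTPUT rule's counter should increase and the PREROUTING one should not.
show_state() {
    iptables -t nat -L -n -v --line-numbers
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  show_state ;;
    *)     : ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Review the generated rules first with `DRY_RUN=1 sh dnat.sh apply`, then load them as root with `sh dnat.sh apply` and watch the counters with `sh dnat.sh show` while connecting to the public address from the router itself. The POSTROUTING SNAT is optional: if 10.0.0.1's default route already points at this router the reply to 85.86.87.88 comes back without it, but the SNAT removes that dependency.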