Routing external address to loopback

 
 
Björn Keil

 
      05-08-2008, 10:48 AM
Hello,

I am having a slight problem with a service that needs to reserve IP
addresses the host doesn't have at the time the service starts (It is
supposed to operate in backup mode).

I've been trying to actually use loopback addresses for the service and
then route the external address to the loopback address, but this
doesn't seem to work properly.

#!/bin/bash
iptables -t nat -A POSTROUTING --source 127.0.1.3 \
-j SNAT --to-source 10.120.1.3
iptables -t nat -A PREROUTING --destination 10.120.1.3 \
-j DNAT --to-destination 127.0.1.3
echo 1 > /proc/sys/net/ipv4/ip_forward
#End sample

If I do that I cannot even ping the external address (10.123.1.3) from
any other host; only from the host in question itself.
The FORWARD chain of the filter table is empty with an ACCEPT policy.

Did I forget something? Or is it generally impossible to route something
to loopback?

Thanks for help,
Björn
 
 
 
 
 
Pascal Hambourg

 
      05-14-2008, 02:46 PM
Hello,

Björn Keil wrote:
>
> iptables -t nat -A POSTROUTING --source 127.0.1.3 \
> -j SNAT --to-source 10.120.1.3
> iptables -t nat -A PREROUTING --destination 10.120.1.3 \
> -j DNAT --to-destination 127.0.1.3


This does not work.

> echo 1 > /proc/sys/net/ipv4/ip_forward


This is useless for your purpose. Your box is not forwarding. NAT is not
forwarding.

> If I do that I cannot even ping the external address (10.123.1.3) from
> any other host; only from the host in question itself.


Correct.

> The FORWARD chain of the filter table is empty with an ACCEPT policy.


Irrelevant.

> Did I forget something? Or is it generally impossible to route something
> to loopback?


This is a known problem. It is impossible to NAT external communications
when loopback addresses are involved, because such addresses are
prohibited outside a host and the routing code doesn't know that the
packet was DNATed or will be SNATed.

A workaround is to use a non-loopback address for your service.
 
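The rule pattern described above as unworkable can be checked for mechanically. An added example, not part of any post in this thread: a shell function that reads `iptables-save`-style rule lines and flags SNAT/DNAT rules involving 127.0.0.0/8. The first two sample rules are the ones posted in the thread; the other two are constructed and assume 192.0.2.3 as a hypothetical non-loopback service address.

```shell
#!/bin/sh
# Added example: flag NAT rules that translate to or from 127.0.0.0/8.
# Input: rule lines in the form printed by `iptables-save` or `iptables -S`.

lint_loopback_nat() {
    awk '
    # True when the address starts with a 127.x.x.x dotted quad.
    function is_loopback(addr) {
        return addr ~ /^127\.[0-9]+\.[0-9]+\.[0-9]+/
    }
    {
        target = ""; reason = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-j")
                target = $(i + 1)
            if (($i == "-s" || $i == "--source") && is_loopback($(i + 1)))
                reason = "matches loopback source " $(i + 1)
            if (($i == "--to-destination" || $i == "--to-source") &&
                is_loopback($(i + 1)))
                reason = "rewrites to loopback " $(i + 1)
        }
        # Only SNAT/DNAT rules are of interest; filter rules on lo are fine.
        if ((target == "SNAT" || target == "DNAT") && reason != "")
            print "LOOPBACK-NAT: " reason ": " $0
    }'
}

# Sample input. Rules 1-2 are from the thread; rules 3-4 are constructed
# and use 192.0.2.3 as an assumed non-loopback service address.
sample_rules() {
    cat <<'EOF'
-A POSTROUTING --source 127.0.1.3 -j SNAT --to-source 10.120.1.3
-A PREROUTING --destination 10.120.1.3 -j DNAT --to-destination 127.0.1.3
-A PREROUTING --destination 10.120.1.3 -j DNAT --to-destination 192.0.2.3
-A POSTROUTING --source 192.0.2.3 -j SNAT --to-source 10.120.1.3
EOF
}

sample_rules | lint_loopback_nat
```

On a live host the same function can be fed with `iptables-save -t nat | lint_loopback_nat`, which needs root.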
 
Ashish Shukla आशीष शुक्ल

 
      05-17-2008, 01:02 PM

>>>>> Björn Keil writes:



Björn> Hello,

Björn> I am having a slight problem with a service that needs to reserve IP
Björn> addresses the host doesn't have at the time the service starts (It is
Björn> supposed to operate in backup mode).

Björn> I've been trying to actually use loopback addresses for the service and
Björn> then route the external address to the loopback address, but this
Björn> doesn't seem to work properly.

Björn> #!/bin/bash
Björn> iptables -t nat -A POSTROUTING --source 127.0.1.3 \
Björn> -j SNAT --to-source 10.120.1.3
Björn> iptables -t nat -A PREROUTING --destination 10.120.1.3 \
Björn> -j DNAT --to-destination 127.0.1.3
Björn> echo 1 > /proc/sys/net/ipv4/ip_forward
Björn> #End sample

---- Quoting from iptables(8):
REDIRECT
    This target is only valid in the nat table, in the PREROUTING
    and OUTPUT chains, and user-defined chains which are only called from
    those chains. It redirects the packet to the machine itself by
    changing the destination IP to the primary address of the incoming
    interface (locally-generated packets are mapped to the 127.0.0.1
    address). It takes one option:

    --to-ports port[-port]
        This specifies a destination port or range of ports to
        use: without this, the destination port is never altered.
        This is only valid if the rule also specifies -p tcp or -p
        udp.

    --random
        If option --random is used then port mapping will be
        randomized (kernel >= 2.6.22).
---- End Quote

HTH
--
Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
 
 
 
 