Loopback DNAT - Networking



Thread: Loopback DNAT

  1. Loopback DNAT

    Hi,

    on a router I use

    # iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j DNAT --to-destination 10.0.0.1

    to direct web traffic to an internal machine.

    But when the router itself accesses 85.86.87.88:80 I get "connection
    refused".
    Shouldn't the "local" packet be NATed just like any other packet
    coming from outside?

    Regards,
    André

  2. Re: Loopback DNAT

    Hello,

    André Hänsel wrote:
    >
    > on a router I use
    >
    > # iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j
    > DNAT --to-destination 10.0.0.1
    >
    > to direct web traffic to an internal machine.
    >
    > But when the router itself accesses 85.86.87.88:80 I get "connection
    > refused".
    > Shouldn't the "local" packet be NATed just like any other packet
    > coming from outside?


    No, locally generated packets don't go through the nat/PREROUTING chain.
    Use the OUTPUT chain to DNAT locally initiated connections.
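    The fix described above, as an added example that is not code from the thread: a POSIX shell script that prints (or, with "apply", executes) the complete rule set, so the same DNAT exists in nat/PREROUTING for packets arriving from the network and in nat/OUTPUT for the router's own connections. Addresses and port are the thread's; the interface names eth0 (WAN) and eth1 (LAN), the MASQUERADE rule for the re-routed local packet and the FORWARD rules are assumptions that go beyond what the reply shows. The check function needs root and a loaded rule set; everything else runs without either.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) the
# iptables rules that make a port forward work both for packets arriving
# from the network and for connections the router itself originates.
# Addresses and port are the thread's; the interface names eth0 (WAN) and
# eth1 (LAN) are assumptions.
PUBLIC_IP=85.86.87.88
INTERNAL_IP=10.0.0.1
PORT=80
WAN_IF=eth0
LAN_IF=eth1

# Packets that arrive on the WAN interface traverse nat/PREROUTING.
rule_prerouting() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$PUBLIC_IP" "$PORT" "$INTERNAL_IP" "$PORT"
}

# Locally generated packets never see nat/PREROUTING, so the same DNAT has
# to be repeated in nat/OUTPUT; otherwise the router's own connection lands
# on its local port 80, which is where the "connection refused" comes from.
rule_output() {
    printf 'iptables -t nat -A OUTPUT -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$PUBLIC_IP" "$PORT" "$INTERNAL_IP" "$PORT"
}

# After the OUTPUT DNAT the packet is re-routed out the LAN interface but
# keeps the source address chosen before the hook ran (the public IP).
# Masquerading on the way out makes the LAN host see the router's LAN
# address, so its replies come back even if it has no route for the public IP.
rule_postrouting() {
    printf 'iptables -t nat -A POSTROUTING -o %s -p tcp -d %s --dport %s -j MASQUERADE\n' \
        "$LAN_IF" "$INTERNAL_IP" "$PORT"
}

# The forwarded traffic still has to pass filter/FORWARD: replies of known
# connections in general, new connections only to the DNATed destination.
rule_forward() {
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$INTERNAL_IP" "$PORT"
}

# All rules in order, one per line; safe to inspect without root.
dnat_rules() {
    rule_prerouting
    rule_output
    rule_postrouting
    rule_forward
}

# On a router where the rules are loaded, confirm the local DNAT really sits
# in nat/OUTPUT (needs root). Returns non-zero if the rule is missing.
check_local_dnat() {
    iptables -t nat -S OUTPUT 2>/dev/null |
        grep -q -- "-d $PUBLIC_IP/32 .*--dport $PORT -j DNAT --to-destination $INTERNAL_IP:$PORT"
}

# Default is a dry run that prints the rules; "apply" executes them.
case "${1:-print}" in
    apply) dnat_rules | sh -e ;;
    *)     dnat_rules ;;
esac
```

Run it without arguments to review the rules, `sh script.sh apply` as root to load them, then `check_local_dnat` in a shell that has sourced the script to confirm the OUTPUT rule is present; if the router has no default FORWARD policy of DROP, the two FORWARD rules are redundant but harmless.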

  3. Re: Loopback DNAT

    On Jul 4, 12:15 am, Pascal Hambourg wrote:
    > Hello,
    >
    > André Hänsel wrote:
    > >
    > > on a router I use
    > >
    > > # iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j
    > > DNAT --to-destination 10.0.0.1
    > >
    > > to direct web traffic to an internal machine.
    > >
    > > But when the router itself accesses 85.86.87.88:80 I get "connection
    > > refused".
    > > Shouldn't the "local" packet be NATed just like any other packet
    > > coming from outside?
    >
    > No, locally generated packets don't go through the nat/PREROUTING chain.
    > Use the OUTPUT chain to DNAT locally initiated connections.


    Thanks so far.

    Could you give an overview which chains are traversed by local packets?

  4. Re: Loopback DNAT

    André Hänsel wrote:
    >
    > Could you give an overview which chains are traversed by local packets?


    - Locally generated packet routed through a non loopback interface :

    [sending local process]
    |
    V
    mangle,nat(1),filter INPUT chains
    |
    V
    mangle,nat(1) POSTROUTING chains
    |
    V
    [output interface]

    - Locally generated packet routed through the loopback interface :

    [sending local process]
    |
    V
    mangle,nat(1),filter INPUT chains
    |
    V
    mangle,nat(1) POSTROUTING chains
    |
    V
    [loopback interface]
    |
    V
    mangle PREROUTING chain
    |
    V
    mangle,filter INPUT chains
    |
    V
    [receiving local process]

    (1) Only packets creating a new connection go through the nat chains.
    The trick is that a packet is not considered creating a new connection
    any more after leaving the POSTROUTING chains, so when it loops back, it
    does not go through the nat/PREROUTING chain.

  5. Re: Loopback DNAT

    [Supersedes previous message]

    André Hänsel wrote:
    >
    > Could you give an overview which chains are traversed by local packets?


    - Locally generated packet routed through a non loopback interface :

    [sending local process]
    |
    V
    raw,mangle,nat(1),filter OUTPUT chains
    |
    V
    mangle,nat(1) POSTROUTING chains
    |
    V
    [output interface]

    - Locally generated packet routed through the loopback interface :

    [sending local process]
    |
    V
    raw,mangle,nat(1),filter INPUT chains
    |
    V
    mangle,nat(1) POSTROUTING chains
    |
    V
    [loopback interface]
    |
    V
    raw,mangle PREROUTING chain
    |
    V
    mangle,filter INPUT chains
    |
    V
    [receiving local process]

    (1) Only packets creating a new connection go through the nat chains.
    The trick is that a packet is not considered creating a new connection
    any more after leaving the POSTROUTING chains, so when it loops back, it
    does not go through the nat/PREROUTING chain.

  6. Re: Loopback DNAT

    [Supersedes previous message again, forgot to correct another mistake]

    André Hänsel wrote:
    >
    > Could you give an overview which chains are traversed by local packets?


    - Locally generated packet routed through a non loopback interface :

    [sending local process]
    |
    V
    raw,mangle,nat(1),filter OUTPUT chains
    |
    V
    mangle,nat(1) POSTROUTING chains
    |
    V
    [output interface]

    - Locally generated packet routed through the loopback interface :

    [sending local process]
    |
    V
    raw,mangle,nat(1),filter OUTPUT chains
    |
    V
    mangle,nat(1) POSTROUTING chains
    |
    V
    [loopback interface]
    |
    V
    raw,mangle PREROUTING chain
    |
    V
    mangle,filter INPUT chains
    |
    V
    [receiving local process]

    (1) Only packets creating a new connection go through the nat chains.
    The trick is that a packet is not considered creating a new connection
    any more after leaving the POSTROUTING chains, so when it loops back, it
    does not go through the nat/PREROUTING chain.
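    The traversal diagram above can be checked on a live router rather than taken on trust. The following is an added example, not code from the thread: it prints the commands that trace just the flow in question with the raw table's TRACE target (legacy iptables backend assumed; with iptables-nft the same events are read with `xtables-monitor --trace`), and it reduces the resulting kernel log lines to the ordered list of table:chain pairs the packet visited. The sample log lines are constructed to match the thread's case (the router connecting to its own public address, no OUTPUT DNAT yet) and the diagram; a real trace on a current kernel may show additional tables such as `security`.

```shell
#!/bin/sh
# Added example, not from the thread: see which chains a locally generated
# packet traverses by tracing it with the raw table's TRACE target and
# reading the table:chain names out of the kernel log.  Legacy iptables
# backend assumed; the log lines below are constructed, not captured.
PUBLIC_IP=85.86.87.88
PORT=80

# Commands (root) to turn tracing on for the one flow of interest only;
# tracing every packet floods the kernel log.
trace_setup() {
    cat <<EOF
sysctl -w net.netfilter.nf_log.2=nf_log_ipv4
iptables -t raw -A OUTPUT     -p tcp -d $PUBLIC_IP --dport $PORT -j TRACE
iptables -t raw -A PREROUTING -p tcp -d $PUBLIC_IP --dport $PORT -j TRACE
EOF
}

# Constructed sample of the kernel log for one SYN from a local process to
# 85.86.87.88:80.  Each line reads "TRACE: table:chain:verdict:rulenum ...".
sample_trace() {
    cat <<'EOF'
kernel: TRACE: raw:OUTPUT:policy:2 IN= OUT=lo SRC=85.86.87.88 DST=85.86.87.88 PROTO=TCP SPT=44122 DPT=80 SYN
kernel: TRACE: mangle:OUTPUT:policy:1 IN= OUT=lo SRC=85.86.87.88 DST=85.86.87.88 PROTO=TCP SPT=44122 DPT=80 SYN
kernel: TRACE: nat:OUTPUT:policy:1 IN= OUT=lo SRC=85.86.87.88 DST=85.86.87.88 PROTO=TCP SPT=44122 DPT=80 SYN
kernel: TRACE: filter:OUTPUT:policy:1 IN= OUT=lo SRC=85.86.87.88 DST=85.86.87.88 PROTO=TCP SPT=44122 DPT=80 SYN
kernel: TRACE: mangle:POSTROUTING:policy:1 IN= OUT=lo SRC=85.86.87.88 DST=85.86.87.88 PROTO=TCP SPT=44122 DPT=80 SYN
kernel: TRACE: nat:POSTROUTING:policy:1 IN= OUT=lo SRC=85.86.87.88 DST=85.86.87.88 PROTO=TCP SPT=44122 DPT=80 SYN
kernel: TRACE: raw:PREROUTING:policy:2 IN=lo OUT= SRC=85.86.87.88 DST=85.86.87.88 PROTO=TCP SPT=44122 DPT=80 SYN
kernel: TRACE: mangle:PREROUTING:policy:1 IN=lo OUT= SRC=85.86.87.88 DST=85.86.87.88 PROTO=TCP SPT=44122 DPT=80 SYN
kernel: TRACE: mangle:INPUT:policy:1 IN=lo OUT= SRC=85.86.87.88 DST=85.86.87.88 PROTO=TCP SPT=44122 DPT=80 SYN
kernel: TRACE: filter:INPUT:policy:1 IN=lo OUT= SRC=85.86.87.88 DST=85.86.87.88 PROTO=TCP SPT=44122 DPT=80 SYN
EOF
}

# Reduce trace lines on stdin to "table:chain", one per line, in order.
trace_chains() {
    sed -n 's/.*TRACE: \([^:]*:[^:]*\):.*/\1/p'
}

# Exit 0 if the trace on stdin visited the given table and chain.
chain_seen() {
    trace_chains | grep -qx "$1:$2"
}

# Explain the thread's symptom from a trace: a DNAT rule in nat/PREROUTING
# can only fire if that chain is visited, and for a local packet it is not.
diagnose() {
    chains=$(cat)
    if printf '%s\n' "$chains" | chain_seen nat PREROUTING; then
        echo "nat/PREROUTING visited: PREROUTING DNAT applies"
    elif printf '%s\n' "$chains" | chain_seen nat OUTPUT; then
        echo "nat/PREROUTING skipped, nat/OUTPUT visited: put the DNAT in nat/OUTPUT"
    else
        echo "no nat chain visited: not a new connection (conntrack already has it)"
    fi
}

sample_trace | trace_chains
sample_trace | diagnose
```

On a real router, run the `trace_setup` commands, make the connection, and feed `dmesg` (or `journalctl -k`) through `trace_chains`; remove the TRACE rules afterwards, since they stay in effect until deleted.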
