Loopback DNAT
Hi,

on a router I use

# iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j DNAT --to-destination 10.0.0.1

to direct web traffic to an internal machine.

But when the router itself accesses 85.86.87.88:80 I get "connection refused". Shouldn't the "local" packet be NATed just like any other packet coming from outside?

Regards,
André

Re: Loopback DNAT
Hello,

André Hänsel wrote:
>
> on a router I use
>
> # iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j
> DNAT --to-destination 10.0.0.1
>
> to direct web traffic to an internal machine.
>
> But when the router itself accesses 85.86.87.88:80 I get "connection
> refused".
> Shouldn't the "local" packet be NATed just like any other packet
> coming from outside?

No, locally generated packets don't go through the nat/PREROUTING chain.
Use the OUTPUT chain to DNAT locally initiated connections.

Re: Loopback DNAT
On Jul 4, 12:15 am, Pascal Hambourg <boite-a-s...@plouf.fr.eu.org> wrote:
> Hello,
>
> André Hänsel wrote:
> >
> > on a router I use
> >
> > # iptables -t nat -A PREROUTING -p tcp -d 85.86.87.88 --dport 80 -j
> > DNAT --to-destination 10.0.0.1
> >
> > to direct web traffic to an internal machine.
> >
> > But when the router itself accesses 85.86.87.88:80 I get "connection
> > refused".
> > Shouldn't the "local" packet be NATed just like any other packet
> > coming from outside?
>
> No, locally generated packets don't go through the nat/PREROUTING chain.
> Use the OUTPUT chain to DNAT locally initiated connections.

Thanks so far. Could you give an overview of which chains are traversed by local packets?

Re: Loopback DNAT
[Supersedes previous message again, forgot to correct another mistake]

André Hänsel wrote:
>
> Could you give an overview of which chains are traversed by local packets?

- Locally generated packet routed through a non-loopback interface:

  [sending local process]
            |
            V
  raw,mangle,nat(1),filter OUTPUT chains
            |
            V
  mangle,nat(1) POSTROUTING chains
            |
            V
  [output interface]

- Locally generated packet routed through the loopback interface:

  [sending local process]
            |
            V
  raw,mangle,nat(1),filter OUTPUT chains
            |
            V
  mangle,nat(1) POSTROUTING chains
            |
            V
  [loopback interface]
            |
            V
  raw,mangle PREROUTING chains
            |
            V
  mangle,filter INPUT chains
            |
            V
  [receiving local process]

(1) Only packets creating a new connection go through the nat chains.

The trick is that a packet is not considered creating a new connection any more after leaving the POSTROUTING chains, so when it loops back, it does not go through the nat/PREROUTING chain.
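Putting the two answers above into a rule set, as an added example that is not code posted by André or Pascal: the router's own connection to 85.86.87.88:80 takes the loopback path in the diagram, so nat/PREROUTING never sees it, the packet is delivered to the router itself instead of 10.0.0.1, and with nothing listening there on port 80 the kernel answers with a reset (the "connection refused" of the first post). The fix is the same DNAT repeated in nat/OUTPUT. The script below emits that nat table in iptables-restore syntax and also provides an audit function that reads `iptables-save -t nat` output and lists PREROUTING DNAT rules that have no OUTPUT counterpart. The public address 85.86.87.88 and the server 10.0.0.1 are the thread's; the LAN interface and prefix (eth1, 10.0.0.0/24) are assumptions, and the POSTROUTING MASQUERADE rule for LAN hosts reaching the public address through the router (hairpin NAT) goes beyond the thread's question. The sample iptables-save output is constructed.

```shell
#!/bin/sh
# Added example for the thread above; not code posted by André or Pascal.
# 85.86.87.88 (public address) and 10.0.0.1 (web server) are from the thread;
# LAN_IF and LAN_NET are assumptions about the router.
set -eu

PUBLIC_IP="${PUBLIC_IP:-85.86.87.88}"
WEB_IP="${WEB_IP:-10.0.0.1}"
LAN_IF="${LAN_IF:-eth1}"            # assumed LAN-side interface
LAN_NET="${LAN_NET:-10.0.0.0/24}"   # assumed LAN prefix

# nat table in iptables-restore(8) syntax.
#  - PREROUTING: the rule from the first post; only forwarded traffic gets here.
#  - OUTPUT: the same DNAT for packets the router generates itself, which
#    never traverse nat/PREROUTING.
#  - POSTROUTING: beyond the thread's question. A LAN host connecting to the
#    public address is DNATed to a server on the same LAN, which would reply
#    to the client directly; masquerading the DNATed connection forces the
#    reply back through the router, where the DNAT is undone.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -d $PUBLIC_IP --dport 80 -j DNAT --to-destination $WEB_IP
-A OUTPUT -p tcp -d $PUBLIC_IP --dport 80 -j DNAT --to-destination $WEB_IP
-A POSTROUTING -o $LAN_IF -s $LAN_NET -d $WEB_IP -p tcp --dport 80 -m conntrack --ctstate DNAT -j MASQUERADE
COMMIT
EOF
}

# Audit: read "iptables-save -t nat" output on stdin and print every PREROUTING
# DNAT rule for which no OUTPUT rule has the same -p, -d, --dport and
# --to-destination. Exit status is 1 if any rule is printed, 0 otherwise.
missing_output_dnat() {
    awk '
        function dnat_key(line,    n, f, i, key) {
            n = split(line, f, " ")
            key = ""
            for (i = 1; i < n; i++)
                if (f[i] == "-p" || f[i] == "-d" || f[i] == "--dport" || f[i] == "--to-destination")
                    key = key f[i] "=" f[i + 1] ";"
            return key
        }
        /^-A PREROUTING / && /-j DNAT/ { pre[dnat_key($0)] = $0 }
        /^-A OUTPUT / && /-j DNAT/     { out[dnat_key($0)] = 1 }
        END {
            missing = 0
            for (k in pre)
                if (!(k in out)) { print pre[k]; missing++ }
            exit (missing > 0)
        }
    '
}

# Constructed iptables-save output matching the first post: DNAT in PREROUTING only.
SAMPLE_BEFORE='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 85.86.87.88/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1
COMMIT'

case "${1:-check}" in
    show)  nat_rules ;;
    apply) nat_rules | iptables-restore --noflush ;;        # as root, on the router
    audit) iptables-save -t nat | missing_output_dnat ;;    # as root, on the router
    check)
        # Offline dry run: the sample is flagged, the generated table passes.
        printf '%s\n' "$SAMPLE_BEFORE" | missing_output_dnat \
            || echo "^ PREROUTING DNAT without an OUTPUT counterpart"
        nat_rules | missing_output_dnat && echo "generated nat table: ok"
        ;;
esac
```

Saved as, say, dnat.sh: `sh dnat.sh check` runs offline against the constructed sample, `show` prints the table for review, `apply` loads it with `iptables-restore --noflush` on the router, and `audit` runs the same check against the live nat table. After applying, `iptables -t nat -L OUTPUT -v -n` shows the packet counter of the OUTPUT rule increase when the router connects to its own public address, which confirms that the connection was NATed in OUTPUT rather than PREROUTING.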