Problem with DNAT from localhost to LAN via loopback

Charles Delorme charles.delorme at suricat.net
Thu Apr 14 17:28:39 CEST 2005


Hello list...

I've read a lot in the archive about DNAT/loopback and redirect, but I still
haven't found what I'm looking for (ok, I had some U2 in my mind at that time.
Don't you know? :-)

My configuration can be simplified as this (the configuration is far more
complicated, but I assume you only need the relevant information):
- a Linux router/firewall/sshd/squid/etc. with two interfaces (LAN, RFC1918,
and WAN with a static official IP)
- a LAN machine hosting a P2P service (PixVillage photo sharing, nothing
illegal)
- the P2P protocol only knows about the WAN IP of the Linux box.

I've configured PREROUTING entries and associated POSTROUTING rules which work
perfectly from the internet or from another machine on the LAN. A simple extract:

# Incoming connections to the WAN IP on 3739 are redirected to the LAN host.
$IPTABLES -t nat -A PREROUTING -d $FW_INTERNET -p tcp --dport 3739 \
    -j DNAT --to-destination 192.168.38.9:3739
# Hairpin: LAN clients reaching the WAN IP get their source rewritten so the
# LAN host answers via the firewall instead of directly.
$IPTABLES -t nat -A POSTROUTING -s $LAN -d $LAN -p tcp --dport 3739 \
    -j SNAT --to-source $FW_INTERNET

My problem is from the Linux box itself when trying "telnet [official WAN IP] 3739",
which replies "connection refused". "tcpdump -nt -i lo" shows a simple SYN then
RST. I've added LOG rules to the chains (INPUT/FORWARD/OUTPUT/PREROUTING/POSTROUTING)
and found this telnet connection does not go via the PREROUTING chain. So it
doesn't find any local port 3739 listening and it is not redirected to the
LAN... When I fire up a netcat listening on the port, I can get the connection,
of course (but as I said before, the configuration is more complicated and this
test was mandatory).

I've read in the archive that this might be the normal behaviour, the PREROUTING
chain being used only for external and not loopback connections. Is that true?

Is there a solution via iptables to solve this?

Or should I set up a local proxy listening on loopback to relay from 3739 to the
remote machine as if DNAT didn't exist? If so, can someone suggest a generic
TCP proxy I could use (even if this would be the worst solution since I don't
have only one port to relay like that...)

Thanks a lot!
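Editor's note with an added example (not part of the original post and not netfilter project code). Packets the firewall generates itself never enter nat PREROUTING: netfilter runs them through the nat OUTPUT chain instead, and re-routes them after a DNAT there, so the DNAT rule has to be repeated in nat OUTPUT for the "telnet from the box" case. The script below reuses the poster's variable names ($IPTABLES, $LAN, $FW_INTERNET); the WAN address 203.0.113.5 is a placeholder from TEST-NET-3, and the rules are printed rather than applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: DNAT the firewall's own WAN IP to
# a LAN host for clients on the internet, on the LAN, and on the firewall itself.
# Prints the iptables commands by default; APPLY=1 executes them (needs root).
IPTABLES="${IPTABLES:-iptables}"

# hairpin_rules LAN WAN_IP LAN_HOST PORT -- emits one iptables command per line.
hairpin_rules() {
    lan="$1" wan_ip="$2" lan_host="$3" port="$4"

    # 1. Clients on the internet or on the LAN: their packets arrive on an
    #    interface and traverse nat PREROUTING (the poster's existing rule).
    echo "$IPTABLES -t nat -A PREROUTING -d $wan_ip -p tcp --dport $port -j DNAT --to-destination $lan_host:$port"

    # 2. Clients on the firewall itself: locally generated packets skip
    #    PREROUTING and traverse nat OUTPUT, so the DNAT must be repeated here.
    #    After this DNAT the packet is re-routed out the LAN interface instead
    #    of being delivered to the local stack (where nothing listens -> RST).
    echo "$IPTABLES -t nat -A OUTPUT -d $wan_ip -p tcp --dport $port -j DNAT --to-destination $lan_host:$port"

    # 3. Hairpin SNAT for LAN clients: otherwise the LAN host answers the LAN
    #    client directly, the client sees a reply from an unexpected source
    #    address and resets the connection.
    echo "$IPTABLES -t nat -A POSTROUTING -s $lan -d $lan_host -p tcp --dport $port -j SNAT --to-source $wan_ip"

    # The DNATed flow is forwarded, not delivered locally: allow it in FORWARD.
    echo "$IPTABLES -A FORWARD -d $lan_host -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Poster's variable names; placeholder values for a dry run.
LAN="${LAN:-192.168.38.0/24}"
FW_INTERNET="${FW_INTERNET:-203.0.113.5}"   # placeholder WAN address (TEST-NET-3)

if [ "${APPLY:-0}" = "1" ]; then
    hairpin_rules "$LAN" "$FW_INTERNET" 192.168.38.9 3739 | sh -e
else
    hairpin_rules "$LAN" "$FW_INTERNET" 192.168.38.9 3739
fi
```

Two checks worth doing after loading the rules: `iptables -t nat -L OUTPUT -v -n` should show the packet counter climbing when you telnet to the WAN IP from the box, and `tcpdump -nt -i <lan-if> port 3739` should now show the SYN leaving towards 192.168.38.9 instead of appearing on lo. The locally originated flow keeps the WAN IP as its source address, so the LAN host must route that address back via this firewall (normally true when the firewall is its default gateway); if it is not, add a POSTROUTING SNAT to the firewall's LAN address for that flow as well.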