Problem with DNAT from localhost to LAN via loopback

Taylor, Grant gtaylor at riverviewtech.net
Thu Apr 14 20:06:49 CEST 2005


> My problem is from the linux box when trying "telnet [official WAN IP] 3739"
> which replies "connection refused". "tcpdump -nt -i lo" shows a simple SYN then
> RST. I've added LOG to chains (INPUT/FORWARD/OUTPUT/PREROUTING/POSTROUTING) and
> found this telnet connection does not go via the PREROUTING chain. So it
> doesn't find any local 3739 port listening so it is not redirected to the
> LAN... When I fire up a netcat listening on the port, I can get the connection -
> of course (but as I said before, configuration is more complicated and this
> test was mandatory)

Is this problem localized to just the Linux box itself or does it extend to your inter-LAN connected systems as well?

I was going to ask if you could DNAT internal traffic that was outbound to your WAN IP but after rereading your IPTables rules you are not specifying an interface to apply your rules to so they apply to all and thus you are doing exactly that.  The next question that comes to mind is are you by chance firewalling traffic that would come in the LAN interface and then turn around and go right back out the same LAN interface?  I.e. people set a default policy of DROP and explicitly allow $LAN to $INet and $INet to $LAN but not necessarily $LAN to $LAN.



Grant. . . .
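As an added example (not from either poster), a minimal ruleset covering the two points raised in this thread: packets generated on the firewall itself never pass nat PREROUTING and have to be redirected in nat OUTPUT instead, and a LAN client reaching the LAN server through the WAN IP enters and leaves on the same interface, so a $LAN-to-$INet / $INet-to-$LAN-only FORWARD policy drops it. It also adds the POSTROUTING SNAT such a hairpinned flow needs, which the thread does not mention. WAN_IP, LAN_HOST and LAN_IF are placeholders.

```shell
#!/bin/sh
# Placeholder values (constructed); substitute the real ones.
WAN_IP="203.0.113.10"      # the "official WAN IP" from the thread
LAN_HOST="192.168.1.20"    # internal host that should receive port 3739
LAN_IF="eth1"
PORT=3739

# With DRY_RUN=1 (the default) the rules are printed for review instead of
# being applied; run with DRY_RUN=0 as root to load them.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Forwarded traffic (from the LAN or the WAN) traverses nat PREROUTING.
    ipt -t nat -A PREROUTING -d "$WAN_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$LAN_HOST:$PORT"

    # Locally generated traffic skips PREROUTING (as the LOG/tcpdump test in the
    # thread showed); the nat OUTPUT chain is where it can be DNATed.
    ipt -t nat -A OUTPUT -d "$WAN_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$LAN_HOST:$PORT"

    # LAN -> LAN via the WAN IP: in and out on the same interface, so a
    # policy allowing only LAN<->Internet needs this explicit pair.
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$LAN_HOST" \
        -p tcp --dport "$PORT" -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -s "$LAN_HOST" \
        -p tcp --sport "$PORT" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hairpin: rewrite the source so the server replies through the firewall
    # (a direct reply from LAN_HOST would not match the client's WAN_IP
    # connection and would be reset).
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -d "$LAN_HOST" \
        -p tcp --dport "$PORT" -j MASQUERADE
}

build_rules
```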