Problem with DNAT from localhost to LAN via loopback

Jason Opperisano opie at
Thu Apr 14 22:19:28 CEST 2005

On Thu, Apr 14, 2005 at 10:01:14PM +0200, Charles Delorme wrote:
> Thank you for that tip. Are there any side effects for this compilation
> directive ?

not that i'm aware of.  i suppose if you want to split hairs, you're
forcing locally-generated packets to traverse an additional netfilter
hook.  dunno that i would be concerned about that though.

> I'm not sure to understand what kind of rule I need to add in the OUTPUT
> chain. Should I copy the kind of rule I have in the PREROUTING table ?

probably.  something like:

  iptables -t nat -A OUTPUT -p tcp -d $EXT_IP --dport 3739 \
    -j DNAT --to-destination

the result being that when the firewall tries to connect to its own
external IP on TCP port 3739, the connection gets DNAT-ed to the 38.9
machine--which i *think* is what you were after.


"Stewie: Careful! You're washing a baby's scalp, not scrubbing the vomit
 out of a Christmas dress, you stupid holiday drunk."
        --Family Guy

More information about the netfilter mailing list