DNAT for locally generated traffic

Hi list,

I've just been spending a few hours trying to DNAT locally generated traffic without success :(

I'd like all outbound traffic to port 5000 to be directed to host 172.22.40.103. So, here is what I did:

iptables -t nat -A PREROUTING -p tcp --dport 5000 -j DNAT --to 172.22.40.103

Didn't work. Using iptables -t nat -L -v, I saw with the counters the rule had *not* been used. As the traffic is locally generated (not forwarded), I suspected I should use the OUTPUT chain instead, and issued:

iptables -t nat -A OUTPUT -p tcp --dport 5000 -j DNAT --to 172.22.40.103

Which produced the unexpected "iptables: Invalid argument" error :(

I'm a bit confused because the syntax looks OK, and inserting a logging rule in the output chain proves that it is really traversed.

I'm stuck. Any help greatly appreciated :)


8<--------------------------------------------------------------------
[root@sscdmz1 root]# uname -r
2.4.18-10custom

[root@sscdmz1 root]# iptables -V
iptables v1.2.5

[root@sscdmz1 root]# iptables-save -t nat
# Generated by iptables-save v1.2.5 on Fri Nov 15 11:53:03 2002
*nat
:PREROUTING ACCEPT [6:1296]
:POSTROUTING ACCEPT [30:2064]
:OUTPUT ACCEPT [30:2064]
-A PREROUTING -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.22.40.103
-A POSTROUTING -p tcp -m tcp --dport 5000 -j LOG --log-prefix "POSTROUTING"
-A OUTPUT -p tcp -m tcp --dport 5000 -j LOG --log-prefix "OUTPUT"
COMMIT
# Completed on Fri Nov 15 11:53:03 2002

[root@sscdmz1 root]# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 15 packets, 4076 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere           tcp dpt:5000 to:172.22.40.103

Chain POSTROUTING (policy ACCEPT 81 packets, 5652 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 LOG        tcp  --  any    any     anywhere             anywhere           tcp dpt:5000 LOG level warning prefix `POSTROUTING'

Chain OUTPUT (policy ACCEPT 81 packets, 5652 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 LOG        tcp  --  any    any     anywhere             anywhere           tcp dpt:5000 LOG level warning prefix `OUTPUT'

8<--------------------------------------------------------------------

-- 
Sébastien Bonnet
  Centre de contacts - Experian France
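One way to script the counter check the post relies on (reading `iptables -t nat -L -v` to see whether a DNAT rule ever matched) is shown below as an added example; it is not part of the original message, the listing is a constructed sample in that command's output format, and `parse_listing` / `unmatched_nat_rules` are hypothetical helper names.

```python
import re

# Constructed sample modelled on the "iptables -t nat -L -v" listing in the post:
# the DNAT rule in PREROUTING never matched, the LOG rule in OUTPUT did.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 15 packets, 4076 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  any    any     anywhere             anywhere           tcp dpt:5000 to:172.22.40.103

Chain OUTPUT (policy ACCEPT 81 packets, 5652 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 LOG        tcp  --  any    any     anywhere             anywhere           tcp dpt:5000 LOG level warning prefix `OUTPUT'
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")


def _count(s):
    """Expand the K/M/G suffixes -v prints for large counters (use -x for exact values)."""
    mult = {"K": 1000, "M": 1000000, "G": 1000000000}
    return int(s[:-1]) * mult[s[-1]] if s[-1] in mult else int(s)


def parse_listing(text):
    """Return {chain: [{'pkts': int, 'target': str, 'extra': str}, ...]}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        # Columns: pkts bytes target prot opt in out source destination [match/target options]
        fields = line.split(None, 9)
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue  # blank line or column header
        extra = fields[9] if len(fields) > 9 else ""
        chains[current].append({"pkts": _count(fields[0]), "target": fields[2], "extra": extra})
    return chains


def unmatched_nat_rules(text, target="DNAT"):
    """(chain, options) for every rule with the given target whose packet counter is zero.

    In the nat table a zero counter usually means the rule sits in a chain the traffic
    never traverses: PREROUTING only sees packets arriving on an interface, while
    locally generated packets go through nat OUTPUT instead."""
    return [(chain, r["extra"]) for chain, rules in parse_listing(text).items()
            for r in rules if r["target"] == target and r["pkts"] == 0]
```

Feed it the real listing with `iptables -t nat -L -v -x` (exact counters) after generating some test connections, and any rule it reports is one the traffic never reached.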