On Friday 06 August 2004 18:13, Jason Opperisano wrote:
> however, after some further testing--your original DNAT *should*
> work--the problem is probably somewhere in your filter rules. i just
> tested this with a machine that has sendmail bound only to 127.0.0.1:
[..]
> note the inbound interface is "lo" and both the src and dst IP's are
> 127.0.0.1. if you need to filter this kind of connection--make sure
> you specify a "-s x.x.x.x" in your DNAT rule.

Apologies if I am taking your mail seriously out of context; I missed the original mail.

In short, DNAT to 127/8 won't work unless both source and destination IPs are 127/8. This is correct and is to do with the way the kernel filters "martians".

If you want to DNAT from an external interface to loopback, bind a private (RFC1918) address to loopback, then DNAT to that address.

For more, I posted the following a while back:

http://www.linuxarkivet.se/mlists/netfilter/0403/msg00770.html

The idea of binding an RFC1918 address to loopback to solve the issue was provided as a follow-up to that mail by somebody else.

David
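The workaround David describes, as an added example that is not part of the original thread or anyone's posted rules: a small POSIX shell script that (a) flags a DNAT target that will be dropped as a martian (destination in 127/8 while the source is not) and (b) emits the rule set for the working variant, where an RFC1918 alias is added to lo and the DNAT points at that alias instead. The interface name eth0, the alias 10.255.255.1/32 and port 25 are assumptions chosen for illustration; sendmail on port 25 is only there because it is the service in the quoted test. The script prints the commands so they can be reviewed, and executes them only when invoked with `apply`, which needs root, iproute2 and iptables.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Shows why a DNAT to
# 127/8 from an external interface is dropped, and the rules for the
# working alternative: an RFC1918 alias on lo as the DNAT target.
# Assumed values (not from the post): external interface eth0,
# loopback alias 10.255.255.1/32, service port 25.
EXT_IF=${EXT_IF:-eth0}
LO_ALIAS=${LO_ALIAS:-10.255.255.1}
PORT=${PORT:-25}

# True (exit 0) when the address is inside 127.0.0.0/8.
is_loopback_net() {
  case "$1" in
    127.*) return 0 ;;
    *)     return 1 ;;
  esac
}

# The kernel treats a packet with a 127/8 destination that did not come
# in on lo as a martian and drops it, so a DNAT target in 127/8 only
# works when the source is in 127/8 as well (i.e. traffic already on lo).
# Prints "loopback-martian" for a target that will be dropped, "ok" otherwise.
check_dnat_target() {
  src=$1
  dst=$2
  if is_loopback_net "$dst" && ! is_loopback_net "$src"; then
    echo loopback-martian
  else
    echo ok
  fi
}

# Emit the working rule set, one command per line:
#  1. put the RFC1918 alias on lo so the kernel treats it as a local,
#     non-martian destination,
#  2. DNAT new connections arriving on the external interface to the alias,
#  3. let the DNATed packets through the filter table (DNAT happens in
#     PREROUTING, so INPUT sees the rewritten destination).
# The daemon must listen on $LO_ALIAS (or on all addresses); a socket
# bound only to 127.0.0.1 will not receive the rewritten packets.
gen_rules() {
  echo "ip addr add $LO_ALIAS/32 dev lo"
  echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $PORT -j DNAT --to-destination $LO_ALIAS:$PORT"
  echo "iptables -A INPUT -i $EXT_IF -d $LO_ALIAS -p tcp --dport $PORT -j ACCEPT"
}

# Number of iptables commands in the generated set (used as a sanity check).
rule_count() {
  gen_rules | grep -c '^iptables '
}

case "$1" in
  apply) gen_rules | sh -e ;;        # execute the rules (root required)
  *)     gen_rules ;;                # default: just print them for review
esac
```

Run it without arguments to see the three commands, or with `apply` as root to install them. The INPUT rule matches on the post-DNAT destination because the nat PREROUTING chain runs before filter INPUT, which is also why a filter rule written against the original destination of the packet never fires; that is the "problem is probably somewhere in your filter rules" case from the quoted mail. On kernels from 3.6 onward the per-interface sysctl `net.ipv4.conf.<if>.route_localnet` is an alternative that lets 127/8 be routed from a non-lo interface, but the alias approach above works on any kernel and keeps the martian check in place for everything else.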