Re: Port forwarding on host interface

Daniel Huhardeaux wrote:
> 
> I would like to redirect an external port to another port on the same 
> machine.

REDIRECT is your friend.

> I read on some documents that the kernel doesn't allow DNAT to 
> 127.0.0.1 so I ended up with following setup:

This is not exactly right. NAT allows any address you like, but the
kernel routing prohibits packets with an address in the loopback range
on a non-loopback interface, regardless of NAT. It might be worth
mentioning that the routing decision occurs after the PREROUTING chain
and does not know about the original destination address. However DNAT
to 127.x.y.z works fine in the OUTPUT chain because the packets are
rerouted through the loopback interface and don't leave the host.

> let's say I want to redirect 59000 port on my 1.2.3.4 public IP to 5900 
> port on the same public IP *but a direct connection to 5900 port on the 
> public IP* is forbidden. At this time my packets are marked for iproute2 
> (2 ISP), mark 201 (isp1) or 202 (Isp2).
> 
> Has someone a tip for me?

You can drop packets to port 5900 in the mangle table before the nat
table. Or you can mark them in the mangle table and drop or reject them
later in the filter table (preferred).

> Is it true that forwarding to 127.0.0.1 can't be done?

If you mean IP forwarding, yes, for the same reason as above because IP
forwarding involves non-loopback interfaces. Note that what you want to
do is not IP forwarding.

If you mean what is commonly called "port forwarding" which is a form of
destination NAT, you can use loopback addresses as long as packets don't
leave or enter the host. As I wrote above, DNAT to 127.x.y.z works fine
in the OUTPUT chain.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
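The rule set the reply describes, written out as an added example (this is not code from the list post or from the netfilter project): REDIRECT in nat PREROUTING for the public port, a mark set in mangle PREROUTING for connections that arrive directly on port 5900 (mangle runs before nat, so the original destination port is still visible there), a REJECT on that mark in filter INPUT, and DNAT to loopback in nat OUTPUT for clients on the host itself. The public address 1.2.3.4, ports 5900/59000 and the routing marks 201/202 come from the thread; the flag bit 0x10000, the variable names and the `print_rule`/`preview_rules` helpers are assumptions made for this example.

```shell
#!/bin/sh
# Added example for the thread above, not code from the list post.
# Assumptions (not stated in the thread): the service listens on TCP 5900,
# clients must use TCP 59000 on 1.2.3.4, and the existing iproute2 marks
# 201/202 live in the low byte of the fwmark, so a separate bit (0x10000)
# is used as the "direct access to 5900" flag.

PUBLIC_IP=1.2.3.4
SVC_PORT=5900
PUB_PORT=59000
DIRECT_BIT=0x10000     # hypothetical flag bit, chosen not to overlap 201/202

# apply_rules CMD -- emit every iptables invocation through CMD
# ("iptables" for real use, "print_rule" to preview the rule set).
apply_rules() {
    ipt=$1

    # 1. mangle PREROUTING runs before nat PREROUTING, so the packet still
    #    carries its ORIGINAL destination port here: flag direct 5900 hits.
    #    --set-mark value/mask only touches the bits in the mask, so the
    #    routing marks 201/202 set by other mangle rules are left intact.
    $ipt -t mangle -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport "$SVC_PORT" \
         -j MARK --set-mark "$DIRECT_BIT/$DIRECT_BIT"

    # 2. nat PREROUTING: REDIRECT rewrites the destination to the primary
    #    address of the incoming interface and port 5900. DNAT to 127.0.0.1
    #    here would be dropped by the routing decision that follows, as the
    #    reply explains.
    $ipt -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport "$PUB_PORT" \
         -j REDIRECT --to-ports "$SVC_PORT"

    # 3. Locally generated connections never traverse PREROUTING; for them
    #    DNAT to loopback works in nat OUTPUT because the packet is rerouted
    #    over lo and never leaves the host.
    $ipt -t nat -A OUTPUT -d "$PUBLIC_IP" -p tcp --dport "$PUB_PORT" \
         -j DNAT --to-destination "127.0.0.1:$SVC_PORT"

    # 4. filter INPUT sees BOTH kinds of packets with --dport 5900; only the
    #    mark tells them apart. Reject the flagged ones first, then accept
    #    the redirected traffic.
    $ipt -A INPUT -p tcp --dport "$SVC_PORT" \
         -m mark --mark "$DIRECT_BIT/$DIRECT_BIT" \
         -j REJECT --reject-with tcp-reset
    $ipt -A INPUT -p tcp --dport "$SVC_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# print_rule ARGS... -- stand-in for iptables that prints one rule per line
print_rule() {
    printf '%s\n' "$*"
}

# preview_rules -- return the rule set as text without touching the kernel
preview_rules() {
    apply_rules print_rule
}

# Run as root with "apply" to load the rules; anything else just prints them.
if [ "${1:-}" = apply ]; then
    apply_rules iptables
else
    preview_rules
fi
```

Two caveats for the two-ISP setup in the question: if the existing `ip rule` entries match `fwmark 201` without a mask, give them one (`fwmark 201/0xff`) so the extra bit does not defeat the routing match; alternatively, skip the mark entirely and reject in INPUT with `-m conntrack --ctorigdstport 5900`, which matches on the destination port before NAT and needs no mark bit at all.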
