Hello,

Serge Kosyrev wrote:
>
> Is it possible to DNAT locally-originated, locally-destined packets to a
> non-local destination?

Sometimes, but not always.

> The use-case is port forwarding to a locally-routed VM guest.
> For externally originating access the following is adequate:
>
> iptables -t nat -A PREROUTING -d external.iface.ip -p tcp --dport 80 -j DNAT --to-destination target.ip.add.ress
>
> A logical complement for locally originating accesses would have been:
>
> iptables -t nat -A OUTPUT -d 127.0.0.0/16 -p tcp --dport 80 -j DNAT --to-destination target.ip.add.ress
>
> ..but all I can observe is silent packet disappearance, which I presume
> takes place during routing decision-making immediately following the
> processing by the OUTPUT chain of the nat table.

Yes, packets are discarded because the output interface is non-loopback and the source address is within 127.0.0.0/8, which is restricted to loopback. Unfortunately you can only change the source address in POSTROUTING, which comes too late.

> So, is it possible at all, or should I go the userspace port forwarding way?

It is possible if the original source address is not within 127.0.0.0/8. For local destinations the default source address is the same as the destination, but some applications allow specifying a different address.

However, why don't you use the same destination address external.iface.ip as in the PREROUTING rule, so that the default source address would not be a loopback address?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
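The rule set suggested in the reply, as an added example that is not part of the original thread: the PREROUTING rule from the question next to an OUTPUT rule that matches the external interface address instead of 127.0.0.0/8, plus a guard that refuses a loopback destination. The addresses (203.0.113.10 for external.iface.ip, 192.168.122.10 for the guest) are assumed placeholders; the script prints the iptables commands by default and only applies them when run as IPT=iptables.

```shell
#!/bin/sh
# Added example (not from the original mail): forward TCP/80 on a host to a
# locally-routed VM guest for both external and locally originated connections.
# EXT_IP and VM_IP are assumed placeholder addresses. Dry-run by default:
# run with IPT=iptables to actually install the rules.
set -eu

EXT_IP="${EXT_IP:-203.0.113.10}"     # assumed: host address on the external interface
VM_IP="${VM_IP:-192.168.122.10}"     # assumed: guest address
PORT="${PORT:-80}"
IPT="${IPT:-echo iptables}"          # "echo iptables" prints instead of applying

# Externally originated traffic enters via PREROUTING (the rule from the question).
prerouting_rule() {
    echo "-t nat -A PREROUTING -d $1 -p tcp --dport $3 -j DNAT --to-destination $2"
}

# Locally originated traffic can only be DNATed in the nat OUTPUT chain, and by
# then the kernel has already chosen the source address from the original
# destination. Matching -d 127.0.0.0/8 (the original attempt) leaves a 127.x
# source that is dropped when the packet is re-routed out a non-loopback
# interface. Matching the external address instead makes that address the
# default source, which survives re-routing to the guest.
output_rule() {
    echo "-t nat -A OUTPUT -d $1 -p tcp --dport $3 -j DNAT --to-destination $2"
}

# Returns non-zero for a destination inside 127.0.0.0/8: DNATing such a packet
# in OUTPUT yields a loopback source and a silently discarded packet.
reject_loopback_dst() {
    case "$1" in
        127.*) return 1 ;;
        *)     return 0 ;;
    esac
}

apply_rules() {
    reject_loopback_dst "$EXT_IP" || {
        echo "refusing: $EXT_IP is in 127.0.0.0/8, DNAT in OUTPUT would be dropped" >&2
        return 1
    }
    $IPT $(prerouting_rule "$EXT_IP" "$VM_IP" "$PORT")
    $IPT $(output_rule "$EXT_IP" "$VM_IP" "$PORT")
}

apply_rules
```

To confirm which source address the kernel will pick before a DNAT, run `ip route get <destination>` and look at the `src` field: for 127.0.0.1 it reports a loopback source, for the external interface address it reports that address. Clients on the host then connect to external.iface.ip:80 rather than localhost:80.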