Near as I can tell, packets originating on the host are skipping the nat:PREROUTING rule... This is before routing, so wouldn't externally-generated packets and internally-generated packets follow the exact same path?

Background: I'm trying to forward some ports on the host to a virtual machine. This is on libvirt's default masquerading/bridged network setup. Let's add some rules to forward the port with DNAT:

    iptables -t nat -I PREROUTING -p tcp -d 173.233.67.174 \
        --dport 25 -j DNAT --to 192.168.122.10:25
    iptables -t filter -I FORWARD -p tcp --dport 25 -j ACCEPT

This almost works... Traffic from outside is great. However, traffic originating on the host fails. It doesn't get NATed, it just terminates on the host.

Here's what I think is happening:

- The packet originates on the host: 1.2.3.4:55555 -> 1.2.3.4:25
- It runs through the output chains unmodified. Good.
- It reappears as input. Now I would expect that the nat:PREROUTING rule would fire, DNATing the packet out to the VM. However, that never happens.

Traffic from outside does hit nat:PREROUTING, yes, but traffic originating on the host never does.

To test this, I copied the nat:PREROUTING rule to the nat:OUTPUT chain, so the packets are DNATed in the output stage instead of the input:

    iptables -t nat -I OUTPUT -p tcp -d 173.233.67.174 \
        --dport 25 -j DNAT --to-destination 192.168.122.10:25

And everything works!

Here's the raw data: https://gist.github.com/bronson/6fa02c4515f95b104ec1

Thanks for any insight.

- Scott
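As an added illustration (not part of Scott's mail or of any netfilter code), here is a small Python model of how the nat table is consulted along the hook path. It encodes one property of the real nat table: nat rules are looked up only for the first packet of a connection, and the resulting binding, even a null one, is recorded on the conntrack entry, so later hooks of the same manipulation type (DNAT in PREROUTING/OUTPUT, SNAT in INPUT/POSTROUTING) skip the lookup. A host-originated packet to a local address runs OUTPUT and POSTROUTING first and only then re-enters through lo and PREROUTING, by which time its DNAT decision is already made. The addresses and rule tuples come from the mail; the hook names, the simplified traversal order and the `Packet`/`Conntrack` types are the model's own assumptions.

```python
"""Toy model of netfilter nat hook traversal (added example, not kernel code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOST_IP = "173.233.67.174"   # public host address from the mail
VM_IP = "192.168.122.10"     # libvirt guest from the mail

# (chain, match dst, match dport, DNAT target "ip:port") -- constructed rule tuples
Rule = Tuple[str, str, int, str]


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: Optional[str]   # None means locally generated


@dataclass
class Conntrack:
    """Per-connection NAT state; mirrors 'is NAT of this type already set up?'."""
    dnat_done: bool = False
    snat_done: bool = False


def dnat_lookup(rules: List[Rule], chain: str, pkt: Packet) -> Optional[str]:
    for r_chain, dst, dport, target in rules:
        if r_chain == chain and pkt.dst == dst and pkt.dport == dport:
            return target
    return None


def nat_hook(chain: str, pkt: Packet, ct: Conntrack, rules: List[Rule], trace: List[str]) -> None:
    """One nat-table hook. PREROUTING/OUTPUT decide DNAT; INPUT/POSTROUTING decide SNAT."""
    manip = "dnat" if chain in ("PREROUTING", "OUTPUT") else "snat"
    if getattr(ct, manip + "_done"):
        trace.append(f"nat:{chain} skipped ({manip} already decided)")
        return
    trace.append(f"nat:{chain} consulted")
    if manip == "dnat":
        target = dnat_lookup(rules, chain, pkt)
        if target:
            ip, port = target.split(":")
            pkt.dst, pkt.dport = ip, int(port)
            trace.append(f"  DNAT -> {ip}:{port}")
    # this model carries no SNAT rules; a null binding still counts as decided
    setattr(ct, manip + "_done", True)


def route(pkt: Packet, local_ips: Tuple[str, ...]) -> str:
    return "INPUT" if pkt.dst in local_ips else "FORWARD"


def traverse(pkt: Packet, rules: List[Rule],
             local_ips: Tuple[str, ...] = (HOST_IP, "127.0.0.1")):
    """Walk the first packet of a new connection through the nat hooks.

    Returns (final chain, possibly rewritten packet, list of trace lines).
    """
    ct = Conntrack()
    trace: List[str] = []
    if pkt.in_iface is None:
        # locally generated: OUTPUT -> (re)routing -> POSTROUTING
        nat_hook("OUTPUT", pkt, ct, rules, trace)
        decision = route(pkt, local_ips)
        nat_hook("POSTROUTING", pkt, ct, rules, trace)
        if decision == "FORWARD":
            return "FORWARD", pkt, trace
        # addressed to ourselves: the packet re-enters on lo as incoming traffic
        pkt.in_iface = "lo"
    # incoming (NIC or lo): PREROUTING -> routing -> INPUT or FORWARD
    nat_hook("PREROUTING", pkt, ct, rules, trace)
    decision = route(pkt, local_ips)
    if decision == "FORWARD":
        nat_hook("POSTROUTING", pkt, ct, rules, trace)
    else:
        nat_hook("INPUT", pkt, ct, rules, trace)
    return decision, pkt, trace


if __name__ == "__main__":
    prerouting_rule = [("PREROUTING", HOST_IP, 25, f"{VM_IP}:25")]
    output_rule = [("OUTPUT", HOST_IP, 25, f"{VM_IP}:25")]
    cases = [
        ("external -> host:25, PREROUTING rule", Packet("198.51.100.7", HOST_IP, 25, "eth0"), prerouting_rule),
        ("host -> host:25, PREROUTING rule", Packet(HOST_IP, HOST_IP, 25, None), prerouting_rule),
        ("host -> host:25, OUTPUT rule", Packet(HOST_IP, HOST_IP, 25, None), output_rule),
    ]
    for label, pkt, rules in cases:
        chain, out, trace = traverse(pkt, rules)
        print(f"{label}: ends in {chain}, dst {out.dst}:{out.dport}")
        for line in trace:
            print("   ", line)
```

Run as a script it prints the three traces: the external packet is rewritten in nat:PREROUTING and forwarded, the host-originated packet with only the PREROUTING rule reaches nat:PREROUTING after its DNAT decision was already taken in nat:OUTPUT and so terminates in INPUT, and the same packet with the rule in nat:OUTPUT is rewritten there and forwarded to the VM.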