I just encountered a linux/netfilter oddity. Simplified, I have FW_A with iface PUB to internet, another to internal LAN_1 and a third to LAN_2. Firewall rules on FW_A are properly set to:
- NAT traffic to/from PUB,
- block LAN_2 traffic from LAN_1
- allow LAN_1 traffic to LAN_2
- forward internet traffic to port 80 to SRVA_2 on LAN_2
On FW_A, in mangle:PREROUTING, XMARKs are set for traffic coming from LAN_1 and LAN_2. Example:
iptables -A portfwb -d 192.0.2.77/32 -i LAN_1 \
-j MARK --set-xmark 0x1/0xffffffff
Internet hosts access port 80 on SRVA_2. Hosts on LAN_1 access port 80 on SRVA_2 via the public IP. Even SRVA_2 can access itself (port 80) via the public IP.
What *doesn't* work is FW_A accessing port 80 on SRVA_2. This traffic does not get NATted and appears on lo with the public address(es). And since nothing on FW_A listens to port 80, the connection is rejected. I *expected* locally-generate traffic to be NATted just like remote traffic.
Questions:
- Is lo ignored in PREROUTING?
- Is it possible to DNAT local traffic on FW_A (changing) the public IP to
the private IP on LAN_2?
- Would I specify '-i lo' in mangle:PREROUTING and nat:PREROUTING (as I do
for the real NICs)?
The uber questions are:
- Should I be able to DNAT and SNAT traffic on lo just as I can on other
LANs, or do I need to take extra steps?
- Is this a known oddity? or was it known back around Linux 3.16 and
iptables 1.6? (Don't ask; sometimes we're stuck in a place we don't
want to be.)
Thanks,
Neal
