IPv4 NAT and lo, and iptables

I just encountered a linux/netfilter oddity. Simplified, I have FW_A with iface PUB to internet, another to internal LAN_1 and a third to LAN_2. Firewall rules on FW_A are properly set to:
  - NAT traffic to/from PUB
  - block LAN_2 traffic from LAN_1
  - allow LAN_1 traffic to LAN_2
  - forward internet traffic to port 80 to SRVA_2 on LAN_2

On FW_A, in mangle:PREROUTING, XMARKs are set for traffic coming from LAN_1 and LAN_2. Example:
  iptables -A portfwb -d 192.0.2.77/32 -i LAN_1 \
    -j MARK --set-xmark 0x1/0xffffffff
Internet hosts access port 80 on SRVA_2. Hosts on LAN_1 access port 80 on SRVA_2 via the public IP. Even SRVA_2 can access itself (port 80) via the public IP.

What *doesn't* work is FW_A accessing port 80 on SRVA_2. This traffic does not get NATted and appears on lo with the public address(es). And since nothing on FW_A listens on port 80, the connection is rejected. I *expected* locally-generated traffic to be NATted just like remote traffic.

Questions:
  - Is lo ignored in PREROUTING?
  - Is it possible to DNAT local traffic on FW_A (changing the public IP to
    the private IP on LAN_2)?
  - Would I specify '-i lo' in mangle:PREROUTING and nat:PREROUTING (as I do
    for the real NICs)?

The uber questions are:
  - Should I be able to DNAT and SNAT traffic on lo just as I can on other
    LANs, or do I need to take extra steps?
  - Is this a known oddity? or was it known back around Linux 3.16 and
    iptables 1.6? (Don't ask; sometimes we're stuck in a place we don't
    want to be.)

Thanks,
Neal
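An added example (not part of Neal's post or of any reply) showing the shape of the port-80 forward for both paths: packets the firewall generates itself never traverse PREROUTING but go through the OUTPUT hooks (raw/mangle/nat/filter) and then POSTROUTING, so their DNAT and mark rules live in nat:OUTPUT and mangle:OUTPUT rather than in PREROUTING with `-i lo`. The addresses, the 0x1 mark value and the interface names are constructed for the example and are not taken from Neal's setup beyond the names he used.

```sh
#!/bin/sh
# Added example, not the original poster's configuration.
# Constructed values: a public address on iface PUB and SRVA_2's private address.
PUB_IP="198.51.100.10"
SRVA_2="192.0.2.80"

# Each function prints one iptables command per line so the rule set can be
# reviewed (or diffed against a live box) before anything is applied.
remote_dnat() {
    # Traffic arriving on PUB, or hairpinning in from LAN_1, enters via
    # PREROUTING, so the classic forward lives here.
    echo "iptables -t nat -A PREROUTING -d $PUB_IP -p tcp --dport 80 -j DNAT --to-destination $SRVA_2:80"
}

local_dnat() {
    # Connections FW_A opens itself are seen by the nat table only once, in
    # nat:OUTPUT. Without a rule here the connection is bound unchanged and
    # the later pass through PREROUTING on lo no longer consults the nat table.
    echo "iptables -t nat -A OUTPUT -d $PUB_IP -p tcp --dport 80 -j DNAT --to-destination $SRVA_2:80"
}

local_mark() {
    # mangle:OUTPUT is the counterpart of the mangle:PREROUTING mark rule for
    # locally generated packets; -i is not valid in OUTPUT, so no interface match.
    echo "iptables -t mangle -A OUTPUT -d $PUB_IP -j MARK --set-xmark 0x1/0xffffffff"
}

all_rules() { remote_dnat; local_dnat; local_mark; }

# Print for review by default; apply only when run as root with APPLY=1.
if [ "${APPLY:-0}" = "1" ]; then
    all_rules | while IFS= read -r cmd; do $cmd; done
else
    all_rules
fi
```

Once applied, `conntrack -L` (or `iptables -t nat -L OUTPUT -v -n`) on FW_A shows the locally originated connection with its DNAT binding instead of a rejected connection to the public address on lo.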