On Tue, 30 Apr 2024, imnozi@xxxxxxxxx wrote:

> Questions:
> - Is lo ignored in PREROUTING?
> - Is it possible to DNAT local traffic on FW_A (changing) the public IP to
>   the private IP on LAN_2?
> - Would I specify '-i lo' in mangle:PREROUTING and nat:PREROUTING (as I do
>   for the real NICs)?
>
> The uber questions are:
> - Should I be able to DNAT and SNAT traffic on lo just as I can on other
>   LANs, or do I need to take extra steps?

Locally generated traffic does not pass the nat PREROUTING chain - you need
to add matching DNAT rules to the nat OUTPUT chain if you want DNAT rewriting
applied to it.

And similarly, traffic targeting the local system (after DNAT) does not pass
POSTROUTING; if you want such traffic SNAT'ed you need to use the nat INPUT
chain.

> - Is this a known oddity? or was it known back around Linux 3.16 and
>   iptables 1.6? (Don't ask; sometimes we're stuck in a place we don't
>   want to be.)

c'ya
sven-haegar

-- 
Three may keep a secret, if two of them are dead. - Ben F.
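The following script is an added illustration of the two chain placements named in the reply; it is not code from the thread or from either poster. It generates the nat-table rules for the questioner's FW_A scenario using constructed placeholder addresses and interface names (PUBLIC_IP, LAN2_HOST, LAN2_IF, FW_LAN2_IP, DPORT are all assumptions). By default it only prints the rules so it runs without root or netfilter; with APPLY=1 it loads them and lists the resulting nat OUTPUT and INPUT chains for verification.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). All addresses, ports and
# interface names below are constructed placeholders; override them via the
# environment. APPLY=1 applies the rules with iptables (root required);
# otherwise the rules are printed only.

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # constructed: FW_A public address
LAN2_HOST="${LAN2_HOST:-10.2.0.20}"      # constructed: real server on LAN_2
LAN2_IF="${LAN2_IF:-eth1}"               # constructed: FW_A interface on LAN_2
FW_LAN2_IP="${FW_LAN2_IP:-10.2.0.1}"     # constructed: FW_A address on LAN_2
DPORT="${DPORT:-443}"

# Case 1 (reply, first paragraph): packets FW_A generates towards its own
# public IP never traverse nat PREROUTING, so the DNAT must sit in nat OUTPUT.
# Note that "-i lo" is rejected in OUTPUT (only -o is valid there); matching
# the destination address is the reliable selector.
dnat_local_output_rule() {
    printf 'iptables -t nat -A OUTPUT -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$PUBLIC_IP" "$DPORT" "$LAN2_HOST"
}

# Case 2 (reply, second paragraph): a packet that is delivered to FW_A itself
# (here a LAN_2 client hitting the public IP, DNAT'ed in PREROUTING to the
# firewall's own LAN_2 address) never traverses nat POSTROUTING, so a source
# rewrite for it has to be placed in the nat INPUT chain.
dnat_to_local_rules() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$LAN2_IF" "$PUBLIC_IP" "$DPORT" "$FW_LAN2_IP"
    printf 'iptables -t nat -A INPUT -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$FW_LAN2_IP" "$DPORT" "$FW_LAN2_IP"
}

# Print the rule set, or load it and show the resulting chains when APPLY=1.
run_rules() {
    if [ "${APPLY:-0}" = "1" ]; then
        dnat_local_output_rule | sh -e
        dnat_to_local_rules | sh -e
        iptables -t nat -S OUTPUT
        iptables -t nat -S INPUT
    else
        dnat_local_output_rule
        dnat_to_local_rules
    fi
}

run_rules
```

Running it without APPLY prints three iptables commands: one DNAT in nat OUTPUT, one DNAT in nat PREROUTING and one SNAT in nat INPUT; no rule lands in nat POSTROUTING, which is the point of the reply. Mangle rules for the same locally generated traffic follow the same logic and belong in mangle OUTPUT rather than mangle PREROUTING.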