Output port redirect going to loopback?

I have the following nat table:
table inet nat {
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                tcp dport 10999 counter packets 0 bytes 0 redirect to :9999
        }

        chain input {
                type nat hook input priority 100; policy accept;
        }

        chain output {
                type nat hook output priority -100; policy accept;
                oif "eth0" ip daddr 172.16.5.220 meta nftrace set 1
                oifname "eth0" tcp dport 9999 counter packets 620 bytes 37200 redirect to :10999
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
        }
}

I would expect to connect outbound on 9999 and have it redirect to 10999 and reach an IP address on my subnet, for example:
# telnet 172.16.5.220 9999
Trying 172.16.5.220...
telnet: Unable to connect to remote host: Connection refused

Note that the redirected port is listening:
# telnet 172.16.5.220 10999
Trying 172.16.5.220...
Connected to 172.16.5.220.
Escape character is '^]'.

Using tcpdump on the target host, I see no packets arriving.  After adding the above trace rule to the output chain, I get the following:
trace id e99d6c43 inet nat output packet: oif "eth0" ip saddr 172.16.5.224 ip daddr 172.16.5.220 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 48255 ip protocol tcp ip length 60 tcp sport 56064 tcp dport 9999 tcp flags == syn tcp window 65535
trace id e99d6c43 inet nat output rule oif "eth0" ip daddr 172.16.5.220 meta nftrace set 1 (verdict continue)
trace id e99d6c43 inet nat output rule oifname "eth0" tcp dport 9999 counter packets 83 bytes 4980 redirect to :10999 (verdict accept)
trace id e99d6c43 inet nat postrouting packet: oif "lo" ip saddr 172.16.5.224 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 48255 ip protocol tcp ip length 60 tcp sport 56064 tcp dport 10999 tcp flags == syn tcp window 65535
trace id e99d6c43 inet nat postrouting verdict continue
trace id e99d6c43 inet nat postrouting policy accept
trace id 1045fc5d inet sgfilter input packet: iif "lo" @ll,0,112 2048 ip saddr 172.16.5.224 ip daddr 127.0.0.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 48255 ip protocol tcp ip length 60 tcp sport 56064 tcp dport 10999 tcp flags == syn tcp window 65535
trace id 1045fc5d inet sgfilter input rule iifname "lo" accept (verdict accept)

Note that the IP ID on the second trace ID is the same as the previous one.  Apparently, my outbound redirect is being redirected to localhost.
How can I redirect traffic to arbitrary remote IP addresses from port 9999 to port 10999?
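Added example, not part of the original post: the same output chain with the redirect rule kept only as a comment and a port-only dnat rule in its place. redirect always rewrites the destination address to a local one (127.0.0.1 for locally generated IPv4 packets), which is exactly the daddr change the postrouting trace line above shows; dnat with a port-only target is assumed here to keep the original remote address and change just the port, so verify the "dnat to :port" form against your nft version.

```nft
table inet nat {
        chain output {
                type nat hook output priority -100; policy accept;

                # Original rule: redirect replaces the destination address with a
                # local address, so 172.16.5.220:9999 becomes 127.0.0.1:10999 and the
                # packet is delivered over "lo" instead of leaving via eth0.
                # oifname "eth0" tcp dport 9999 counter redirect to :10999

                # Port-only dnat (assumed syntax): the destination address is left
                # untouched, only the port is rewritten, so 172.16.5.220:9999 becomes
                # 172.16.5.220:10999 and the SYN still goes out eth0. Conntrack maps
                # the replies back to sport 9999 for the local telnet client.
                oifname "eth0" tcp dport 9999 counter dnat to :10999
        }
}
```

After loading this, the nftrace postrouting line should show oif "eth0" with ip daddr 172.16.5.220 and tcp dport 10999 rather than oif "lo" and daddr 127.0.0.1.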
