There are lots of questions on here about iptables DNAT/SNAT setups but I haven't found one that solves my current problem.
I have services bound to the IP address of eth0 (e.g. 192.168.0.20) and I also have an IP address on eth0:0 (192.168.0.40) which is shared with another server. Only one server is active, so this alias interface comes and goes depending on which server is active.
I'm having problems with NX, it's doing strange things, trying to connect to some IP host in Timbuktu because my DNS provider's DNS sucks AND because NX is looking up the host "localhost" without first consulting my hosts file (which nsswitch explicitly tells it to do). THAT's all beside the point.
I have a CentOS box with a public IP on eth0 and a private IP on eth1; 4 public IPs are aliased on eth0.
I have written a DNAT rule to NAT requests on 1.1.1.3 to 10.10.10.3 and it worked fine,
but when I add more DNAT rules it is not working.
I have an existing iptables setup that does port forwarding. In this port forwarding scenario there are some instances where I do not want it to port forward. So, for instance I have this defined:
iptables -A PREROUTING -t nat -i eth0 '!' -s 10.200.0.0/16 -p tcp --dport 80 -j DNAT --to 10.200.30.11
This will prevent 10.200/16 from accessing this rule.
Good day.
I have the following issue - I have plenty of computers in my local network (probably about 40, and this amount could increase), and I want to give remote access to all of them from the internet. All those machines are connected to the internal network through one gateway/firewall/whatever else with Debian 6.0.7 on board.
I hope I can articulate my problem in as few words as needed.
I have two networks, each with their own firewalls and an IPsec connection between them.
192.168.100.1 is one firewall (F8). It is also a virtual machine host for the web server: 192.168.100.5 (F10).
192.168.700.1 (F6) is my other firewall. 192.168.700.2 (F6) is an application server behind it.
Ok, I'm fighting with this for hours now. Here is the story:
I have a server with a XEN Virtual Machine. The VM uses the address 192.168.0.4. The same server uses two more network cards - one with the IP 192.168.0.1 and one with the IP 192.168.1.10.
Now - what I want to do is make a simple port redirection:
192.168.1.10:80 --> 192.168.0.4:80
Not sure if this should be here or in the security section.
I am developing software that dynamically manipulates netfilter/iptables rules (through system() calls of the command strings, I'm not trying to hack the netfilter code).
I have a linux box with two NIC cards: eth0 and eth1.
On one card I have 3 public IPs:
eth0 = 10.10.10.1
eth0:1= 10.10.10.2
eth0:2= 10.10.10.3
On the other card I have one local IP:
eth1 = 192.9.200.1
I want to redirect all the WAN traffic for 10.10.10.2 to the LAN 192.9.200.2 and the same for 10.10.10.3 to 192.9.200.3.
I have tried with this rule but it doesn't work:
iptables -t nat -A PRE