I would like to automatically handle packets in the OUTPUT chain of the NAT table (which are generated locally) as if they came from outside (via PREROUTING).
Is it possible to use a "forward everything to PREROUTING" as a fallback / last rule in the OUTPUT chain?
E.g., given the following NAT forwarding:

```
iptables -t nat -A PREROUTING -p TCP -d $EXT.IP.ADD.RESS \
    --dport 80 -j DNAT --to-destination $INT.IP.ADD.RESS:80
```

I have to set up a matching OUTPUT rule:

```
iptables -t nat -A OUTPUT -p TCP -d $EXT.IP.ADD.RESS \
    --dport 80 -j DNAT --to-destination $INT.IP.ADD.RESS:80
```

When logging these packets (via `iptables -t nat -A OUTPUT -p TCP -d $EXT.IP.ADD.RESS -j LOG`), they look like:

```
IN= OUT=lo SRC=$EXT.IP.ADD.RESS DST=$EXT.IP.ADD.RESS LEN=60 \
TOS=0x00 PREC=0x00 TTL=64 ID=22348 DF PROTO=TCP SPT=59425 \
DPT=25 WINDOW=32792 RES=0x00 SYN URGP=0
```

I've tried something like the following, but it did not work:

```
iptables -t nat -A OUTPUT -p TCP -d $EXT.IP.ADD.RESS -j DNAT \
    --to $EXT.IP.ADD.RESS
```

I am using the following macro/block now for every mapping of a port to an internal machine:

```
iptables -t nat -A PREROUTING -p TCP -d $EXT.IP.ADD.RESS --dport 25 \
    -j DNAT --to-destination 10.122.1.25:25
iptables -t nat -A OUTPUT -p TCP -d $EXT.IP.ADD.RESS --dport 25 \
    -j DNAT --to-destination 10.122.1.25:25
iptables -t nat -A POSTROUTING -p TCP -s 10.122.1.25 -d 10.122.1.25 --dport 25 \
    -j SNAT --to 10.122.1.1
```
10.122.1.1 is the firewall, and 10.122.1.25 the container (mail server).
I have only added the last rule ("POSTROUTING") lately, which allows for the container to reach itself.
Yes, this is called NAT Loopback and it requires you to SNAT your locally generated packets to your external IP. This will cause your packets to loop back around and go through your PREROUTING chain.

What do you intend to accomplish with reinjecting locally-generated packets (not forwarding) into PREROUTING?

If you dislike the redundancy you have there, you can create a new user-defined chain, put the rule in there, and call this chain from PREROUTING and OUTPUT.