Home / server / Questions / 551487
In Process
pts
Asked: 2013-11-08 13:02:35 +0800 CST

DNAT from localhost (127.0.0.1)

  • 772

I'd like to set up a TCP DNAT from 127.0.0.1, port 4242 to 11.22.33.44, port 5353 on Linux 3.x (currently 3.2.52, but I can upgrade if needed).

It looks like the simple DNAT rule setup doesn't work, telnet 127.0.0.1 4242 hangs for a minute in Trying 127.0.0.1..., and then it times out. Maybe it's because the kernel is discarding the returning packets (e.g. SYN+ACK), because it considers them Martian. I don't need an explanation why the simple solution doesn't work, I need a solution, even if it's complicated (e.g. it involves creating may rules).

I could set up a usual DNAT from another local IP address, outside the 127.0.0.0/8 network, but now I need 127.0.0.1 as the destination address. I know that I can set up a user-level port forwarding process, but now I need a solution which can be set up using iptables and doesn't need helper processes.

I was googling for this for an hour. It was asked multiple times, but I couldn't find any working solutions.

Also there are many questions about DNAT to 127.0.0.1, but I don't need that, I need the opposite.

Please note that a single iptables -j REDIRECT rule wouldn't work, because I need to change the IP address of the outgoing packet from 127.0.0.1 to 11.22.33.44, and -j REDIRECT can't change the IP address.

iptables

3 Answers

  1. This works for me, routing traffic from localhost:8081 to 172.17.0.1:80, where 172.17.0.1 is a veth behind the bridge interface named docker0.

    sysctl -w net.ipv4.conf.docker0.route_localnet=1
iptables -t nat -A OUTPUT -o lo -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.17.0.1:80
iptables -t nat -A POSTROUTING -o docker0 -m addrtype --src-type LOCAL --dst-type UNICAST -j MASQUERADE

    A key piece of the puzzle is the MASQUERADE rule.

    Further inspiration:

    • 6

  2. You will have to run the following three commands to make it work:

    iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 4242 -j DNAT --to 11.22.33.44:5353
sysctl -w net.ipv4.conf.eth0.route_localnet=1
iptables -t nat -A POSTROUTING -p tcp -s 127.0.0.1 -d 11.22.33.44 --dport 5353 -j SNAT --to $your-eth0-ip

    Here is the detailed explanation.

    The first command will do the DNAT as expected. However, if you try to capture packet with only this rule set, you will find you get nothing:

    tcpdump -i any -n port 5353

    This is because linux kernel drop this kind of packet by default, if the packet has 127.0.0.0/8 as one end, and an external ip address as the other end.

    The second command changes the kernel parameter, to let this kind of packet pass (of course, you should change eth0 accordingly). After this, when you capture packet on eth0, you will see packets sent out, but with source address 127.0.0.1 and destination address 11.22.33.44. Whether this packet can reach the target server or not (the intermediate routers will drop this packet), there is no way for this packet to return. So you should add an SNAT rule, to change the source address to your eth0's. And now it should work.

    • 5

  3. Is it something like this you need ? iptables port redirect not working for localhost

    iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 8080

    Adrien

    • 1