
I'd like to redirect local requests to a port which is translated with NAT. I have the following rules:

iptables -t nat -A PREROUTING -p tcp --dport 9020 -j DNAT --to 10.0.3.11:80 

However, requests coming from localhost are rejected:

wget http://127.0.0.1:9020
Connecting to 127.0.0.1:9020... failed: Connection refused.

When I'm connecting from any other computer it works. Is there a way to do this without recompiling the kernel with CONFIG_IP_NF_NAT_LOCAL=y? https://wiki.debian.org/Firewalls-local-port-redirection (which seems to be obsolete).

Update:

iptables -L -v -n --line-numbers -t nat:

Chain PREROUTING (policy ACCEPT 26 packets, 3230 bytes)
num   pkts bytes target     prot opt in     out     source               destination
4        0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9020 to:10.0.3.11:80

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 MASQUERADE all  --  *      *       10.0.0.0/16          0.0.0.0/0

1 Answer


Based on @Hauke Laging comments I put together this:

# connections from outside
iptables -t nat -A PREROUTING -p tcp --dport 9020 -j DNAT --to 10.0.3.11:80
# for local connections
iptables -t nat -A OUTPUT -p tcp --dport 9020 -j DNAT --to 10.0.3.11:80
# Masquerade local subnet
iptables -t nat -A POSTROUTING -s 10.0.3.0/16 -j MASQUERADE
iptables -A FORWARD -o lxcbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i lxcbr0 -o eth0 -j ACCEPT
iptables -A FORWARD -i lxcbr0 -o lo -j ACCEPT

where lxcbr0 is the interface in the 10.0.3.0/16 subnet and eth0 is the interface with the public IP address.

  • I've been looking for this for a long time (a couple of half hours)!!! (Commented Apr 9, 2018 at 6:34)
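An added example, not part of the answer above, that packages the same idea as an idempotent script: each rule is checked with iptables -C before it is appended, the local-connection DNAT is restricted to traffic routed via lo, and the MASQUERADE is keyed on the outgoing bridge interface so the 127.0.0.1 source of a loopback connection is rewritten before the packet reaches the container. The interface names, the narrowed FORWARD rules (only DNATed connections are forwarded to the target) and the environment-variable overrides are assumptions.

```shell
#!/bin/sh
# Idempotent port-redirect setup for the question's DNAT to 10.0.3.11:80.
# Names below are assumptions; override them via the environment if needed.
set -eu

BRIDGE="${BRIDGE:-lxcbr0}"       # container bridge (assumed, as in the answer)
WAN="${WAN:-eth0}"               # public interface (assumed, as in the answer)
TARGET="${TARGET:-10.0.3.11:80}" # DNAT target from the question
PORT="${PORT:-9020}"             # published port from the question

# Emit one rule per line as "<table> <chain> <rule spec>", without -A/-C,
# so the same spec can be used both to check and to add the rule.
nat_rules() {
  cat <<EOF
nat PREROUTING -p tcp --dport $PORT -j DNAT --to-destination $TARGET
nat OUTPUT -o lo -p tcp --dport $PORT -j DNAT --to-destination $TARGET
nat POSTROUTING -o $BRIDGE -j MASQUERADE
filter FORWARD -o $BRIDGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
filter FORWARD -o $BRIDGE -m conntrack --ctstate DNAT -p tcp -d ${TARGET%:*} --dport ${TARGET#*:} -j ACCEPT
filter FORWARD -i $BRIDGE -o $WAN -j ACCEPT
EOF
}

# Append each rule only if it is not already present
# (iptables -C exits 0 when an identical rule exists, so re-runs add nothing).
apply_rules() {
  nat_rules | while read -r table chain spec; do
    # shellcheck disable=SC2086  # spec is intentionally word-split
    if ! iptables -t "$table" -C "$chain" $spec 2>/dev/null; then
      # shellcheck disable=SC2086
      iptables -t "$table" -A "$chain" $spec
    fi
  done
}

# Number of rules the script manages; usable as a self-check without root.
rule_count() { nat_rules | wc -l | tr -d ' '; }

# Apply only when explicitly asked, so sourcing the file stays side-effect free.
if [ "${1:-}" = "apply" ]; then
  apply_rules
fi
```

Run it as root with the argument apply; without it the script only defines the functions, and nat_rules prints the rules it would install.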
