DNAT lo->eth0

Posted on 2007-09-30
Last Modified: 2008-01-09
I have an Oracle Express server at and I want to make it appear to be on localhost.

I did the following:

  iptables -t nat -A PREROUTING -p tcp --dport 1521 -i lo -j DNAT  --to

Here it is:
rob@slippy:~$ sudo iptables -L -t nat
target     prot opt source               destination        
DNAT       tcp  --  anywhere             anywhere            tcp dpt:1521 to:

target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

However, I can't connect to 1521 on localhost.

The interface is the loopback driver. Do I need to do something to specify the fact that the destination is on the eth0 interface, or have I got the wrong end of the stick about DNAT?
Question by:rstaveley
    LVL 19

    Accepted Solution

    I used to see a module on the kernel that allowed me to do DNAT for localhost, but I was unable to find it. Without that special module I never got DNAT to localhost to work.

    What you can do is this (taken from another web page):

    As I suggested to someone else having the same problem as you, instead of using a DNAT rule you may use a TCP "proxy" such as stone (<>, supports UDP too) or 6tunnel (<>, originally designed to relay connections between IPv6 and IPv4 hosts but works between IPv4 hosts too) which listens on the local port and relays the local connexions to the remote server.

    LVL 43

    Assisted Solution

    You have to use forwarding. If a packet arrives via the lo interface, it will not travel the PRE/POSTROUTING chains of the nat table. Sorry.
    You can do traffic forwarding with xinetd, which is probably installed there.
    LVL 17

    Author Comment

    Xinetd sounds good. I'll install it. I had no idea you could do forwarding with it.
    LVL 17

    Author Comment

    Xinetd was a snap :-)

    Expert Comment

    Use stone:
    apt-get install stone
    stone -D
    LVL 17

    Author Comment

    Yes, that was Redimido's suggestion in http:#19987338. ravenpl's Xinetd http:#19987380 worked nicely for me, though, and was more familiar territory. I suspect that it is more efficient than using a proxy too.
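
The xinetd forwarding that the thread settles on, written out as an added example (not configuration posted by anyone in the thread). The service name `oracle-fwd`, the file name, and the address 192.0.2.10 are placeholders, since the page does not show the real server address; the relay is bound to loopback only so the Oracle listener is not re-exposed on other interfaces.

```conf
# /etc/xinetd.d/oracle-fwd  (hypothetical file name)
# Relays local connections on 127.0.0.1:1521 to the remote Oracle listener.
service oracle-fwd
{
    # UNLISTED: the service name is not looked up in /etc/services,
    # so the port is taken from the "port" attribute below.
    type            = UNLISTED
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    # The relay needs no privileges; run it as an unprivileged user.
    user            = nobody
    # Listen on loopback only, not on eth0.
    bind            = 127.0.0.1
    port            = 1521
    # Placeholder address: replace with the real Oracle Express server.
    redirect        = 192.0.2.10 1521
    # Accept clients from the local host only.
    only_from       = 127.0.0.1
    # Log connection attempts that only_from rejects.
    log_on_failure  += HOST
}
```

After xinetd is restarted, `ss -ltn` (or `netstat -ltn`) should show port 1521 listening on 127.0.0.1 only.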
