
DNAT lo->eth0

rstaveley asked:
I have an Oracle Express server at 192.168.2.203 and I want to make it appear to be on localhost.

I did the following:

  iptables -t nat -A PREROUTING -p tcp --dport 1521 -i lo -j DNAT  --to 192.168.2.203:1521

Here it is:
--------8<--------
rob@slippy:~$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination        
DNAT       tcp  --  anywhere             anywhere            tcp dpt:1521 to:192.168.2.203:1521

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
--------8<--------

However, I can't connect to 1521 on localhost.

The interface is the loopback driver. Do I need to do something to specify the fact that the destination is on the eth0 interface, or have I got the wrong end of the stick about DNAT?

Solution Architect commented:
I used to see a module on the kernel that allowed me to do DNAT for localhost, but I was unable to find it. Without that special module I never got DNAT to localhost to work.

What you can do is this (taken from another web page):

As I suggested to someone else having the same problem as you, instead of using a DNAT rule you may use a TCP "proxy" such as stone (<http://www.gcd.org/sengoku/stone/>, supports UDP too) or 6tunnel (<http://toxygen.net/6tunnel/>, originally designed to relay connections between IPv6 and IPv4 hosts but works between IPv4 hosts too) which listens on the local port and relays the local connections to the remote server.


Top Expert 2005 commented:
You have to use forwarding. If a packet arrives via the lo interface it will not traverse the PRE/POSTROUTING chains of the nat table. Sorry.
You can do traffic forwarding with xinetd, which is probably installed there. http://www.collaborium.org/onsite/benin/lectures/christian/security/SLIDES/img36.html

Author commented:
Xinetd sounds good. I'll install it. I had no idea you could do forwarding with it.

Author commented:
Xinetd was a snap :-)
Use stone:
apt-get install stone
stone -D  127.0.0.1:1521 0.0.0.0:1521

Author commented:
Yes that was Redimido's suggestion in http:#19987338. ravenpl's Xinetd http:#19987380 worked nicely for me, though and was more familiar territory. I suspect that it is more efficient than using a proxy too.
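What stone and an xinetd `redirect` service actually do is accept connections on a local listener and copy bytes in both directions to the remote port; the kernel never sees the connection as one to 192.168.2.203. The relay below is an added Python example, not code from this thread or from stone or xinetd. It binds to 127.0.0.1 only, so the Oracle port is not re-exposed on eth0 through this machine, and `demo()` wires it to a constructed local echo server that stands in for the Oracle listener at 192.168.2.203:1521 (an address assumed from the question; nothing here contacts it).

```python
"""Minimal TCP relay: the job that xinetd's `redirect` and stone perform.

Added example. Listens on a loopback address and relays each client
connection to a remote host:port.
"""
import socket
import threading

REMOTE = ("192.168.2.203", 1521)  # Oracle XE host from the question (assumed)
LOCAL = ("127.0.0.1", 1521)       # loopback only; 0.0.0.0 would expose the relay on eth0


def pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst
    so the far side sees the same EOF the near side sent."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, remote_addr):
    """Relay one accepted client connection to remote_addr."""
    try:
        upstream = socket.create_connection(remote_addr, timeout=5)
    except OSError:
        client.close()          # remote down: refuse, do not hang the client
        return
    upstream.settimeout(None)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)      # client -> remote in this thread
    back.join()                 # remote -> client in the other
    client.close()
    upstream.close()


class Relay:
    """Listener that hands every accepted connection to handle()."""

    def __init__(self, local_addr, remote_addr):
        self.remote_addr = remote_addr
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(local_addr)
        self.sock.listen(16)
        self.bound = self.sock.getsockname()  # real (ip, port), useful when port 0 was asked for
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:      # listener closed
                return
            threading.Thread(target=handle, args=(client, self.remote_addr),
                             daemon=True).start()

    def close(self):
        self.sock.close()


def echo_server():
    """Constructed stand-in for the remote Oracle listener: echoes its input."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                while True:
                    chunk = conn.recv(65536)
                    if not chunk:
                        break
                    conn.sendall(chunk)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()


def roundtrip(addr, payload):
    """Send payload to addr, half-close, and return everything read back."""
    with socket.create_connection(addr, timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo(payload=b"hello via relay"):
    """Relay on an ephemeral loopback port -> constructed echo server; returns the echo."""
    backend, backend_addr = echo_server()
    relay = Relay(("127.0.0.1", 0), backend_addr).start()
    try:
        return roundtrip(relay.bound, payload)
    finally:
        relay.close()
        backend.close()


if __name__ == "__main__":
    Relay(LOCAL, REMOTE).start()
    print("relaying %s:%d -> %s:%d" % (LOCAL + REMOTE))
    threading.Event().wait()    # serve until killed
```

Run as a script it listens on 127.0.0.1:1521 and forwards to 192.168.2.203:1521, which is what the question asked for. The xinetd equivalent is a service stanza with `redirect = 192.168.2.203 1521` and `bind = 127.0.0.1`; whichever tool is used, a listener bound to 0.0.0.0 lets every host that can reach this machine reach the database through it, so keep the bind on loopback unless that exposure is intended. Check with `ss -ltnp` (or `netstat -ltnp`) that the relay's listening address really is 127.0.0.1 and not `*`.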