Maintaining source IP while forwarding port from one host to another, but there is a small issue












0














I am using this tunnel approach:



https://superuser.com/a/1357450/972858



to forward a port N from x.x.x.x to y.y.y.y. Its working perfectly and destination y.y.y.y is able to see the actual source IP address. But there is one small issue. x.x.x.x:N can be accessed from everywhere but not from y.y.y.y itself. I am not sure why but I unable to telnet x.x.x.x:N from y.y.y.y.



Please help.










share|improve this question






















  • Probably the same issue as mentioned: hairpin NAT is necessary.
    – grawity
    Dec 14 at 7:01










  • Thanks @grawity for your quick response and your solution to the mentioned question. As I stated, it works beautifully from everywhere except y.y.y.y (destination) cannot telnet the forwarded port N on x.x.x.x. Everywhere -> x.x.x.x:N -> y.y.y.y is working is y.y.y.y is able to see the actual source IP. But if the connection is initiated from y.y.y.y itself: y.y.y.y -> x.x.x.x:N is unable to connect. That is the only issue. Is there a workaround for it? Thanks.
    – Sam
    Dec 14 at 7:15


















0














I am using this tunnel approach:



https://superuser.com/a/1357450/972858



to forward a port N from x.x.x.x to y.y.y.y. Its working perfectly and destination y.y.y.y is able to see the actual source IP address. But there is one small issue. x.x.x.x:N can be accessed from everywhere but not from y.y.y.y itself. I am not sure why but I unable to telnet x.x.x.x:N from y.y.y.y.



Please help.










share|improve this question






















  • Probably the same issue as mentioned: hairpin NAT is necessary.
    – grawity
    Dec 14 at 7:01










  • Thanks @grawity for your quick response and your solution to the mentioned question. As I stated, it works beautifully from everywhere except y.y.y.y (destination) cannot telnet the forwarded port N on x.x.x.x. Everywhere -> x.x.x.x:N -> y.y.y.y is working is y.y.y.y is able to see the actual source IP. But if the connection is initiated from y.y.y.y itself: y.y.y.y -> x.x.x.x:N is unable to connect. That is the only issue. Is there a workaround for it? Thanks.
    – Sam
    Dec 14 at 7:15
















0












0








0







I am using this tunnel approach:



https://superuser.com/a/1357450/972858



to forward a port N from x.x.x.x to y.y.y.y. Its working perfectly and destination y.y.y.y is able to see the actual source IP address. But there is one small issue. x.x.x.x:N can be accessed from everywhere but not from y.y.y.y itself. I am not sure why but I unable to telnet x.x.x.x:N from y.y.y.y.



Please help.










share|improve this question













I am using this tunnel approach:



https://superuser.com/a/1357450/972858



to forward a port N from x.x.x.x to y.y.y.y. Its working perfectly and destination y.y.y.y is able to see the actual source IP address. But there is one small issue. x.x.x.x:N can be accessed from everywhere but not from y.y.y.y itself. I am not sure why but I unable to telnet x.x.x.x:N from y.y.y.y.



Please help.







linux networking routing port-forwarding iptables






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Dec 14 at 6:49









Sam

81




81












  • Probably the same issue as mentioned: hairpin NAT is necessary.
    – grawity
    Dec 14 at 7:01










  • Thanks @grawity for your quick response and your solution to the mentioned question. As I stated, it works beautifully from everywhere except y.y.y.y (destination) cannot telnet the forwarded port N on x.x.x.x. Everywhere -> x.x.x.x:N -> y.y.y.y is working is y.y.y.y is able to see the actual source IP. But if the connection is initiated from y.y.y.y itself: y.y.y.y -> x.x.x.x:N is unable to connect. That is the only issue. Is there a workaround for it? Thanks.
    – Sam
    Dec 14 at 7:15




















  • Probably the same issue as mentioned: hairpin NAT is necessary.
    – grawity
    Dec 14 at 7:01










  • Thanks @grawity for your quick response and your solution to the mentioned question. As I stated, it works beautifully from everywhere except y.y.y.y (destination) cannot telnet the forwarded port N on x.x.x.x. Everywhere -> x.x.x.x:N -> y.y.y.y is working is y.y.y.y is able to see the actual source IP. But if the connection is initiated from y.y.y.y itself: y.y.y.y -> x.x.x.x:N is unable to connect. That is the only issue. Is there a workaround for it? Thanks.
    – Sam
    Dec 14 at 7:15


















Probably the same issue as mentioned: hairpin NAT is necessary.
– grawity
Dec 14 at 7:01




Probably the same issue as mentioned: hairpin NAT is necessary.
– grawity
Dec 14 at 7:01












Thanks @grawity for your quick response and your solution to the mentioned question. As I stated, it works beautifully from everywhere except y.y.y.y (destination) cannot telnet the forwarded port N on x.x.x.x. Everywhere -> x.x.x.x:N -> y.y.y.y is working is y.y.y.y is able to see the actual source IP. But if the connection is initiated from y.y.y.y itself: y.y.y.y -> x.x.x.x:N is unable to connect. That is the only issue. Is there a workaround for it? Thanks.
– Sam
Dec 14 at 7:15






Thanks @grawity for your quick response and your solution to the mentioned question. As I stated, it works beautifully from everywhere except y.y.y.y (destination) cannot telnet the forwarded port N on x.x.x.x. Everywhere -> x.x.x.x:N -> y.y.y.y is working is y.y.y.y is able to see the actual source IP. But if the connection is initiated from y.y.y.y itself: y.y.y.y -> x.x.x.x:N is unable to connect. That is the only issue. Is there a workaround for it? Thanks.
– Sam
Dec 14 at 7:15












1 Answer
1






active

oldest

votes


















1














This doesn't work for the exactly same reason as why port-forwarding within the same LAN doesn't generally work. In other words, it's a hairpin-NAT situation. (Imagine the tunnel as if it were simply a local LAN network.)



The tunnel itself may be working fine – the packet reaches X, gets NATed, and arrives back at Y. However, because Y sees the original sender as being local, the response does not go through X and therefore X cannot undo the NAT. As a result, addresses in the response do not match addresses in the original packet, and Y (as the original initiator) cannot find a matching connection for the response it just received.



Try adding a -t nat -I PREROUTING -d x.x.x.x --dport N -j REDIRECT rule to iptables to handle this case – it should catch the outgoing packets without having to involve X at all.






share|improve this answer





















  • Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
    – Sam
    Dec 14 at 7:40








  • 1




    iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
    – Sam
    Dec 14 at 7:50






  • 1




    Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
    – grawity
    Dec 14 at 8:02











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1383488%2fmaintaining-source-ip-while-forwarding-port-from-one-host-to-another-but-there%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














This doesn't work for the exactly same reason as why port-forwarding within the same LAN doesn't generally work. In other words, it's a hairpin-NAT situation. (Imagine the tunnel as if it were simply a local LAN network.)



The tunnel itself may be working fine – the packet reaches X, gets NATed, and arrives back at Y. However, because Y sees the original sender as being local, the response does not go through X and therefore X cannot undo the NAT. As a result, addresses in the response do not match addresses in the original packet, and Y (as the original initiator) cannot find a matching connection for the response it just received.



Try adding a -t nat -I PREROUTING -d x.x.x.x --dport N -j REDIRECT rule to iptables to handle this case – it should catch the outgoing packets without having to involve X at all.






share|improve this answer





















  • Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
    – Sam
    Dec 14 at 7:40








  • 1




    iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
    – Sam
    Dec 14 at 7:50






  • 1




    Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
    – grawity
    Dec 14 at 8:02
















1














This doesn't work for the exactly same reason as why port-forwarding within the same LAN doesn't generally work. In other words, it's a hairpin-NAT situation. (Imagine the tunnel as if it were simply a local LAN network.)



The tunnel itself may be working fine – the packet reaches X, gets NATed, and arrives back at Y. However, because Y sees the original sender as being local, the response does not go through X and therefore X cannot undo the NAT. As a result, addresses in the response do not match addresses in the original packet, and Y (as the original initiator) cannot find a matching connection for the response it just received.



Try adding a -t nat -I PREROUTING -d x.x.x.x --dport N -j REDIRECT rule to iptables to handle this case – it should catch the outgoing packets without having to involve X at all.






share|improve this answer





















  • Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
    – Sam
    Dec 14 at 7:40








  • 1




    iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
    – Sam
    Dec 14 at 7:50






  • 1




    Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
    – grawity
    Dec 14 at 8:02














1












1








1






This doesn't work for the exactly same reason as why port-forwarding within the same LAN doesn't generally work. In other words, it's a hairpin-NAT situation. (Imagine the tunnel as if it were simply a local LAN network.)



The tunnel itself may be working fine – the packet reaches X, gets NATed, and arrives back at Y. However, because Y sees the original sender as being local, the response does not go through X and therefore X cannot undo the NAT. As a result, addresses in the response do not match addresses in the original packet, and Y (as the original initiator) cannot find a matching connection for the response it just received.



Try adding a -t nat -I PREROUTING -d x.x.x.x --dport N -j REDIRECT rule to iptables to handle this case – it should catch the outgoing packets without having to involve X at all.






share|improve this answer












This doesn't work for the exactly same reason as why port-forwarding within the same LAN doesn't generally work. In other words, it's a hairpin-NAT situation. (Imagine the tunnel as if it were simply a local LAN network.)



The tunnel itself may be working fine – the packet reaches X, gets NATed, and arrives back at Y. However, because Y sees the original sender as being local, the response does not go through X and therefore X cannot undo the NAT. As a result, addresses in the response do not match addresses in the original packet, and Y (as the original initiator) cannot find a matching connection for the response it just received.



Try adding a -t nat -I PREROUTING -d x.x.x.x --dport N -j REDIRECT rule to iptables to handle this case – it should catch the outgoing packets without having to involve X at all.







share|improve this answer












share|improve this answer



share|improve this answer










answered Dec 14 at 7:31









grawity

232k35490546




232k35490546












  • Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
    – Sam
    Dec 14 at 7:40








  • 1




    iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
    – Sam
    Dec 14 at 7:50






  • 1




    Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
    – grawity
    Dec 14 at 8:02


















  • Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
    – Sam
    Dec 14 at 7:40








  • 1




    iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
    – Sam
    Dec 14 at 7:50






  • 1




    Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
    – grawity
    Dec 14 at 8:02
















Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
– Sam
Dec 14 at 7:40






Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
– Sam
Dec 14 at 7:40






1




1




iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
– Sam
Dec 14 at 7:50




iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
– Sam
Dec 14 at 7:50




1




1




Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
– grawity
Dec 14 at 8:02




Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
– grawity
Dec 14 at 8:02


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1383488%2fmaintaining-source-ip-while-forwarding-port-from-one-host-to-another-but-there%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

flock() on closed filehandle LOCK_FILE at /usr/bin/apt-mirror

Mangá

Eduardo VII do Reino Unido