Maintaining source IP while forwarding port from one host to another, but there is a small issue
I am using this tunnel approach:
https://superuser.com/a/1357450/972858
to forward a port N from x.x.x.x to y.y.y.y. Its working perfectly and destination y.y.y.y is able to see the actual source IP address. But there is one small issue. x.x.x.x:N can be accessed from everywhere but not from y.y.y.y itself. I am not sure why but I unable to telnet x.x.x.x:N from y.y.y.y.
Please help.
linux networking routing port-forwarding iptables
add a comment |
I am using this tunnel approach:
https://superuser.com/a/1357450/972858
to forward a port N from x.x.x.x to y.y.y.y. Its working perfectly and destination y.y.y.y is able to see the actual source IP address. But there is one small issue. x.x.x.x:N can be accessed from everywhere but not from y.y.y.y itself. I am not sure why but I unable to telnet x.x.x.x:N from y.y.y.y.
Please help.
linux networking routing port-forwarding iptables
Probably the same issue as mentioned: hairpin NAT is necessary.
– grawity
Dec 14 at 7:01
Thanks @grawity for your quick response and your solution to the mentioned question. As I stated, it works beautifully from everywhere except y.y.y.y (destination) cannot telnet the forwarded port N on x.x.x.x. Everywhere -> x.x.x.x:N -> y.y.y.y is working is y.y.y.y is able to see the actual source IP. But if the connection is initiated from y.y.y.y itself: y.y.y.y -> x.x.x.x:N is unable to connect. That is the only issue. Is there a workaround for it? Thanks.
– Sam
Dec 14 at 7:15
add a comment |
I am using this tunnel approach:
https://superuser.com/a/1357450/972858
to forward a port N from x.x.x.x to y.y.y.y. Its working perfectly and destination y.y.y.y is able to see the actual source IP address. But there is one small issue. x.x.x.x:N can be accessed from everywhere but not from y.y.y.y itself. I am not sure why but I unable to telnet x.x.x.x:N from y.y.y.y.
Please help.
linux networking routing port-forwarding iptables
I am using this tunnel approach:
https://superuser.com/a/1357450/972858
to forward a port N from x.x.x.x to y.y.y.y. Its working perfectly and destination y.y.y.y is able to see the actual source IP address. But there is one small issue. x.x.x.x:N can be accessed from everywhere but not from y.y.y.y itself. I am not sure why but I unable to telnet x.x.x.x:N from y.y.y.y.
Please help.
linux networking routing port-forwarding iptables
linux networking routing port-forwarding iptables
asked Dec 14 at 6:49
Sam
81
81
Probably the same issue as mentioned: hairpin NAT is necessary.
– grawity
Dec 14 at 7:01
Thanks @grawity for your quick response and your solution to the mentioned question. As I stated, it works beautifully from everywhere except y.y.y.y (destination) cannot telnet the forwarded port N on x.x.x.x. Everywhere -> x.x.x.x:N -> y.y.y.y is working is y.y.y.y is able to see the actual source IP. But if the connection is initiated from y.y.y.y itself: y.y.y.y -> x.x.x.x:N is unable to connect. That is the only issue. Is there a workaround for it? Thanks.
– Sam
Dec 14 at 7:15
add a comment |
Probably the same issue as mentioned: hairpin NAT is necessary.
– grawity
Dec 14 at 7:01
Thanks @grawity for your quick response and your solution to the mentioned question. As I stated, it works beautifully from everywhere except y.y.y.y (destination) cannot telnet the forwarded port N on x.x.x.x. Everywhere -> x.x.x.x:N -> y.y.y.y is working is y.y.y.y is able to see the actual source IP. But if the connection is initiated from y.y.y.y itself: y.y.y.y -> x.x.x.x:N is unable to connect. That is the only issue. Is there a workaround for it? Thanks.
– Sam
Dec 14 at 7:15
Probably the same issue as mentioned: hairpin NAT is necessary.
– grawity
Dec 14 at 7:01
Probably the same issue as mentioned: hairpin NAT is necessary.
– grawity
Dec 14 at 7:01
Thanks @grawity for your quick response and your solution to the mentioned question. As I stated, it works beautifully from everywhere except y.y.y.y (destination) cannot telnet the forwarded port N on x.x.x.x. Everywhere -> x.x.x.x:N -> y.y.y.y is working is y.y.y.y is able to see the actual source IP. But if the connection is initiated from y.y.y.y itself: y.y.y.y -> x.x.x.x:N is unable to connect. That is the only issue. Is there a workaround for it? Thanks.
– Sam
Dec 14 at 7:15
Thanks @grawity for your quick response and your solution to the mentioned question. As I stated, it works beautifully from everywhere except y.y.y.y (destination) cannot telnet the forwarded port N on x.x.x.x. Everywhere -> x.x.x.x:N -> y.y.y.y is working is y.y.y.y is able to see the actual source IP. But if the connection is initiated from y.y.y.y itself: y.y.y.y -> x.x.x.x:N is unable to connect. That is the only issue. Is there a workaround for it? Thanks.
– Sam
Dec 14 at 7:15
add a comment |
1 Answer
1
active
oldest
votes
This doesn't work for the exactly same reason as why port-forwarding within the same LAN doesn't generally work. In other words, it's a hairpin-NAT situation. (Imagine the tunnel as if it were simply a local LAN network.)
The tunnel itself may be working fine – the packet reaches X, gets NATed, and arrives back at Y. However, because Y sees the original sender as being local, the response does not go through X and therefore X cannot undo the NAT. As a result, addresses in the response do not match addresses in the original packet, and Y (as the original initiator) cannot find a matching connection for the response it just received.
Try adding a -t nat -I PREROUTING -d x.x.x.x --dport N -j REDIRECT
rule to iptables to handle this case – it should catch the outgoing packets without having to involve X at all.
Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
– Sam
Dec 14 at 7:40
1
iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
– Sam
Dec 14 at 7:50
1
Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
– grawity
Dec 14 at 8:02
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1383488%2fmaintaining-source-ip-while-forwarding-port-from-one-host-to-another-but-there%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
This doesn't work for the exactly same reason as why port-forwarding within the same LAN doesn't generally work. In other words, it's a hairpin-NAT situation. (Imagine the tunnel as if it were simply a local LAN network.)
The tunnel itself may be working fine – the packet reaches X, gets NATed, and arrives back at Y. However, because Y sees the original sender as being local, the response does not go through X and therefore X cannot undo the NAT. As a result, addresses in the response do not match addresses in the original packet, and Y (as the original initiator) cannot find a matching connection for the response it just received.
Try adding a -t nat -I PREROUTING -d x.x.x.x --dport N -j REDIRECT
rule to iptables to handle this case – it should catch the outgoing packets without having to involve X at all.
Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
– Sam
Dec 14 at 7:40
1
iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
– Sam
Dec 14 at 7:50
1
Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
– grawity
Dec 14 at 8:02
add a comment |
This doesn't work for the exactly same reason as why port-forwarding within the same LAN doesn't generally work. In other words, it's a hairpin-NAT situation. (Imagine the tunnel as if it were simply a local LAN network.)
The tunnel itself may be working fine – the packet reaches X, gets NATed, and arrives back at Y. However, because Y sees the original sender as being local, the response does not go through X and therefore X cannot undo the NAT. As a result, addresses in the response do not match addresses in the original packet, and Y (as the original initiator) cannot find a matching connection for the response it just received.
Try adding a -t nat -I PREROUTING -d x.x.x.x --dport N -j REDIRECT
rule to iptables to handle this case – it should catch the outgoing packets without having to involve X at all.
Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
– Sam
Dec 14 at 7:40
1
iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
– Sam
Dec 14 at 7:50
1
Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
– grawity
Dec 14 at 8:02
add a comment |
This doesn't work for the exactly same reason as why port-forwarding within the same LAN doesn't generally work. In other words, it's a hairpin-NAT situation. (Imagine the tunnel as if it were simply a local LAN network.)
The tunnel itself may be working fine – the packet reaches X, gets NATed, and arrives back at Y. However, because Y sees the original sender as being local, the response does not go through X and therefore X cannot undo the NAT. As a result, addresses in the response do not match addresses in the original packet, and Y (as the original initiator) cannot find a matching connection for the response it just received.
Try adding a -t nat -I PREROUTING -d x.x.x.x --dport N -j REDIRECT
rule to iptables to handle this case – it should catch the outgoing packets without having to involve X at all.
This doesn't work for the exactly same reason as why port-forwarding within the same LAN doesn't generally work. In other words, it's a hairpin-NAT situation. (Imagine the tunnel as if it were simply a local LAN network.)
The tunnel itself may be working fine – the packet reaches X, gets NATed, and arrives back at Y. However, because Y sees the original sender as being local, the response does not go through X and therefore X cannot undo the NAT. As a result, addresses in the response do not match addresses in the original packet, and Y (as the original initiator) cannot find a matching connection for the response it just received.
Try adding a -t nat -I PREROUTING -d x.x.x.x --dport N -j REDIRECT
rule to iptables to handle this case – it should catch the outgoing packets without having to involve X at all.
answered Dec 14 at 7:31
grawity
232k35490546
232k35490546
Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
– Sam
Dec 14 at 7:40
1
iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
– Sam
Dec 14 at 7:50
1
Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
– grawity
Dec 14 at 8:02
add a comment |
Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
– Sam
Dec 14 at 7:40
1
iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
– Sam
Dec 14 at 7:50
1
Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
– grawity
Dec 14 at 8:02
Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
– Sam
Dec 14 at 7:40
Thanks @grawity I added the following on y.y.y.y: iptables -t nat -A PREROUTING -d x.x.x.x -p tcp --dport 80 -j REDIRECT But no go.
– Sam
Dec 14 at 7:40
1
1
iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
– Sam
Dec 14 at 7:50
iptables -t nat -A OUTPUT -d x.x.x.x -p tcp --dport N -j REDIRECT works but should I be using that instead of PREROUTING ?
– Sam
Dec 14 at 7:50
1
1
Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
– grawity
Dec 14 at 8:02
Ah, yes, for connections initiated by the same system, OUTPUT should be the correct one.
– grawity
Dec 14 at 8:02
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1383488%2fmaintaining-source-ip-while-forwarding-port-from-one-host-to-another-but-there%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Probably the same issue as mentioned: hairpin NAT is necessary.
– grawity
Dec 14 at 7:01
Thanks @grawity for your quick response and your solution to the mentioned question. As I stated, it works beautifully from everywhere except y.y.y.y (destination) cannot telnet the forwarded port N on x.x.x.x. Everywhere -> x.x.x.x:N -> y.y.y.y is working is y.y.y.y is able to see the actual source IP. But if the connection is initiated from y.y.y.y itself: y.y.y.y -> x.x.x.x:N is unable to connect. That is the only issue. Is there a workaround for it? Thanks.
– Sam
Dec 14 at 7:15