Why isn't DNAT happening for host-originated packets?

Why isn't DNAT happening for host-originated packets?

[Scott Bronson]

Near as I can tell, packets originating on the host are skipping the
nat:PREROUTING rule...  This is before routing, so wouldn't externally-
generated packets and internally-generated packets follow the exact
same path?


Background:

I'm trying to forward some ports on the host to a virtual machine.
This is on libvirt's default masquerading/bridged network setup.

Let's add some rules to forward the port with DNAT:

  iptables -t nat -I PREROUTING -p tcp -d 173.233.67.174 \
    --dport 25 -j DNAT --to 192.168.122.10:25
  iptables -t filter -I FORWARD -p tcp --dport 25 -j ACCEPT

This almost works...  Traffic from outside is great.  However, traffic
originating on the host fails.  It doesn't get NATed, it just terminates
on the host.


Here's what I think is happening:

  - The packet originates on the host: 1.2.3.4:55555 -> 1.2.3.4:25
  - It runs through the output chains unmodified. Good.
  - It reappears as input.

Now I would expect that the nat:PREROUTING rule would fire, DNATing
the packet out to the VM.

However, that never happens.  Traffic from outside does hit nat:PREROUTING,
yes, but traffic originating on the host never does.


To test this, I copied the nat:PREROUTING rule to the nat:OUTPUT chain,
so the packets are DNATed in the output stage instead of the input:

  iptables -t nat -I OUTPUT p tcp -d 173.233.67.174 \
    --dport 25 -j DNAT --to-destination 192.168.122.10:25

And everything works!


Here's the raw data: https://gist.github.com/bronson/6fa02c4515f95b104ec1

Thanks for any insight.

    - Scott

Re: Why isn't DNAT happening for host-originated packets?

[Noel Kuntze]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Look at the packet flow graph. That's fairly up to date (but is missing the new *nat INPUT chain).
http://inai.de/images/nf-packet-flow.png

- -- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWYMzPAAoJEDg5KY9j7GZYKPsP/189soz785huEAVPb2vpaSEA
QOGGJ0N2+amRccHSiMmDE/fnI4MRCUUWbiDS0PBJBSC0aKjhDkA7JRej8oWJaJYx
Mjw6VhGmpwRHG5x1bWPcrj+Zx3EXYNOkVhZwu/SPgnagnUMtcN7y2SYtNwlArlAA
twZhoKaVwB75NLqMzcOPNe68kyCyoE7wQNZcczR1HDURs6lWqQh7IyaRKQbX98aa
J1oC6I5e4fqET90PcK2OC1txTRmdyPCCrLqU0yrceV1nO0QEQx+GSIsg+sz5dl9f
Beno5AxzNEaeb0Bifq/PbmwKdTY2jC7QM+4/efwt4jXq/kkiV+VHu91LBbwEFPuM
0JLu9FVpSkXO+e8yVO2KoURYWBN0vKPKvs1qxf5Q37fFiDXmpKlrDS24ZE32xyja
suBREsiAfz7z97NED/0pDQhU1Cf3TJBXHp0kWJSPRZAg7GYI1lnEkMutkD61wVj+
/pNCO7MlLZ2ls8qZZpn7BJW8KoNt5N50DmJ/37zCD3kRHiHlG5OCX4vj2EcssRdz
aQ+HW76S0Bqg+svikkPmBXQvLemh99/izt0DZyJKfC8JpVJhDDj0BallpD4JuZTi
5J2+9dmdgY7js+ATAEvSjT0zj/l3M8sxuqi+NSIWan8eHzWxRm8SRCIl5uQdK8f3
rL/oXXhfJCy8ZRzNSp2T
=jtdy
-----END PGP SIGNATURE-----

Re: Why isn't DNAT happening for host-originated packets?

[Scott Bronson]

That's an awesome graph, but all (non-tap) paths pass through
nat:PREROUTING, don't they?

Now I'm even more confused why host-generated packets seem to skip it.  :)

On Thu, Dec 3, 2015 at 3:14 PM, Noel Kuntze <noel@familie-kuntze.de> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Look at the packet flow graph. That's fairly up to date (but is missing the new *nat INPUT chain).
> http://inai.de/images/nf-packet-flow.png
>
> - --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJWYMzPAAoJEDg5KY9j7GZYKPsP/189soz785huEAVPb2vpaSEA
> QOGGJ0N2+amRccHSiMmDE/fnI4MRCUUWbiDS0PBJBSC0aKjhDkA7JRej8oWJaJYx
> Mjw6VhGmpwRHG5x1bWPcrj+Zx3EXYNOkVhZwu/SPgnagnUMtcN7y2SYtNwlArlAA
> twZhoKaVwB75NLqMzcOPNe68kyCyoE7wQNZcczR1HDURs6lWqQh7IyaRKQbX98aa
> J1oC6I5e4fqET90PcK2OC1txTRmdyPCCrLqU0yrceV1nO0QEQx+GSIsg+sz5dl9f
> Beno5AxzNEaeb0Bifq/PbmwKdTY2jC7QM+4/efwt4jXq/kkiV+VHu91LBbwEFPuM
> 0JLu9FVpSkXO+e8yVO2KoURYWBN0vKPKvs1qxf5Q37fFiDXmpKlrDS24ZE32xyja
> suBREsiAfz7z97NED/0pDQhU1Cf3TJBXHp0kWJSPRZAg7GYI1lnEkMutkD61wVj+
> /pNCO7MlLZ2ls8qZZpn7BJW8KoNt5N50DmJ/37zCD3kRHiHlG5OCX4vj2EcssRdz
> aQ+HW76S0Bqg+svikkPmBXQvLemh99/izt0DZyJKfC8JpVJhDDj0BallpD4JuZTi
> 5J2+9dmdgY7js+ATAEvSjT0zj/l3M8sxuqi+NSIWan8eHzWxRm8SRCIl5uQdK8f3
> rL/oXXhfJCy8ZRzNSp2T
> =jtdy
> -----END PGP SIGNATURE-----
>

Re: Why isn't DNAT happening for host-originated packets?

[Noel Kuntze]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

No.
Packets from the host never pass through PREROUTING anything. How could they?
They originate in the middle top of the graph. They only go right, they never go
left, where the PREROUTING chains are.
- -- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWYNbQAAoJEDg5KY9j7GZYAAYQAI38bZ1eiSjGnsUsjYWeyvCi
i3DqZQcuzCBJgnYBCXH+fo0xsebaqiwkHVFHjqOo6esbCW8Bx5sF/yrae+QMxMjM
9jy35mi77EJx3d9FCBut/uTLR6ERnfN8ahdfMrphlizKcfry+a5dfYVMhSYm0DDb
uLe2sXikSVoeflCMS+mM9OTEewy+BNpkEibnbbFGtt/N1jQe0VB2nYL69HBbakz3
9wQyWxM9d5ZzrKXA6b1GTxodbftRF9acGQSJgf8KQT8XzBZMAKxSJBVdKDex2kbj
IzpRB8ZX47psGYRm8FpOeHENp2tRFPIn761Wmk3PwsGNS1i2MOWcHtTNisDb8ECE
aI88HiQDJu2dl6q29Ql4DYwm3ZJGdEmzG8dIUs5H8DFHfBC/J0XWcjdJUlYSxK1g
JYQppaaOoMF8O5xnmVJRor4j3E2tqDoSDT0fyfJjI4a4+TggvnYFaIWvsLyyQlaO
WB383b5gtlHevHHY2ULtyx9zj6LAtQyAQv3b90NLBbTJEKHOvoznojVd4nmySnbB
k61jvN0CgvedsD/iIViahSVcqP33LVcWabHUH927ffjnfQSE22z4P628kUfdpPuu
Yn8ur1ThQVjnv51sD4+eneInKPLin0wT0PEjjmhzD5nTHGvwXxWAb0IBfZIQTE4f
4aXU6styceOAm4yKpXa8
=ubDY
-----END PGP SIGNATURE-----

Re: Why isn't DNAT happening for host-originated packets?

[Scott Bronson]

> They originate in the middle top of the graph. They only go right, they never go
> left, where the PREROUTING chains are.

Ah, I was naively starting all packets at the (start) box.  That makes
a lot more sense.  Thank you!

My workaround (copy all nat:PREROUTING rules bit-for-bit to
nat:OUTPUT) is pretty skanky though...  Does anyone have a suggestion
for a better way to solve this?

Thanks again!

     - Scott

Re: Why isn't DNAT happening for host-originated packets?

[Noel Kuntze]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

That's not needed.
Just create a custom chain in the nat table and redirect the traffic from
OUTPUT and POSTROUTING into it.
- -- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWYN7yAAoJEDg5KY9j7GZY8tcP/03sCHLogLqbGOgh338JCSPX
BpbhuYyBb+NyrnpuOM97ZIQmOFAeT1mS5paEvPdF4lDp7eZuyQuvAjafKt9ypjXH
kGDzE9vsvcDPtU5Db9Kf9qYnAOnm7mEE64oWNXzaOO+Ul+SdTFz19N3yjFjhXLsm
Mxn8HdYyc4dapuhKu/WYyUuvbOzawE6mtZHzAEYa5EK2nLYY/K2hCB+QSLnoI69p
vtSVUsL2DXcfqbhAwfm0KCZjkQEwvtfuWwsfCVCI0YA4TuVv9qSLUNIUu5qGJRkA
FkuCniVG6YjI7agcxUrURdnAQFEwoo82EfteXJYjJzLsQuIRhhjjxYIUt8FKk31o
MApnmEWPi3cUH0twfFyukzlOUsdObDI5+xqAq1cpokema/Ttf06wpko9wduK5zEm
iZWnmaBTsz7iOn/j/PZOziH3UZh8VEKOfihPqDsm4YKxUApStEcev70WVBSLUem2
Vy0Nlp2Ys6gR3YC4XuHAgKg9f8xcAPGSvseA6wOAI2sW4FQIOM8RZtpOdKzl6Std
OMTxtEt2M3jroksc+E5uz3eZ1yiHuRvpVT0apJzuzbtaRaa6OL+L38dmucFusbi9
L0q589Yfm7MnncsnstiAcvxpdbgPoeF5GQbAhdpAcHPTJT+LAPO1L6BIB0CR5YJC
4KIF52rBiC885loxEUgD
=+CR2
-----END PGP SIGNATURE-----

Re: Why isn't DNAT happening for host-originated packets?

[Scott Bronson]

Actually, the inbound path still looks strange to me.  Here's a
concrete example:

A packet originates on the host and travels outbound without
modification [2], exactly as you say.

Now, because the source and destination are the same, it's returning inbound.

   The packet:   src=173.233.67.174:59748   dst=173.233.67.174:25

According to my trace [1], here the path it takes:

   raw:PREROUTING
   mangle:PREROUTING
   mangle:INPUT
   filter:INPUT
   local process

However, the diagram shows nat:PREROUTING between mangle:PREROUTING
and mangle:INPUT.

Why doesn't my packet do that?

Thanks again, this has been very enlightening.

     - Scott


[1] the inbound path doesn't match the diagram, starting at "(start)":

Dec 3 14:03:43 ex kernel: TRACE: raw:PREROUTING:rule:2 IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=173.233.67.174
DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63334 DF
PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0 WINDOW=43690 RES=0x00
SYN URGP=0 OPT (0204FFD70402080A027F0D520000000001030307)
Dec 3 14:03:43 ex kernel: TRACE: raw:PREROUTING:policy:3 IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=173.233.67.174
DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63334 DF
PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0 WINDOW=43690 RES=0x00
SYN URGP=0 OPT (0204FFD70402080A027F0D520000000001030307)
Dec 3 14:03:43 ex kernel: TRACE: mangle:PREROUTING:policy:1 IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=173.233.67.174
DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63334 DF
PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0 WINDOW=43690 RES=0x00
SYN URGP=0 OPT (0204FFD70402080A027F0D520000000001030307)
Dec 3 14:03:43 ex kernel: TRACE: mangle:INPUT:policy:1 IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=173.233.67.174
DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63334 DF
PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0 WINDOW=43690 RES=0x00
SYN URGP=0 OPT (0204FFD70402080A027F0D520000000001030307)
Dec 3 14:03:43 ex kernel: TRACE: filter:INPUT:policy:5 IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=173.233.67.174
DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=63334 DF
PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0 WINDOW=43690 RES=0x00
SYN URGP=0 OPT (0204FFD70402080A027F0D520000000001030307)



[2]: the outbound path exactly matches the diagram, starting at "local process":

Dec 3 14:03:43 ex kernel: TRACE: raw:OUTPUT:rule:1 IN= OUT=lo
SRC=173.233.67.174 DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=63334 DF PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0
WINDOW=43690 RES=0x00 SYN URGP=0 OPT
(0204FFD70402080A027F0D520000000001030307) UID=0 GID=0
Dec 3 14:03:43 ex kernel: TRACE: raw:OUTPUT:policy:3 IN= OUT=lo
SRC=173.233.67.174 DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=63334 DF PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0
WINDOW=43690 RES=0x00 SYN URGP=0 OPT
(0204FFD70402080A027F0D520000000001030307) UID=0 GID=0
Dec 3 14:03:43 ex kernel: TRACE: mangle:OUTPUT:policy:1 IN= OUT=lo
SRC=173.233.67.174 DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=63334 DF PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0
WINDOW=43690 RES=0x00 SYN URGP=0 OPT
(0204FFD70402080A027F0D520000000001030307) UID=0 GID=0
Dec 3 14:03:43 ex kernel: TRACE: nat:OUTPUT:policy:1 IN= OUT=lo
SRC=173.233.67.174 DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=63334 DF PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0
WINDOW=43690 RES=0x00 SYN URGP=0 OPT
(0204FFD70402080A027F0D520000000001030307) UID=0 GID=0
Dec 3 14:03:43 ex kernel: TRACE: filter:OUTPUT:policy:2 IN= OUT=lo
SRC=173.233.67.174 DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=63334 DF PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0
WINDOW=43690 RES=0x00 SYN URGP=0 OPT
(0204FFD70402080A027F0D520000000001030307) UID=0 GID=0
Dec 3 14:03:43 ex kernel: TRACE: mangle:POSTROUTING:policy:2 IN=
OUT=lo SRC=173.233.67.174 DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00
TTL=64 ID=63334 DF PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0
WINDOW=43690 RES=0x00 SYN URGP=0 OPT
(0204FFD70402080A027F0D520000000001030307) UID=0 GID=0
Dec 3 14:03:43 ex kernel: TRACE: nat:POSTROUTING:policy:6 IN= OUT=lo
SRC=173.233.67.174 DST=173.233.67.174 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=63334 DF PROTO=TCP SPT=59748 DPT=25 SEQ=2002582068 ACK=0
WINDOW=43690 RES=0x00 SYN URGP=0 OPT
(0204FFD70402080A027F0D520000000001030307) UID=0 GID=0

Re: Why isn't DNAT happening for host-originated packets?

[Noel Kuntze]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Traffic going over loopback seems to be handled in a special way
with the TRACE target. There's probably no (in attritubes of the
internal data structure speaking) lossy conversion
to an Ethernet frame (or IP packet) going on.
That won't happen for traffic coming from another box.

- -- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWYN/HAAoJEDg5KY9j7GZYO8sQAJLP6ragMp/0NGAwYyWs7QdG
pePBmNhRKFXFaJdBdR3pGZ8UMO0FfpCdBrEavZpD1HC2YUM2d0UGe3grENV+KkoN
v5h5SQnBBWDcUJVpJbOwrrO4Dj0zYY3XQm9pfqx/w22hxZtxT828ze7pt4y40hOr
UsNTKGpMjZ3GVph/PIlwlvFZ7enTykxn1ZQnef8uTlT1ItqUsMivna5TkjAvhRAw
EJJqoGgrW26Kol1y4cscGsLDk9yQNrNB9QrFi++i1uIQlwqYPfYjIO6z01oyOhn1
2d7/l4JLmw7uFql1VQ10lkem/pWdjx3JA2TIp6Hq3apmeXw5LK+6bRQ6/E0gze4n
O/CZ7DCcPL82Jqwvjwjz3/AJ94qCPekut4uXSoXQMtkXij3GbMFU4T+sfgUZA7YP
SFVtCRLufFId9uyD2i1k53mq13pz7zUkvBl+vtLNlNYwzNkCkAFiugibTKsP3HnV
xLJ+sH1FzOmhUmKUHtmPvIPI0zENgLCnZp9IRhviNMOOQrhgNg5twRDQ+GVeRJJj
QzFWIETamy3PbVVOWLnsOrbaFAITGLxf17vyV8p0CAk5ZGkhBJvbS7U8LS+eRFSU
YlR3Gi+c0nAn7OWVBm5U8yPJytBhYHb40+xPqaM0ku4KhVwYj/0ndkCn6qEl+3Vu
u8lpwUxLLeNKP4xZSWJ5
=5K7a
-----END PGP SIGNATURE-----

Re: Why isn't DNAT happening for host-originated packets?

[Scott Bronson]

> Traffic going over loopback seems to be handled in a special way
> with the TRACE target.

It's considered looped back even though there's never any 127.0.0.1 addresses?

Ah well, I was afraid it would be something like that.  Your suggested
workaround sounds fine.

This behavior feels weird though.  Should I update the diagram with a
dotted line conditionally skipping nat:PREROUTING?

Re: Why isn't DNAT happening for host-originated packets?

[Noel Kuntze]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Well, traffic from yourself to yourself always goes over loopback.
Look at the output of `ip route get <your IP>`.
Don't bother editing the graphic. There's a bunch of missing stuff.
There'll be something in the pipe to fix the graphic soon.

- -- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWYOIaAAoJEDg5KY9j7GZYlP4P/064e7c32AKHxrpi/RnQBN3H
HDJgpkVaVLpiU0pAca1d9O9srNgcX6+U4aMqp3f57MwDPrP4dY7QLumYZEcgqyH2
2Ousj5raMaRhKHhzqq3WlqTp7T/8W/SwTYxzO2HngqFGA5QGPSzsOIN/Ms+38fNT
obZYOJ9NzTKVuBrfjfN1H5R2n/1vyKNBz9PelM6ZCHMUwabkTo+y5UKa6X2Rz1GC
FuKoDtpCAQnvolO/7Tv/NTc2zUQIGTySF/mASde47nfbAPRQ7YCWgtJV6hxhEnYv
Z01nTsLD1m8iqu0bHwNC6EjrVJu/QOc3V2yhK8l0ZzhpbhGoFVOQk6oWOaByYJQ9
mGaYTM6OIdj/FCh7FqaOqWsR3p0/QYXmtBCoTwOerLtEJazlX1UF+ve4Q7GhoXnI
2areMnZ5etvgWJDVfVBS8ogh25mgkdIMq0SpkkE8MjOqKU4Uyjlw5ns91m8YYdCi
8LC5i3F+WTs/g8tFAiE2FR03ZtXv7uuHdLyf1yZ7rUH8SdOr0wBZ4V0TFTfRDrfU
m5n66tULf0djY4tiQy671rYXdTFyJqIZrX81ksy1sJvaQslp1vYp/Oa1U1pNQtef
dcQ9PgXALgWm3dOPkHUWg1VbBDmxAGtsBKCktBOacEIWontqHMonaT88G5zMuaFF
VnCBiSQAu2yxL755iGHl
=Ll34
-----END PGP SIGNATURE-----

Re: Why isn't DNAT happening for host-originated packets?

[Pascal Hambourg]

Hello,

Scott Bronson a écrit :
>> Traffic going over loopback seems to be handled in a special way
>> with the TRACE target.

It's not handled specially /per se/.
It's a side effect of how conntrack and NAT work. The conntrack confirm
takes place at the end of POSTROUTING, and no new NAT rule can be
applied on a confirmed connection.

The same applies to packets belonging to an established connection :
they all skip the nat chains.

The special thing in the loopback path is that there is no need for an
input routing decision after PREROUTING. So, what would happen if you
could actually DNAT the packet ?

> It's considered looped back even though there's never any 127.0.0.1 addresses?

127.0.0.0/8 is reserved for loopback, but loopback is not reserved for
127.0.0.0/8. Any address assigned to a local interface is considered
local. Loopback traffic is all that goes through a loopback interface.
Check your logs : IN=lo, OUT=lo.

Re: Why isn't DNAT happening for host-originated packets?

[Scott Bronson]

On Sat, Dec 5, 2015 at 2:13 AM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> It's not handled specially /per se/.
> It's a side effect of how conntrack and NAT work. The conntrack confirm
> takes place at the end of POSTROUTING, and no new NAT rule can be
> applied on a confirmed connection.
>
> The same applies to packets belonging to an established connection :
> they all skip the nat chains.

That makes sense (assuming PREROUTING above).  Thanks, this seems
way less arbitrary.


> The special thing in the loopback path is that there is no need for an
> input routing decision after PREROUTING. So, what would happen if you
> could actually DNAT the packet ?

I would like to change its destination, then have the routing decision after
PREROUTING send the packet somewhere else.

Just because it arrived local doesn't mean I want it to stay local!

But that's no big deal.  I'm making the PREROUTING+OUTPUT
chain modifications now, everything looks OK to me.

Re: Why isn't DNAT happening for host-originated packets?

[Scott Bronson]

Finally got a chance to code up this fix:

https://github.com/bronson/libvirt-hook-qemu/tree/hostfix
https://github.com/bronson/libvirt-hook-qemu/blob/hostfix/qemu#L67-L95

Works great.  Thanks Noel and Pascal.  Now I need to work on the
disappearing packet.

On Mon, Dec 7, 2015 at 4:53 PM, Scott Bronson <bronson@rinspin.com> wrote:
> On Sat, Dec 5, 2015 at 2:13 AM, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>> It's not handled specially /per se/.
>> It's a side effect of how conntrack and NAT work. The conntrack confirm
>> takes place at the end of POSTROUTING, and no new NAT rule can be
>> applied on a confirmed connection.
>>
>> The same applies to packets belonging to an established connection :
>> they all skip the nat chains.
>
> That makes sense (assuming PREROUTING above).  Thanks, this seems
> way less arbitrary.
>
>
>> The special thing in the loopback path is that there is no need for an
>> input routing decision after PREROUTING. So, what would happen if you
>> could actually DNAT the packet ?
>
> I would like to change its destination, then have the routing decision after
> PREROUTING send the packet somewhere else.
>
> Just because it arrived local doesn't mean I want it to stay local!
>
> But that's no big deal.  I'm making the PREROUTING+OUTPUT
> chain modifications now, everything looks OK to me.