Join Log in
Score:0
lion_bash avatar Server

Iptables DNAT rule curl connection refused

us flag
lion_bash

After adding the following DNAT rule I'm getting connection refused when attempting to curl 172.17.1.1:9000/v1/api:

iptables -t nat -I PREROUTING -p tcp --dst 172.17.1.1 --dport 9000 -j DNAT --to-destination 172.12.11.11:8000

I've read this post and this post and seems like for curl we need to add an OUTPUT rule for the loopback? But how do we do this for DNAT rules?

I do have the following rules in place:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
34
0 + 0
Zhivko Zhelev avatar
ng flag
Zhivko Zhelev
do you have other firewalls like ufw? try this ```iptables -P OUTPUT ACCEPT```
0
Reply
lion_bash avatar
us flag
lion_bash
Yes, I have some previous rules in place, the firewall rules are set to deny all traffic and we explicitly allow traffic . Updated the post.
0
Reply
lion_bash avatar
us flag
lion_bash
@ZhivkoZhelev So i tried add `iptables -P OUTPUT ACCEPT` rule but still didn't work. What i did notice was that originally the request was immediately getting the connection refused error message when I curl. However, after adding the following output rule `iptables -t nat -I OUTPUT -p tcp --dst 172.17.1.1 --dport 9000 -j DNAT --to-destination 172.12.11.11:8000` it wouldn't immediately return the error, but it now hangs on `trying 172.17.1.1 ...`. When I curl `172.12.11.11:8000` directly it works as well.
0
Reply
Zhivko Zhelev avatar
ng flag
Zhivko Zhelev
iptables also use order convention, so try removing the allowing rule now and set it before redirection rule using this ```--set-counters x``` x is place number
0
Reply
lion_bash avatar
us flag
lion_bash
Understood that is why I used `-I` for inserting, that should insert the firewall rule to the top and allow the rule to get hit first right? Which Allow rule did you want to remove `iptables -P OUTPUT ACCEPT` this one?
0
Reply
Zhivko Zhelev avatar
ng flag
Zhivko Zhelev
I assume that if you remove these 3 dropping rules your request will work, but first it needs to be accepted and I see you accepting only on loopback interface. So my suggestion is to try to arrange them properly and place the accept and redirect rule in upper position.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.