After adding the following DNAT rule I'm getting connection refused when attempting to curl 172.17.1.1:9000/v1/api:

iptables -t nat -I PREROUTING -p tcp --dst 172.17.1.1 --dport 9000 -j DNAT --to-destination 172.12.11.11:8000

I've read this post and this post, and it seems that for curl we need to add an OUTPUT rule for the loopback? But how do we do this for DNAT rules?

I do have the following rules in place:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
lion_bash
  • Do you have other firewalls like ufw? Try this: `iptables -P OUTPUT ACCEPT` – Zhivko Zhelev Mar 23 '22 at 11:47
  • Yes, I have some previous rules in place; the firewall rules are set to deny all traffic and we explicitly allow traffic. Updated the post. – lion_bash Mar 23 '22 at 16:16
  • @ZhivkoZhelev So I tried adding the `iptables -P OUTPUT ACCEPT` rule, but it still didn't work. What I did notice was that originally the request was immediately getting the connection refused error message when I curl. However, after adding the following output rule `iptables -t nat -I OUTPUT -p tcp --dst 172.17.1.1 --dport 9000 -j DNAT --to-destination 172.12.11.11:8000` it wouldn't immediately return the error, but it now hangs on `trying 172.17.1.1 ...`. When I curl `172.12.11.11:8000` directly it works as well. – lion_bash Mar 24 '22 at 08:46
  • iptables also uses order convention, so try removing the allowing rule now and set it before the redirection rule using this: `--set-counters x`, where x is the place number. – Zhivko Zhelev Mar 24 '22 at 10:11
  • Understood, that is why I used `-I` for inserting; that should insert the firewall rule at the top and allow the rule to get hit first, right? Which allow rule did you want to remove, `iptables -P OUTPUT ACCEPT`, this one? – lion_bash Mar 24 '22 at 10:38
  • I assume that if you remove these 3 dropping rules your request will work, but first it needs to be accepted and I see you accepting only on loopback interface. So my suggestion is to try to arrange them properly and place the accept and redirect rule in upper position. – Zhivko Zhelev Mar 25 '22 at 11:22
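
The two traversal paths the question and comments touch on, as an added illustration that is not the asker's or the commenters' code: locally generated packets (curl on the same box) never pass PREROUTING and need the nat OUTPUT rule, and with default-DROP policies the filter-table ACCEPT rules must match the post-DNAT destination and let conntrack replies back in. The interface name eth0 and the DRY_RUN/APPLY switches are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the asker's or commenters' code). Ordered rule set for
# DNAT 172.17.1.1:9000 -> 172.12.11.11:8000 on top of the question's
# default-DROP policies. Assumption: 172.12.11.11 is reached via eth0.
# DRY_RUN=1 prints the commands instead of applying them (no root needed).
set -eu
IPT="${IPT:-iptables}"
VIP=172.17.1.1;       VPORT=9000
BACKEND=172.12.11.11; BPORT=8000
WAN="${WAN:-eth0}"

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

apply_rules() {
    # Filter table: the asker's loopback rules, unchanged.
    run -A INPUT  -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    # Replies come back already un-NATed by conntrack and hit INPUT; without
    # this, curl gets past DNAT but hangs waiting for the SYN-ACK.
    run -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # NAT table. Packets from other hosts traverse PREROUTING; packets this
    # host generates itself (curl on the box) skip it and traverse OUTPUT.
    run -t nat -A PREROUTING -p tcp -d "$VIP" --dport "$VPORT" -j DNAT --to-destination "$BACKEND:$BPORT"
    run -t nat -A OUTPUT     -p tcp -d "$VIP" --dport "$VPORT" -j DNAT --to-destination "$BACKEND:$BPORT"
    # Forwarded clients: rewrite the source so the backend answers via this host.
    run -t nat -A POSTROUTING -o "$WAN" -p tcp -d "$BACKEND" --dport "$BPORT" -j MASQUERADE

    # Filter rules run after DNAT, so they must match the rewritten
    # destination, not 172.17.1.1:9000. With -A these land in chain order;
    # -I would push them above -i lo/-o lo, which only matters once DROP/REJECT rules sit higher.
    run -A OUTPUT  -o "$WAN" -p tcp -d "$BACKEND" --dport "$BPORT" -m conntrack --ctstate NEW -j ACCEPT
    run -A FORWARD -o "$WAN" -p tcp -d "$BACKEND" --dport "$BPORT" -m conntrack --ctstate NEW -j ACCEPT

    # Policies last: set before the ESTABLISHED rule they would cut an SSH
    # session that is applying this script.
    run -P INPUT DROP; run -P OUTPUT DROP; run -P FORWARD DROP
}

# Packet counters (-v) show which nat chain a local curl actually hits.
show_nat() {
    run -t nat -L OUTPUT     -n -v --line-numbers
    run -t nat -L PREROUTING -n -v --line-numbers
}

if [ "${APPLY:-0}" = 1 ]; then apply_rules; show_nat; fi
```

Run with `APPLY=1` as root to apply, or `APPLY=1 DRY_RUN=1` to review the exact commands and their order first; after a local curl, a non-zero counter on the nat OUTPUT rule (and zero on PREROUTING) confirms which chain the request took.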

0 Answers