
I have an (OpenWRT-powered) router with a port forwarding (DNAT) rule that forwards incoming HTTP requests to a dedicated server box inside my LAN. Here are the relevant configuration bits.

Addresses:

# ip -4 addr show br-lan
5: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 10.196.254.1/24 brd 10.196.254.255 scope global br-lan
       valid_lft forever preferred_lft forever

# ip -4 addr show eth0.2
7: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 95.84.164.43/22 brd 95.84.167.255 scope global eth0.2
       valid_lft forever preferred_lft forever

DNAT rules (edited for brevity, OpenWRT uses custom chains):

# iptables -S -t nat | grep http@stratofortress
-A POSTROUTING -o br-lan -s 10.196.254.0/24 -d 10.196.254.2/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http@stratofortress (reflection)" -j SNAT --to-source 10.196.254.1
-A PREROUTING -i br-lan -s 10.196.254.0/24 -d 95.84.164.43/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http@stratofortress (reflection)" -j DNAT --to-destination 10.196.254.2:80
-A PREROUTING -i eth0.2 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http@stratofortress" -j DNAT --to-destination 10.196.254.2:80

These rules work equally well for requests originating from the Internet and from the LAN (thanks to automagic "NAT reflection" support by OpenWRT).

However, these rules don't work if I try to make a request from the router itself to its WAN address:

# nslookup intelfx.name
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      intelfx.name
Address 1: 95.84.164.43

# curl https://intelfx.name
curl: (7) Failed to connect to intelfx.name port 443: Connection refused

How can I catch packets coming from the router to the router's WAN address (95.84.164.43) and DNAT them to a machine inside LAN (10.196.254.2)?

intelfx
  • I suspect that OpenWrt doesn't bother to do this because nobody will try to access their sites in this manner in normal operation. I wouldn't bother. But remember to set up IPv6. – Michael Hampton Aug 07 '19 at 17:00

1 Answer


The nat OUTPUT chain is used for locally-generated packets:

# iptables -t nat -A OUTPUT -d 95.84.164.43/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: http@stratofortress (reflection)" -j DNAT --to-destination 10.196.254.2:80
zrm
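As an added example (not code from the question or the answer), here is a small POSIX sh helper, suitable for /etc/firewall.user on fw3-based OpenWrt, that installs the nat OUTPUT rule from the answer idempotently (checking with iptables -C before appending) using the addresses from the question. The extra POSTROUTING SNAT rule is my own assumption: it keeps the server's replies flowing back through the router even if the server's default gateway is elsewhere, the same idea as fw3's reflection SNAT rule shown in the question.

```shell
#!/bin/sh
# Added example, not from the question or the answer. Addresses are the ones
# from the question; IPT can be overridden (e.g. IPT=echo) for a dry run.
WAN_IP=95.84.164.43
LAN_IP=10.196.254.1
SERVER=10.196.254.2
LAN_IF=br-lan
PORT=80
IPT=${IPT:-iptables}

# nat OUTPUT chain: locally generated packets (curl run on the router itself).
# Rewrite the WAN address to the LAN server exactly like the PREROUTING DNAT.
# The comment has no spaces so the rule text can be word-split safely below.
output_rule() {
    echo "OUTPUT -d $WAN_IP/32 -p tcp -m tcp --dport $PORT -m comment --comment local_http_reflect -j DNAT --to-destination $SERVER:$PORT"
}

# Assumption: SNAT the router-originated, DNATed packets to the LAN address so the
# server answers the router directly, mirroring fw3's "(reflection)" SNAT rule.
postrouting_rule() {
    echo "POSTROUTING -o $LAN_IF -s $WAN_IP/32 -d $SERVER/32 -p tcp -m tcp --dport $PORT -m comment --comment local_http_reflect -j SNAT --to-source $LAN_IP"
}

# Append a rule only if it is not already present: iptables -C exits non-zero
# when the rule is missing, so repeated firewall reloads do not duplicate it.
ensure_rule() {
    # $1 is deliberately unquoted: the rule text must be split into arguments.
    if $IPT -t nat -C $1 2>/dev/null; then
        return 0
    fi
    $IPT -t nat -A $1
}

# Only touch the live tables when iptables exists and we are root.
if command -v "$IPT" >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    ensure_rule "$(output_rule)"
    ensure_rule "$(postrouting_rule)"
fi
```

Verify afterwards with `iptables -S -t nat | grep local_http_reflect` and repeat the curl from the router.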