I can connect to my server but my server can't connect to itself

kindlyfire · March 4, 2018, 8:20pm

Hello,

I have my iptables configured like this:

iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.1.232.241
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -d 10.1.232.241 -j SNAT --to-source 54.37.85.217
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 10.1.232.241
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 443 -d 10.1.232.241 -j SNAT --to-source 54.37.85.217

In short, any packet arriving at the port 80 and 443 of my dedicated server gets forwarded to my proxy container. This works like a charm, all my services are running fine, I can connect to the port 80 and 443. The problem is that my server cannot connect to itself, packets sent to 127.0.0.1 do not get forwarded ?

Could somebody help me identify my problem and help solve it ?

dabeegmon · March 4, 2018, 9:06pm

I’m definitely NOT one of the gurus here (just a user trying to learn/understand) so if my comments are later severely modified by someone who ‘knows’ - - - well sorry !

Do you have any of the network type analysis packages installed?

$ netstat -naltp
The results of which would likely be useful in diagnosing the issue and an old standby:

$ ifconfig

should also give some useful information, so - - - please?

kindlyfire · March 4, 2018, 9:23pm

Problem solved. (edit: it isn’t, see next post)

Packets comming from the server do not pass through PREROUTING but through OUTPUT. These commands make it work:

iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 10.1.232.241:80 
iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination 10.1.232.241:443

kindlyfire · March 4, 2018, 9:51pm

Actually I was wrong, it doesn’t work entirely. The server can now connect to itself but the packets from my containers to my server do not get forwarded to the proxy container. This is the setup I used to forward from my containers (using the lxdbr0 interface):

iptables -t nat -A PREROUTING -i lxdbr0 -p tcp --dport 443 -j DNAT --to-destination 10.1.232.241:443
iptables -t nat -A PREROUTING -i lxdbr0 -p tcp --dport 80 -j DNAT --to-destination 10.1.232.241:80

My packets now get forwarded correctly but my containers are unable to get any packets back ?

kindlyfire · March 4, 2018, 10:06pm

About the commands you asked me to run:

$ netstat -naltp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2338/sshd
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      2336/named
tcp        0      0 10.1.232.1:53           0.0.0.0:*               LISTEN      2501/dnsmasq
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2336/named
tcp        0      0 54.37.85.217:49101      194.146.106.46:53       TIME_WAIT   -
tcp        0    188 54.37.85.217:22         81.240.187.71:54531     ESTABLISHED 14034/6
tcp6       0      0 :::22                   :::*                    LISTEN      2338/sshd
tcp6       0      0 ::1:953                 :::*                    LISTEN      2336/named
tcp6       0      0 fd42:c46e:6167:1344::53 :::*                    LISTEN      2501/dnsmasq
tcp6       0      0 fe80::3840:29ff:fef3:53 :::*                    LISTEN      2501/dnsmasq
tcp6       0      0 ::1:53                  :::*                    LISTEN      2336/named

$ ifconfig
eth0      Link encap:Ethernet  HWaddr a4:bf:01:28:76:b8
          inet addr:54.37.85.217  Bcast:54.37.85.255  Mask:255.255.255.0
          inet6 addr: 2001:41d0:303:4dd9::/64 Scope:Global
          inet6 addr: fe80::a6bf:1ff:fe28:76b8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28490090 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14889580 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:34157590130 (34.1 GB)  TX bytes:7234030821 (7.2 GB)
          Memory:a2b00000-a2bfffff

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:267384 errors:0 dropped:0 overruns:0 frame:0
          TX packets:267384 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:32959019 (32.9 MB)  TX bytes:32959019 (32.9 MB)

lxdbr0    Link encap:Ethernet  HWaddr fe:3b:94:46:d3:4e
          inet addr:10.1.232.1  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fd42:c46e:6167:1344::1/64 Scope:Global
          inet6 addr: fe80::3840:29ff:fef3:4e94/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:11431304 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12266882 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6716428195 (6.7 GB)  TX bytes:33109697822 (33.1 GB)

# ... a bunch of veth* interfaces

dabeegmon · March 4, 2018, 10:22pm

I wish I knew more (still very much a learner at this stuff!) but reading the output you have directed localhost (your 127.0.0.1 connection) to connect to specific tasks. That means that your localhost:53 is talking to your container (I think) and localhost:953 is talking to something else.

My idea is that you have directed localhost to do these two things for you - - - and it is. What you have taken away from localhost is its ‘loop back’ abilities. Here is where I’m going to stop with specifics but I’m thinking if you specify localhost with no specific port your ability to do a loop back should reappear. If that works would you please say (I would appreciate knowing that that worked - - - grin!).

kindlyfire · March 4, 2018, 10:31pm

I posted a question on Super User about this, maybe somebody with some more iptables experience will see it: https://superuser.com/questions/1300421/requests-from-container-to-another-container-do-not-work

simos · March 14, 2018, 7:56pm

When I want to create iptables rules for forwarding, I do them like this:

PORT=your_network_port \
LXD_HOST_IP=your_lxd_public_ip \
CONTAINER_IP=your_container_ip \
HOST_NETWORK_INTERFACE=eth0 \
\
sudo -E bash -c 'iptables -t nat -I PREROUTING \
-i $HOST_NETWORK_INTERFACE -p TCP -d $LXD_HOST_IP --dport $PORT -j DNAT \
--to-destination $CONTAINER_IP:$PORT \
-m comment --comment "forward to the proxy container"'

However, when LXD 3.0 is released in a month or so (with Ubuntu 18.04), it would be possible to use LXD instead of iptables. LXD 3.0 has a proxy device which is different from iptables, and I think it will be able to work just as you are expecting.