Iptables DNAT blocking firewall host

I have a machine where I manage the firewall using UFW. I have set up a few DNAT rules. It works well from the network but not at all from the server itself:

Server IP:

inet 10.0.4.4/23 brd 10.0.5.255 scope global br0

10.0.4.10 is an LXC host running on the same server, networked through a bridged network interface (br0).

/etc/ufw/before.rules:

*nat
:PREROUTING ACCEPT [0:0]

# HTTP
-A PREROUTING -d 10.0.4.4 -p tcp --dport 80 -j DNAT --to 10.0.4.10:80
-A PREROUTING -d 10.0.4.4 -p tcp --dport 443 -j DNAT --to 10.0.4.10:443

COMMIT

I can access the 10.0.4.10 LXC host from the network using the 10.0.4.4 IP, but not from the server itself:

# curl --head http://10.0.4.4
curl: (7) Failed to connect to 10.0.4.4 port 80: Connection refused

But it can access 10.0.4.10 directly:

# curl --head http://10.0.4.10
HTTP/1.1 200 OK

What have I done wrong?
      asked Jun 22 at 3:39
      Laurent
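Why the host's own curl never reaches the container, shown as an added Python model that is not part of the question or of any answer: packets generated on the host itself do not traverse the nat PREROUTING chain, only nat OUTPUT, so the DNAT rules above rewrite traffic arriving from the network but leave the host's own connection aimed at 10.0.4.4:80, where nothing listens. The rule text is copied from the question; FIXED_RULES is an assumed fix that repeats the same matches in the OUTPUT chain.

```python
import re

# Copy of the nat rules from the question's /etc/ufw/before.rules.
BEFORE_RULES = """*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.4.4 -p tcp --dport 80 -j DNAT --to 10.0.4.10:80
-A PREROUTING -d 10.0.4.4 -p tcp --dport 443 -j DNAT --to 10.0.4.10:443
COMMIT
"""

# Assumed fix (not from the question): the same matches in the nat OUTPUT
# chain, which is the only nat chain locally generated packets traverse.
FIXED_RULES = BEFORE_RULES.replace("COMMIT", """-A OUTPUT -d 10.0.4.4 -p tcp --dport 80 -j DNAT --to 10.0.4.10:80
-A OUTPUT -d 10.0.4.4 -p tcp --dport 443 -j DNAT --to 10.0.4.10:443
COMMIT""")

RULE_RE = re.compile(
    r"-A (\w+) -d (\S+) -p tcp --dport (\d+) -j DNAT --to (\S+):(\d+)")


def parse_nat_rules(text):
    """Return DNAT rules as (chain, dst, dport, new_dst, new_port) tuples."""
    return [(m[0], m[1], int(m[2]), m[3], int(m[4])) for m in RULE_RE.findall(text)]


def nat_chains_for(origin):
    """Nat chains a packet hits before routing, by where it originated.

    Packets from the network enter via PREROUTING; packets the host itself
    generates skip PREROUTING and enter the nat table in OUTPUT instead.
    """
    return ["OUTPUT"] if origin == "local" else ["PREROUTING"]


def resolve(rules, origin, dst, dport):
    """Apply the first matching DNAT rule in the chains this packet traverses."""
    for chain in nat_chains_for(origin):
        for r_chain, r_dst, r_port, new_dst, new_port in rules:
            if r_chain == chain and r_dst == dst and r_port == dport:
                return (new_dst, new_port)
    return (dst, dport)  # untouched: delivered to the host's own INPUT path


if __name__ == "__main__":
    for label, rules in (("before", BEFORE_RULES), ("fixed", FIXED_RULES)):
        parsed = parse_nat_rules(rules)
        for origin in ("network", "local"):
            print(label, origin, resolve(parsed, origin, "10.0.4.4", 80))
```

With the original rules a local connection resolves to 10.0.4.4:80 (the "Connection refused" in the question), while with the OUTPUT rules added it resolves to 10.0.4.10:80 like a connection from the network.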