Bounty Ended with 50 reputation awarded by Lars

What you need is so-called NAT hairpinning (aka NAT loopback, NAT reflection):

NAT loopback, [...] is a feature in many consumer routers which permits the access of a service via the public IP address from inside the local network.

Why is it not working? The iptables DNAT rule you provided in your question specifies an incoming interface this rule should apply to: -i eth0. Your traffic isn’t coming from eth0, however, but from some virtual network interface or whatever. Just removing this restriction to eth0 may be sufficient to make it work.

Alternatively, a separate rule could be added to lxcbr0:

iptables -t nat -A PREROUTING -i lxcbr0 -p tcp --dport 443 \
    --destination 80.x.x.x -j DNAT --to 10.0.3.100:443
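The rule set the answer describes, carried through as an added shell example; this is not code from the answer or from the LXC project. It assumes a constructed placeholder public address 203.0.113.10 standing in for 80.x.x.x, reuses the container 10.0.3.100 and the lxcbr0 subnet 10.0.3.0/24 from the question, and runs in dry-run mode (the rules are echoed, not applied) unless IPTABLES is set to the real binary. It goes beyond the answer in two places that are standard iptables behaviour rather than something the answer states: connections that originate on the host itself pass through the nat OUTPUT chain, not PREROUTING, so they need the DNAT there too; and when client and server both sit on lxcbr0, DNAT alone is not enough, because the container's reply would return directly with its private source address and the client, expecting a reply from the public address, would reset the connection. A POSTROUTING MASQUERADE for that hairpinned traffic makes the reply travel back through the host.

```shell
#!/bin/sh
# Added example (not from the original answer): hairpin-NAT rules for an HTTPS
# container behind an LXC host. Every value below is an assumption:
#   PUB_IP  - the host's public address (constructed placeholder for 80.x.x.x)
#   CTR_IP  - the container serving HTTPS
#   LAN_NET - the lxcbr0 subnet
# IPTABLES defaults to a dry run so the script can be read and tested without
# root; export IPTABLES=iptables to apply the rules for real.
PUB_IP="${PUB_IP:-203.0.113.10}"
CTR_IP="${CTR_IP:-10.0.3.100}"
LAN_NET="${LAN_NET:-10.0.3.0/24}"
PORT="${PORT:-443}"
IPTABLES="${IPTABLES:-echo iptables}"

hairpin_rules() {
    # 1. DNAT without "-i eth0": matches traffic arriving from the internet
    #    and from lxcbr0 alike, which is the answer's one-rule variant.
    $IPTABLES -t nat -A PREROUTING -p tcp --dport "$PORT" -d "$PUB_IP" \
        -j DNAT --to-destination "$CTR_IP:$PORT"
    # 2. Locally generated connections (a client on the host itself) never
    #    traverse PREROUTING; they need the same DNAT in the nat OUTPUT chain.
    $IPTABLES -t nat -A OUTPUT -p tcp --dport "$PORT" -d "$PUB_IP" \
        -j DNAT --to-destination "$CTR_IP:$PORT"
    # 3. Hairpin case: client and server on the same bridge. Rewrite the source
    #    so the container answers the host, which then un-NATs the reply and
    #    the client sees it coming from PUB_IP as it expects.
    $IPTABLES -t nat -A POSTROUTING -s "$LAN_NET" -d "$CTR_IP" \
        -p tcp --dport "$PORT" -j MASQUERADE
}

hairpin_rules
```

Run it as-is to review the three commands it would issue; run it with `IPTABLES=iptables` as root to apply them. Rule 3 is deliberately narrow (source subnet, destination container and port) so that ordinary outbound traffic from the bridge is not masqueraded twice.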

Daniel B
