My server (on which the iptables rules below are loaded) has the IP 192.168.3.110.
There is another computer in my LAN with IP 192.168.3.106.
I'm trying to redirect requests to my server on port 80 to 192.168.3.106.
I have the following iptables file, which is loaded on my CentOS 7 server:
*nat
:PREROUTING DROP
:INPUT DROP
:OUTPUT DROP
:POSTROUTING DROP
-A PREROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A PREROUTING --dst 192.168.3.110 -p tcp --dport 80 -j DNAT --to-destination 192.168.3.106
-A PREROUTING -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A OUTPUT --dst 192.168.3.110 -p tcp -m state --state NEW --dport 80 -j DNAT --to-destination 192.168.3.106
-A OUTPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j ACCEPT
-A POSTROUTING -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A POSTROUTING --src 192.168.3.0/24 --dst 192.168.3.106 -p tcp --dport 80 -j SNAT --to-source 192.168.3.110
-A POSTROUTING -o lo -j ACCEPT
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
Basically I'm doing the following (at least that's how I understand it):
- enable ssh-ing
- enable TCP on port 80
- DNAT and SNAT packets so that I achieve the desired behavior.
Question: I don't understand why, when I make a call from my server to itself, i.e. 192.168.3.110, I get a response.
This is how I understand things should work in this case:
1. curl http://192.168.3.110 (don't forget that I execute this from my server, with IP 192.168.3.110)
2. packet is going to OUTPUT chain from nat table, where it is DNATed
3. packet is going to POSTROUTING chain from nat table, where it is SNATed
4. my Apache from 192.168.3.106 is answering my request
5. packet is reaching PREROUTING chain from nat table, where it should be DNATed
6. packet is forwarded and thrown somewhere.
All seems to work as expected, except 5 and 6. In other words, I receive the response from the server. Can anybody explain to me where my logic is broken?
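The curl path from the question, traced through a small toy model of the netfilter hooks. This is an added illustration by the editor, not code from the post or from the iptables project. It models only the DNAT and SNAT rules from the file above, the conntrack mapping and the routing decision; the filter rules and the DROP policies on the nat chains are left out. The ephemeral source port 40000 and the extra LAN client 192.168.3.50 are assumed values. Two properties of netfilter are encoded: the nat table is consulted only for the first (NEW) packet of a connection, and a reply to a connection that the server itself originated is un-NATed by conntrack and then routed to INPUT, never to FORWARD.

```python
"""Toy model of the hooks a packet crosses on 192.168.3.110 with the
DNAT/SNAT pair for port 80 (editor's illustration, not the post's code).
Only the two NAT rules, conntrack and routing are modelled."""
import ipaddress
from dataclasses import dataclass, replace

SERVER = "192.168.3.110"      # host running the rules (from the question)
BACKEND = "192.168.3.106"     # host that really serves port 80 (from the question)
LAN = ipaddress.ip_network("192.168.3.0/24")
LOCAL_ADDRS = {SERVER, "127.0.0.1"}


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        """Tuple of the packet a peer would send back to this one."""
        return Pkt(self.dst, self.dport, self.src, self.sport)


def dnat_rule(p):
    """--dst 192.168.3.110 -p tcp --dport 80 -j DNAT --to-destination 192.168.3.106"""
    if p.dst == SERVER and p.dport == 80:
        return replace(p, dst=BACKEND)
    return p


def snat_rule(p):
    """--src 192.168.3.0/24 --dst 192.168.3.106 --dport 80 -j SNAT --to-source 192.168.3.110"""
    if ipaddress.ip_address(p.src) in LAN and p.dst == BACKEND and p.dport == 80:
        return replace(p, src=SERVER)
    return p


class Conntrack:
    """Minimal conntrack: after the NEW packet has been through the nat
    table, every later packet of the flow, in both directions, is rewritten
    from the stored mapping and the nat table is not consulted again."""

    def __init__(self):
        self.flows = {}  # tuple as it arrives -> (state, tuple it is rewritten to)

    def lookup(self, p):
        return self.flows.get(p)

    def confirm(self, original, translated):
        self.flows[original] = ("ESTABLISHED", translated)
        self.flows[translated.reverse()] = ("ESTABLISHED", original.reverse())


def route(p):
    """Routing decision: local delivery (INPUT) or forwarding (FORWARD)."""
    return "INPUT" if p.dst in LOCAL_ADDRS else "FORWARD"


def local_send(ct, p):
    """Packet generated by a process on the server: OUTPUT, reroute, POSTROUTING."""
    hooks, hit = [], ct.lookup(p)
    if hit is None:
        hooks.append("nat OUTPUT (NEW: DNAT rule evaluated)")
        translated = dnat_rule(p)
    else:
        hooks.append("nat OUTPUT (%s: nat table skipped)" % hit[0])
        translated = hit[1]
    hooks.append("reroute, filter OUTPUT")  # DNAT changed the destination
    if hit is None:
        hooks.append("nat POSTROUTING (NEW: SNAT rule evaluated)")
        translated = snat_rule(translated)
        ct.confirm(p, translated)
    return hooks, translated


def receive(ct, p):
    """Packet arriving on an interface: PREROUTING, routing, INPUT or FORWARD."""
    hooks, hit = [], ct.lookup(p)
    if hit is None:
        hooks.append("nat PREROUTING (NEW: DNAT rule evaluated)")
        translated = dnat_rule(p)
    else:
        hooks.append("nat PREROUTING (%s: nat table skipped, conntrack un-NATs)" % hit[0])
        translated = hit[1]
    chain = route(translated)
    hooks.append("filter " + chain)
    if chain == "FORWARD" and hit is None:
        hooks.append("nat POSTROUTING (NEW: SNAT rule evaluated)")
        translated = snat_rule(translated)
        ct.confirm(p, translated)
    elif chain == "FORWARD":
        hooks.append("nat POSTROUTING (%s: mapping applied)" % hit[0])
    return hooks, translated


def trace_curl_from_server():
    """The question's case: curl http://192.168.3.110 run on the server itself."""
    ct = Conntrack()
    out_hooks, on_wire = local_send(ct, Pkt(SERVER, 40000, SERVER, 80))  # port assumed
    reply_hooks, delivered = receive(ct, on_wire.reverse())  # backend answers what it saw
    return out_hooks, on_wire, reply_hooks, delivered


def trace_client_on_lan(client="192.168.3.50"):
    """Contrast: the same request from another LAN host (address assumed)."""
    ct = Conntrack()
    in_hooks, on_wire = receive(ct, Pkt(client, 40000, SERVER, 80))
    reply_hooks, delivered = receive(ct, on_wire.reverse())
    return in_hooks, on_wire, reply_hooks, delivered


if __name__ == "__main__":
    for name, trace in (("curl on server", trace_curl_from_server),
                        ("client on LAN", trace_client_on_lan)):
        req_hooks, on_wire, reply_hooks, delivered = trace()
        print(name, "request:", " -> ".join(req_hooks), "| on wire:", on_wire)
        print(name, "reply:  ", " -> ".join(reply_hooks), "| delivered:", delivered)
```

Running it prints the two traces side by side: for the curl from the server the reply hits PREROUTING as ESTABLISHED, the nat table is skipped, conntrack rewrites the source back to 192.168.3.110:80, and the routing decision sends it to INPUT, where the RELATED,ESTABLISHED rule accepts it; only the request from another LAN host ever reaches FORWARD. A practitioner checking this on the real box would compare `iptables -t nat -L -v -n` packet counters against `iptables -L FORWARD -v -n` before and after the curl.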