I cannot claim to understand it, nor even entirely believe it, but the failure seems to be limited to attempts to navigate the iptables DNAT/SNAT rules on a host from within that host.
So if I have an interface with address 192.168.1.100 and make a rule to send high-port traffic to the ssh port:
Code:
# iptables -t nat -A PREROUTING -p tcp -d 192.168.1.100 --dport 12345 -j DNAT --to 192.168.1.100:22
That rule works great if you come in from the outside world with the command
Code:
$ telnet 192.168.1.100 12345
..connected...
but that identical incantation from within the host with DNAT running on it fails. So there is something about locally sourced socket traffic that causes iptables to not do the expected. I guess we live with it.
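As an added example that is not part of the original post: a small POSIX shell script covering the case the post runs into. Packets generated on the host itself never pass through the nat PREROUTING chain; the hook they do pass through is nat OUTPUT, so the redirect needs a rule in both chains if it is to work for local connections as well. The script emits the PREROUTING rule from the post together with its OUTPUT counterpart, and includes an audit function that reads `iptables -t nat -S` output and reports which of the two chains carry a DNAT rule for a given port. The address and ports are the post's; the function names (`dnat_rules`, `check_dnat_chains`, `apply_dnat_rules`), the `APPLY=1` gate and the sample rule dump are my own assumptions, and the dump is constructed to look like a host set up exactly as in the post.

```sh
#!/bin/sh
# Added example, not from the original post. Locally generated packets do not
# traverse the nat PREROUTING chain; they traverse nat OUTPUT, so a redirect
# that must also work for connections made on the host itself needs a rule in
# both chains. Address and ports are the ones from the post.

ADDR=192.168.1.100
FROM_PORT=12345
TO_PORT=22

# Emit (do not run) the two iptables commands for the redirect, one per line.
dnat_rules() {
    addr=$1; from=$2; to=$3
    # Connections arriving from another host are NATed in PREROUTING.
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$addr" "$from" "$addr" "$to"
    # Connections originated on this host never see PREROUTING; the
    # equivalent hook for them is nat OUTPUT.
    printf 'iptables -t nat -A OUTPUT -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$addr" "$from" "$addr" "$to"
}

# Audit helper (assumed name): read `iptables -t nat -S` output on stdin and
# print which chains hold a DNAT rule for the given --dport: both,
# prerouting-only, output-only or none. Exit status 0 only for "both".
check_dnat_chains() {
    port=$1
    pre=0; out=0
    while IFS= read -r line; do
        case "$line" in
            "-A PREROUTING "*"--dport $port "*"-j DNAT"*) pre=1 ;;
            "-A OUTPUT "*"--dport $port "*"-j DNAT"*)     out=1 ;;
        esac
    done
    if [ "$pre" = 1 ] && [ "$out" = 1 ]; then echo both; return 0; fi
    if [ "$pre" = 1 ]; then echo prerouting-only; return 1; fi
    if [ "$out" = 1 ]; then echo output-only; return 1; fi
    echo none; return 1
}

# Apply the rules for real. Runs only as root with iptables available and
# only when APPLY=1 is set, so merely running this file changes nothing.
apply_dnat_rules() {
    dnat_rules "$ADDR" "$FROM_PORT" "$TO_PORT" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

# Constructed sample of `iptables -t nat -S` on a host configured exactly as
# in the post: the PREROUTING rule exists, the OUTPUT rule does not.
SAMPLE_NAT_DUMP='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 192.168.1.100/32 -p tcp -m tcp --dport 12345 -j DNAT --to-destination 192.168.1.100:22'

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    apply_dnat_rules
    iptables -t nat -S | check_dnat_chains "$FROM_PORT"
else
    echo "Rules needed for $ADDR:$FROM_PORT -> $ADDR:$TO_PORT"
    dnat_rules "$ADDR" "$FROM_PORT" "$TO_PORT"
    echo "Audit of the constructed dump (the post's setup):"
    printf '%s\n' "$SAMPLE_NAT_DUMP" | check_dnat_chains "$FROM_PORT" || true
fi
```

Two things worth keeping in mind when checking this on a live box: the nat table is consulted only for the first packet of a connection (conntrack carries the mapping for the rest), so an existing telnet session will not pick up a rule added afterwards; and a packet counter on the OUTPUT rule in `iptables -t nat -L OUTPUT -n -v` that stays at zero after a local `telnet 192.168.1.100 12345` tells you the local connection is not reaching that chain at all.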