iptables SNAT and DNAT on same packets
chris-usenet_at_roaima.co.uk
Date: 06/30/05
Date: Thu, 30 Jun 2005 14:52:51 +0100
Hi folks,
I'm trying to create a NAT box that will rewrite both source and
destination IP addresses for certain traffic streams. According to
various bits of documentation that I can find, I should be able to
apply a DNAT rule and an SNAT rule to the same packets. Unfortunately
it doesn't appear to work for me.
Problem:
Client cannot directly reach server
Solution:
Use intermediate NAT box on a network that can see both client
and server
Detail:
Client: 10.1.20.24
NAT box: 10.1.77.3 - but see notes (below)
Server: 10.7.9.1
The NAT box has a "real" IP address 10.1.1.106, is running as a bridge
(as configured with brctl), and in this scenario has a preferred
target IP address 10.1.77.3 assigned to br0:3
All networks are using a 16-bit netmask (255.255.0.0), so 10.1 is a
different network to 10.7
NAT box configuration:
# Rewrite NAT Box destination address to that of the real Server
#
iptables -A PREROUTING -t nat -d 10.1.77.3 -j DNAT --to-destination 10.7.1.9
# Rewrite Client source address to that of the NAT Box
#
iptables -A POSTROUTING -t nat -d 10.7.1.9 -j SNAT --to-source 10.1.77.3
Result:
Running tcpdump on the target shows that the client's packets are
arriving, so the DNAT rule has worked. Unfortunately the packets
have the client's IP address, so the SNAT rule has failed.
Suggestions anyone, please?
Thanks,
Chris
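As an added illustration (not code from the post), the following model shows how netfilter is expected to compose the two rules above on one connection: the POSTROUTING `-d 10.7.1.9` match is evaluated against the destination already rewritten by the PREROUTING DNAT, and conntrack reverses both translations on the reply without consulting the nat table again. It uses the addresses from the post as written in the rules (10.1.20.24, 10.1.77.3, 10.7.1.9) and simplifies conntrack to IP addresses only (no ports or protocols).

```python
"""Minimal model of PREROUTING DNAT + POSTROUTING SNAT on one connection.
Added example, not code from the post; addresses are the post's.
Simplification: conntrack keys on IP addresses only, no ports/protocols."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# (chain, match -d, target, address), mirroring the two iptables lines
NAT_RULES = [
    ("PREROUTING", "10.1.77.3", "DNAT", "10.7.1.9"),
    ("POSTROUTING", "10.7.1.9", "SNAT", "10.1.77.3"),
]

# conntrack: original (src, dst) -> translated (src, dst) after both chains
conntrack = {}


def run_chain(chain, pkt):
    """Apply the first matching rule of `chain`, as the nat table would."""
    for rule_chain, match_dst, target, addr in NAT_RULES:
        if rule_chain != chain or pkt.dst != match_dst:
            continue
        if target == "DNAT":
            return replace(pkt, dst=addr)
        if target == "SNAT":
            return replace(pkt, src=addr)
    return pkt


def forward(pkt):
    """Client -> server: PREROUTING (DNAT), then POSTROUTING (SNAT).
    Only the first packet of a connection consults the nat table; later
    packets of the same connection reuse the recorded conntrack mapping."""
    key = (pkt.src, pkt.dst)
    if key not in conntrack:
        out = run_chain("POSTROUTING", run_chain("PREROUTING", pkt))
        conntrack[key] = (out.src, out.dst)
    src, dst = conntrack[key]
    return Packet(src, dst)


def reply(pkt):
    """Server -> client: conntrack undoes both translations; no nat rule runs."""
    for (osrc, odst), (tsrc, tdst) in conntrack.items():
        if pkt.src == tdst and pkt.dst == tsrc:
            return Packet(odst, osrc)
    return pkt  # no matching connection: untouched
```

On a real box the equivalent check is whether the connection tracking table records the SNAT mapping at all (`conntrack -L` from conntrack-tools, or /proc/net/ip_conntrack on kernels of that era); an entry with the DNAT applied but the original source address is the mismatch to look for.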