* SNAT help
@ 2003-04-08 20:38 Scott Johnson
  0 siblings, 0 replies; 6+ messages in thread
From: Scott Johnson @ 2003-04-08 20:38 UTC (permalink / raw)
  To: netfilter


I'm new to iptables so I very much appreciate any help I can get.

I've been digging through information for about 1.5 weeks now and got most 
things to work, however I'm stumped on one thing...

I've got masquerading going on for the 3000+ work stations I have in 
house.  In addition, I've got some good basic firewalling going on, I'm 
still working on the rules, but I'm happy they're working as well as they 
are.

Now, I've got a few PC's that need a different public IP address from the 
masses.  So I'm trying to assign a static NAT to these.  When I assign the 
static nat rule, it never gets used.

For example:

eth0 - internal
eth1 - dmz
eth2 - external

iptables -t nat -A POSTROUTING -s 10.1.3.35/32 -o eth2 -j SNAT --to 1.2.3.4
(where 1.2.3.4 is the public address that I'm assigning)
ip address add 1.2.3.4 dev eth2

creates a rule that looks like:

   0     0 SNAT       all  --  *      eth2    10.1.3.35            0.0.0.0/0          to:1.2.3.4

When I go check my ip address at an external site, I keep getting the 
public interface IP address.

Again, any and all help is MUCH appreciated.

Thanks!
  Scott 





* SNAT help
@ 2003-04-09 15:47 Scott Johnson
  2003-04-09 16:25 ` Raymond Leach
  0 siblings, 1 reply; 6+ messages in thread
From: Scott Johnson @ 2003-04-09 15:47 UTC (permalink / raw)
  To: netfilter


I apologize if this message appears twice... I got a bounce on it the 
first time.

I'm new to iptables so I very much appreciate any help I can get.

I've been digging through information for about 1.5 weeks now and got most 
things to work, however I'm stumped on one thing...

I've got masquerading going on for the 3000+ work stations I have in 
house.  In addition, I've got some good basic firewalling going on, I'm 
still working on the rules, but I'm happy they're working as well as they 
are.

Now, I've got a few PC's that need a different public IP address from the 
masses.  So I'm trying to assign a static NAT to these.  When I assign the 
static nat rule, it never gets used.

For example:

eth0 - internal
eth1 - dmz
eth2 - external

iptables -t nat -A POSTROUTING -s 10.1.3.35/32 -o eth2 -j SNAT --to 1.2.3.4
(where 1.2.3.4 is the public address that I'm assigning)
ip address add 1.2.3.4 dev eth2

creates a rule that looks like:

   0     0 SNAT       all  --  *      eth2    10.1.3.35            0.0.0.0/0          to:1.2.3.4

When I go check my ip address at an external site, I keep getting the 
public interface IP address.

Again, any and all help is MUCH appreciated.

Thanks!
  Scott 






* Re: SNAT help
  2003-04-09 15:47 SNAT help Scott Johnson
@ 2003-04-09 16:25 ` Raymond Leach
  0 siblings, 0 replies; 6+ messages in thread
From: Raymond Leach @ 2003-04-09 16:25 UTC (permalink / raw)
  To: Netfilter Mailing List


Where did you put that rule? Does it come before your other SNAT rules?

Are you running a transparent web cache (like squid)?

Ray

On Wed, 2003-04-09 at 17:47, Scott Johnson wrote:
> I apologize if this message appears twice... I got a bounce on it the 
> first time.
> 
> I'm new to iptables so I very much appreciate any help I can get.
> 
> I've been digging through information for about 1.5 weeks now and got most 
> things to work, however I'm stumped on one thing...
> 
> I've got masquerading going on for the 3000+ work stations I have in 
> house.  In addition, I've got some good basic firewalling going on, I'm 
> still working on the rules, but I'm happy they're working as well as they 
> are.
> 
> Now, I've got a few PC's that need a different public IP address from the 
> masses.  So I'm trying to assign a static NAT to these.  When I assign the 
> static nat rule, it never gets used.
> 
> For example:
> 
> eth0 - internal
> eth1 - dmz
> eth2 - external
> 
> iptables -t nat -A POSTROUTING -s 10.1.3.35/32 -o eth2 -j SNAT --to 1.2.3.4
> (where 1.2.3.4 is the public address that I'm assigning)
> ip address add 1.2.3.4 dev eth2
> 
> creates a rule that looks like:
> 
>    0     0 SNAT       all  --  *      eth2    10.1.3.35            0.0.0.0/0          to:1.2.3.4
> 
> When I go check my ip address at an external site, I keep getting the 
> public interface IP address.
> 
> Again, any and all help is MUCH appreciated.
> 
> Thanks!
>   Scott 
> 



* SNAT help
@ 2005-05-09  8:31 cranium2003
  2005-05-10 17:12 ` Asim Shankar
  0 siblings, 1 reply; 6+ messages in thread
From: cranium2003 @ 2005-05-09  8:31 UTC (permalink / raw)
  To: net dev

Hello,
         I want to execute my code at
NF_IP_POST_ROUTING. For that, first I want to know
which functions are executing at the NF_IP_POST_ROUTING
hook. Then I have enabled SNAT and I have written code
at NF_IP_POST_ROUTING, but I want to get outgoing
packets' IP address as the new SNAT'ed IP address, not
the one that is before SNAT. How can I do that?
         I observe that my code and SNAT are executing
at the same hook, NF_IP_POST_ROUTING. But my code is
executed first and then SNAT is done; how do I
reverse that?
regards,
cranium


		

* Re: SNAT help
  2005-05-09  8:31 cranium2003
@ 2005-05-10 17:12 ` Asim Shankar
  0 siblings, 0 replies; 6+ messages in thread
From: Asim Shankar @ 2005-05-10 17:12 UTC (permalink / raw)
  To: cranium2003; +Cc: net dev

> I have enabled SNAT and I have written code
> at NF_IP_POST_ROUTING but I want to get outgoing
> packets' IP address as new one SNAT'ed IP address not
> the one that is before SNAT? How can I do that?

I think changing the priority (struct nf_hook_ops.priority) when
registering the hook would do your job. ip_nat_out_ops registers a
hook with a priority NF_IP_PRI_NAT_SRC.

If you register your hook with a priority greater than
NF_IP_PRI_NAT_SRC (like (NF_IP_PRI_NAT_SRC + 1) or NF_IP_PRI_LAST)
then your hook will be called after the ip_nat_out_ops hook.

Hope that helps,

-- Asim
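
Added example, not part of the original message and not kernel code: a userspace C model of the priority ordering described in the reply above, showing which source address a hook sees depending on the priority it registers with. The struct, function names and addresses are constructed for illustration; only the two NF_IP_PRI_* values mirror the kernel's.

```c
#include <limits.h>
#include <stdint.h>
#include <string.h>

/* Same values as the kernel's enum nf_ip_hook_priorities. */
#define NF_IP_PRI_NAT_SRC 100
#define NF_IP_PRI_LAST    INT_MAX

#define INSIDE  0x0A000005u   /* 10.0.0.5, constructed pre-NAT source */
#define SNAT_TO 0xC0000201u   /* 192.0.2.1, constructed SNAT address  */

struct pkt  { uint32_t saddr; };            /* stand-in for the IP header  */
typedef void (*hookfn)(struct pkt *);
struct hook { hookfn fn; int priority; };   /* stand-in for nf_hook_ops    */

static struct hook chain[8];                /* hooks on POST_ROUTING       */
static size_t nhooks;
static uint32_t seen;                       /* saddr the observer recorded */

static void snat_hook(struct pkt *p)     { p->saddr = SNAT_TO; }
static void observer_hook(struct pkt *p) { seen = p->saddr; }

/* Insert so the chain stays in ascending priority order. */
static void register_hook(hookfn fn, int priority)
{
    size_t i = 0;
    while (i < nhooks && chain[i].priority <= priority)
        i++;
    memmove(&chain[i + 1], &chain[i], (nhooks - i) * sizeof chain[0]);
    chain[i] = (struct hook){ fn, priority };
    nhooks++;
}

/* Send one packet down the chain; return the source address the
 * observer saw when registered at observer_prio. */
uint32_t observed_saddr(int observer_prio)
{
    struct pkt p = { INSIDE };
    nhooks = 0;
    register_hook(observer_hook, observer_prio);
    register_hook(snat_hook, NF_IP_PRI_NAT_SRC);
    for (size_t i = 0; i < nhooks; i++)
        chain[i].fn(&p);
    return seen;
}

int main(void)
{
    /* Exit 0 if a hook at NF_IP_PRI_NAT_SRC + 1 sees the translated address. */
    return observed_saddr(NF_IP_PRI_NAT_SRC + 1) == SNAT_TO ? 0 : 1;
}
```
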


Thread overview: 6+ messages
2003-04-09 15:47 SNAT help Scott Johnson
2003-04-09 16:25 ` Raymond Leach
  -- strict thread matches above, loose matches on Subject: below --
2005-05-09  8:31 cranium2003
2005-05-10 17:12 ` Asim Shankar
2003-04-09 14:59 Scott Johnson
2003-04-08 20:38 Scott Johnson
