* Problem with SNAT
@ 2004-09-02 18:57 Bgs
  2004-09-02 20:17 ` Jason Opperisano
  0 siblings, 1 reply; 8+ messages in thread
From: Bgs @ 2004-09-02 18:57 UTC (permalink / raw)
  To: Netfilter


  Greetings,

I have problems with the following setup:

A linux with two NICs. One with IP of 10.0.2.2 and one with 10.0.3.57.
I have DNAT-ed traffic coming in on the 10.0.2.2 that was originally 
sent to 10.0.2.1. (Another node doing the DNAT). I have problems on the 
route back so I decided to SNAT the backward udp traffic to source 
10.0.2.1 and send the SNATed packets back on another route.

I added the line to nat postrouting (-d target_net -s 10.0.2.2 -p udp -j 
SNAT --to-source 10.0.2.1) but the packets don't even seem to hit the 
nat postrouting chain. Let alone my SNAT rule.

Any ideas what could be wrong ?

Thanks
Bgs


* Re: Problem with SNAT
  2004-09-02 18:57 Problem with SNAT Bgs
@ 2004-09-02 20:17 ` Jason Opperisano
  2004-09-03 11:06   ` Alistair Tonner
  2004-09-03 17:00   ` Bgs
  0 siblings, 2 replies; 8+ messages in thread
From: Jason Opperisano @ 2004-09-02 20:17 UTC (permalink / raw)
  To: netfilter

On Thu, 2004-09-02 at 14:57, Bgs wrote:
>   Greetings,
> 
> I have problems with the following setup:
> 
> A linux with two NICs. One with IP of 10.0.2.2 and one with 10.0.3.57.
> I have DNAT-ed traffic coming in on the 10.0.2.2 that was originally 
> sent to 10.0.2.1. (Another node doing the DNAT). I have problems on the 
> route back so I decided to SNAT the backward udp traffic to source 
> 10.0.2.1 and send the SNATed packets back on another route.
> 
> I added the line to nat postrouting (-d target_net -s 10.0.2.2 -p udp -j 
> SNAT --to-source 10.0.2.1) but the packets don't even seem to hit the 
> nat postrouting chain. Let alone my SNAT rule.
> 
> Any ideas what could be wrong ?
> 
> Thanks
> Bgs

since i have to guess (hint:  post your rules [1] if you want us to find
the problem for you)...

i would say that your filter rules drop the packet before they ever get
to the POSTROUTING chain of the nat table.

-j

[1] - iptables -vnL && iptables -t nat -vnL && iptables -t mangle -vnL

-- 
Jason Opperisano <opie@817west.com>

* Re: Problem with SNAT
  2004-09-02 20:17 ` Jason Opperisano
@ 2004-09-03 11:06   ` Alistair Tonner
  2004-09-03 17:00   ` Bgs
  1 sibling, 0 replies; 8+ messages in thread
From: Alistair Tonner @ 2004-09-03 11:06 UTC (permalink / raw)
  To: netfilter

On September 2, 2004 04:17 pm, Jason Opperisano wrote:
> On Thu, 2004-09-02 at 14:57, Bgs wrote:
> >   Greetings,
> >
> > I have problems with the following setup:
> >
> > A linux with two NICs. One with IP of 10.0.2.2 and one with 10.0.3.57.
> > I have DNAT-ed traffic coming in on the 10.0.2.2 that was originally
> > sent to 10.0.2.1. (Another node doing the DNAT). I have problems on the
> > route back so I decided to SNAT the backward udp traffic to source
> > 10.0.2.1 and send the SNATed packets back on another route.
> >
> > I added the line to nat postrouting (-d target_net -s 10.0.2.2 -p udp -j
> > SNAT --to-source 10.0.2.1) but the packets don't even seem to hit the
> > nat postrouting chain. Let alone my SNAT rule.
> >
> > Any ideas what could be wrong ?
> >
> > Thanks
> > Bgs
>
> since i have to guess (hint:  post your rules [1] if you want us to find
> the problem for you)...
>
> i would say that your filter rules drop the packet before they ever get
> to the POSTROUTING chain of the nat table.
>
> -j
>
> [1] - iptables -vnL && iptables -t nat -vnL && iptables -t mangle -vnL

	Furthermore, we could use the routing table on the box as well.

	Classically, 10.x.x.x addressed networks have a mask of 255.0.0.0,
	which might not result in good routes.

	Alistair.

* Re: Problem with SNAT
  2004-09-02 20:17 ` Jason Opperisano
  2004-09-03 11:06   ` Alistair Tonner
@ 2004-09-03 17:00   ` Bgs
  1 sibling, 0 replies; 8+ messages in thread
From: Bgs @ 2004-09-03 17:00 UTC (permalink / raw)
  To: netfilter



>>A linux with two NICs. One with IP of 10.0.2.2 and one with 10.0.3.57.
>>I have DNAT-ed traffic coming in on the 10.0.2.2 that was originally 
>>sent to 10.0.2.1. (Another node doing the DNAT). I have problems on the 
>>route back so I decided to SNAT the backward udp traffic to source 
>>10.0.2.1 and send the SNATed packets back on another route.
>>
>>I added the line to nat postrouting (-d target_net -s 10.0.2.2 -p udp -j 
>>SNAT --to-source 10.0.2.1) but the packets don't even seem to hit the 
>>nat postrouting chain. Let alone my SNAT rule.
>
> since i have to guess (hint:  post your rules [1] if you want us to find
> the problem for you)...
> 
> i would say that your filter rules drop the packet before they ever get
> to the POSTROUTING chain of the nat table.
> 
> -j
> 
> [1] - iptables -vnL && iptables -t nat -vnL && iptables -t mangle -vnL
> 

  Greetings,

I don't have access right now to the box, but I dumped the traffic and 
the packets go out unSNATed :)
The box's ruleset is completely empty, it has only this one rule...
Netmasks are 24 bits.

Incoming packet to 10.0.2.2 (originally sent to 10.0.2.1). Outbound udp 
traffic from 10.0.2.2 should be SNATed back to 10.0.2.1.

Bye
Bgs

* Problem with SNAT
@ 2006-05-24 19:59 Ian Batterbee
  0 siblings, 0 replies; 8+ messages in thread
From: Ian Batterbee @ 2006-05-24 19:59 UTC (permalink / raw)
  To: netfilter

For those of you who remember my problem from a week or so ago, this is 
a continuation of the same thing.

I've now changed from using MASQ to using SNAT in order to work around 
the problem where MASQ and policy routing don't work together, however 
I've run into a new problem.

My linux box has 3 interfaces -
eth0 - 192.168.0.1/24 (outside - goes to an adsl modem)
eth1 - x.x.252.33/29   (inside)
ppp0 - z.z.2.204/32 (ssh tunnel to work)

In order to source nat anything I route down the tunnel onto the 
tunnel's IP address, I have the following SNAT command active:

iptables -t nat -I POSTROUTING -o ppp0 -j SNAT --to-source z.z.2.204

The problem is that the -o ppp0 bit seems to be being ignored. If I ssh 
from my windows machine (x.x.252.36) to x.x.252.33, my address gets 
translated to z.z.2.204, even though the address I connect to is on 
the same subnet. I.e., it shouldn't have gone anywhere near the ppp0 
interface.

A tcpdump -n shows that the SYN comes from the correct address of 
x.x.252.36, and the reply is sent there, but unless I add ALL:z.z.2.204 
into /etc/hosts, sshd resets the tcp connection, strongly suggesting 
that the SNAT has occurred by the time the sshd process sees the packet.

Is this expected behaviour ?

* Problem with snat.
@ 2017-07-16 22:07 sorcus
  2017-07-17  6:22 ` Arturo Borrero Gonzalez
  0 siblings, 1 reply; 8+ messages in thread
From: sorcus @ 2017-07-16 22:07 UTC (permalink / raw)
  To: netfilter-devel

Can you confirm whether that is a bug or not?

https://serverfault.com/questions/861375/what-wrong-with-snat-in-nftables
http://marc.info/?t=149969788400002&r=1&w=2
https://github.com/NixOS/nixpkgs/issues/27093

No one can help me. And I don't know what I need to do now.
Thank you.

* Re: Problem with snat.
  2017-07-16 22:07 Problem with snat sorcus
@ 2017-07-17  6:22 ` Arturo Borrero Gonzalez
  2017-07-17 12:50   ` sorcus
  0 siblings, 1 reply; 8+ messages in thread
From: Arturo Borrero Gonzalez @ 2017-07-17  6:22 UTC (permalink / raw)
  To: sorcus; +Cc: Netfilter Development Mailing list

On 17 July 2017 at 00:07,  <sorcus@inwebse.com> wrote:
> Can you confirm whether that is a bug or not?
>
> https://serverfault.com/questions/861375/what-wrong-with-snat-in-nftables
> http://marc.info/?t=149969788400002&r=1&w=2
> https://github.com/NixOS/nixpkgs/issues/27093
>
> No one can help me. And I don't know what I need to do now.

You are probably lacking the reply NAT chain, which needs to be registered.

https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)

I'm updating the wiki right now to put this in bold.
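The shape of the mistake Arturo describes, as an added example (constructed here, not the poster's ruleset or anything from the linked wiki page); the LAN prefix 10.0.0.0/24, the public address 203.0.113.1 and the interface name eth0 are assumptions, and the two tables below are alternatives to load one at a time, not together:

```nft
# BROKEN: only the postrouting hook is registered. The outbound packet
# is SNATed, but the nat core has no chain on the path the reply takes,
# so replies are never mapped back to the LAN host and the flow hangs.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" ip saddr 10.0.0.0/24 snat to 203.0.113.1
    }
}

# FIXED: also register a nat chain on the prerouting hook. It can stay
# empty; its presence is what lets the reply direction of the tracked
# connection be rewritten.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" ip saddr 10.0.0.0/24 snat to 203.0.113.1
    }
}
```

After loading the fixed ruleset, `nft list ruleset` should show both chains under `table ip nat`, and a quick check is a LAN host's connection through eth0 now completing rather than stalling after the first packet.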


* Re: Problem with snat.
  2017-07-17  6:22 ` Arturo Borrero Gonzalez
@ 2017-07-17 12:50   ` sorcus
  0 siblings, 0 replies; 8+ messages in thread
From: sorcus @ 2017-07-17 12:50 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez; +Cc: Netfilter Development Mailing list

Thank you so much. Now it's working.

On 2017-07-17 06:22, Arturo Borrero Gonzalez wrote:
> You are probably lacking the reply NAT chain, which needs to be 
> registered.
> 
> https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)
> 
> I'm updating right now the wiki to put this in bold.