* DNAT and source IP
@ 2009-10-20  8:16 Daniel Huhardeaux
  2009-10-20 10:13 ` Jan Engelhardt
  0 siblings, 1 reply; 4+ messages in thread
From: Daniel Huhardeaux @ 2009-10-20  8:16 UTC (permalink / raw)
  To: Netfilter list

Hello everybody,

I'm running a few virtual machines (kvm+libvirt) on a server (Debian Lenny 
+ backport kernel 2.6.30) with one public IP and a private IP range: 
10.99.0.1 for the host, one for the mail and web VM (10.99.0.13), another for 
the telephony VM (10.99.0.11).

Everything is working well (DNAT) but something is disturbing me: for 
instance, on the smtp server, all incoming tcp packets are marked with 
10.99.0.1 as source IP and I would like to have "transparent DNAT" which 
keeps the original IP.

I also tried xinetd and its redirect feature, same problem. For 
telephony, using udp, it's also a problem.

My question is: is there a way to achieve my needs with iptables (or another 
solution?) or is bridging the only way?

Thanks for any feedback/idea

-- 
Daniel


* Re: DNAT and source IP
  2009-10-20  8:16 DNAT and source IP Daniel Huhardeaux
@ 2009-10-20 10:13 ` Jan Engelhardt
  2009-10-20 14:17   ` Daniel Huhardeaux
  2009-10-20 14:50   ` Daniel Huhardeaux
  0 siblings, 2 replies; 4+ messages in thread
From: Jan Engelhardt @ 2009-10-20 10:13 UTC (permalink / raw)
  To: Daniel Huhardeaux; +Cc: Netfilter list


On Tuesday 2009-10-20 10:16, Daniel Huhardeaux wrote:
>
> I'm running a few virtual machines (kvm+libvirt) on a server (Debian Lenny +
> backport kernel 2.6.30) with one public IP and a private IP range:
> 10.99.0.1 for the host, one for the mail and web VM (10.99.0.13), another for the
> telephony VM (10.99.0.11).
>
> Everything is working well (DNAT) but something is disturbing me: for instance,
> on the smtp server, all incoming tcp packets are marked with 10.99.0.1 as source IP
> and I would like to have "transparent DNAT" which keeps the original IP.

You need tproxy then, and not NAT.



* Re: DNAT and source IP
  2009-10-20 10:13 ` Jan Engelhardt
@ 2009-10-20 14:17   ` Daniel Huhardeaux
  2009-10-20 14:50   ` Daniel Huhardeaux
  1 sibling, 0 replies; 4+ messages in thread
From: Daniel Huhardeaux @ 2009-10-20 14:17 UTC (permalink / raw)
  To: Netfilter list

Jan Engelhardt a écrit :
> On Tuesday 2009-10-20 10:16, Daniel Huhardeaux wrote:
>> I'm running a few virtual machines (kvm+libvirt) on a server (Debian Lenny +
>> backport kernel 2.6.30) with one public IP and a private IP range:
>> 10.99.0.1 for the host, one for the mail and web VM (10.99.0.13), another for the
>> telephony VM (10.99.0.11).
>>
>> Everything is working well (DNAT) but something is disturbing me: for instance,
>> on the smtp server, all incoming tcp packets are marked with 10.99.0.1 as source IP
>> and I would like to have "transparent DNAT" which keeps the original IP.
> 
> You need tproxy then, and not NAT.
> 

Hi Jan,

I think I loaded the well-known modules:

~$sudo lsmod|grep nf
nf_tproxy_core          3040  1 xt_TPROXY,[permanent]
nf_nat                 20068  2 ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4      15240  15 iptable_nat,nf_nat
nf_conntrack           70000  5 ipt_MASQUERADE,xt_state,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4          2288  2 xt_TPROXY,nf_conntrack_ipv4

but can't get it to work.

From some docs, a table should exist (?)

sudo /sbin/iptables -t tproxy -F
iptables v1.4.2: can't initialize iptables table `tproxy': Table does 
not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Others say it's a target rule but I can't get it to work:

~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport 25 -j TPROXY --on-port 25 --on-ip 10.1.70.13
iptables v1.4.2: Unknown arg `(null)'
Try `iptables -h' or 'iptables --help' for more information.

Thanks for any hint and good and complete doc if any.

-- 
Daniel
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
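For reference, the complete host-side setup TPROXY needs, as an added example that is not part of this thread: the single mangle rule tried above is not sufficient, because the TPROXY target also needs a fwmark and a policy route that delivers marked packets to the local stack, and the listening socket must live on the host itself (bound with IP_TRANSPARENT); TPROXY cannot hand a packet to a socket inside a guest VM. Assumed values: host address 10.99.0.1, TCP port 25, mark 1, routing table 100; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values below; override via env.
ON_IP="${ON_IP:-10.99.0.1}"    # host-local address the transparent listener binds
ON_PORT="${ON_PORT:-25}"       # port of that listener
MARK="${MARK:-1}"              # fwmark set by TPROXY, keyed on by the policy route
TABLE="${TABLE:-100}"          # routing table holding the "local" catch-all route

# Print the command instead of running it unless DRY_RUN=0 (needs root).
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Policy routing: packets carrying MARK are routed to the local stack even
# though their destination address is not configured on this host.
tproxy_routing() {
  run ip rule add fwmark "$MARK" lookup "$TABLE"
  run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# The mangle rule: redirect to the local listener and set the mark the
# routing above depends on (--tproxy-mark is what the rule in the thread lacked).
tproxy_rule() {
  run iptables -t mangle -A PREROUTING -p tcp --dport "$ON_PORT" \
    -j TPROXY --on-port "$ON_PORT" --on-ip "$ON_IP" --tproxy-mark "$MARK/$MARK"
}

# Preflight: iptables must know the TPROXY target (the thread's 1.4.2 did not,
# 1.4.4 did) and the kernel must provide xt_TPROXY. Returns non-zero otherwise.
tproxy_preflight() {
  iptables -t mangle -j TPROXY --help >/dev/null 2>&1 || return 1
  lsmod | grep -q '^xt_TPROXY' || modprobe xt_TPROXY || return 1
}
```

Apply with `DRY_RUN=0` only after `tproxy_preflight` succeeds; the order (routing first, then the mangle rule) avoids a window where marked packets have no route.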


* Re: DNAT and source IP
  2009-10-20 10:13 ` Jan Engelhardt
  2009-10-20 14:17   ` Daniel Huhardeaux
@ 2009-10-20 14:50   ` Daniel Huhardeaux
  1 sibling, 0 replies; 4+ messages in thread
From: Daniel Huhardeaux @ 2009-10-20 14:50 UTC (permalink / raw)
  To: Netfilter list

Jan Engelhardt a écrit :
> On Tuesday 2009-10-20 10:16, Daniel Huhardeaux wrote:
>> I'm running a few virtual machines (kvm+libvirt) on a server (Debian Lenny +
>> backport kernel 2.6.30) with one public IP and a private IP range:
>> 10.99.0.1 for the host, one for the mail and web VM (10.99.0.13), another for the
>> telephony VM (10.99.0.11).
>>
>> Everything is working well (DNAT) but something is disturbing me: for instance,
>> on the smtp server, all incoming tcp packets are marked with 10.99.0.1 as source IP
>> and I would like to have "transparent DNAT" which keeps the original IP.
> 
> You need tproxy then, and not NAT.
> 
|[...]
|Others say it's a target rule but I can't get it to work:
|
|~$ sudo iptables -t mangle -A PREROUTING -p tcp --dport 25 -j TPROXY
|--on-port 25 --on-ip 10.1.70.13
|iptables v1.4.2: Unknown arg `(null)'
|Try `iptables -h' or 'iptables --help' for more information.
|
|Thanks for any hint and good and complete doc if any.

Got it, sorry for the noise: forgot to upgrade iptables to version 
1.4.4-2 from backports.

-- 
Daniel
