From: Erik Schorr <erik-lists@arpa.org>
To: netfilter@vger.kernel.org
Cc: Ajith Adapa <adapa.ajith@gmail.com>
Subject: Re: Regarding iptable rules for SNAT
Date: Tue, 18 Oct 2011 11:33:24 -0700
Message-ID: <4E9DC674.3050607@arpa.org>
In-Reply-To: <CADAe=+Lo46K956EAdtBchVUPkLs-aLoDk7p8HGC5-Bd4PGKy3Q@mail.gmail.com>

On 10/17/2011 8:42 PM, Ajith Adapa wrote:
> I have the following setup. GW eth1 (private IP) is connected to the ISP
> router. For host H1 I have set the DNS server as 10.12.3.10.
>
> H1 (eth0) --- (eth0) GW (eth1) ---
> H1 eth0 = 192.168.1.2
> GW eth0 = 192.168.1.1
> GW eth1 = 10.12.3.12
> DNS = 10.12.3.10
>
> I have added a rule in GW saying iptables -A POSTROUTING -t nat -o
> eth1 -j MASQUERADE
>
> Now when I am trying to access the internet from host H1, DNS queries are
> being sent to 10.12.3.10 and are masqueraded in GW. Once the replies
> come back from the DNS server, GW replies to the DNS server with
> ICMP destination unreachable.

If there's no reason to SNAT/masquerade traffic from eth0 to a host on 
eth1 (10.12.3.*), you can try inserting an ACCEPT rule in the 
POSTROUTING table just before the MASQUERADE rule, to prevent the 
traffic from 192.168.1.* to 10.12.3.* having its source address changed 
in flight:

# iptables -A POSTROUTING -t nat -o eth1 -m comment --comment "dont masq stuff from private net to DMZ net" -s 192.168.1.0/24 -d 10.12.3.0/24 -j ACCEPT
# iptables -A POSTROUTING -t nat -o eth1 -m comment --comment "masq everything else" -j MASQUERADE

> Ideally, once the reply comes back, GW has to send it to host H1, right?
>
> Sorry if I am wrong or missed any steps down here.
>
> Regards,
> Ajith

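The following script is an added example and is not part of Erik's or Ajith's messages. It applies the two POSTROUTING rules Erik describes so that the LAN-to-DMZ exclusion is guaranteed to sit before MASQUERADE (iptables walks a chain top-down and the first matching terminating target wins, so an exclusion appended with -A after an existing MASQUERADE rule is never reached; -I 1 puts it first), and it checks the resulting order from an iptables-save dump. Interface and subnet names are taken from Ajith's setup; the comment strings, the IPT override for a dry run, and the two iptables-save dumps are assumptions constructed for the demonstration, not captured from GW.

```shell
#!/bin/sh
# Added example, not code from the thread.  Applies the two nat POSTROUTING
# rules in an order-safe, re-runnable way and verifies the order from an
# iptables-save dump.  Interface/subnets follow Ajith's setup; the comment
# strings and the IPT override are assumptions made here.

IPT="${IPT:-iptables}"      # set IPT=echo for a dry run without root/iptables
WAN_IF=eth1
LAN_NET=192.168.1.0/24
DMZ_NET=10.12.3.0/24

# Rule specs as single strings (no spaces inside the comments, so the
# unquoted expansions below split into the intended arguments).
EXCL_RULE="-o $WAN_IF -s $LAN_NET -d $DMZ_NET -m comment --comment dont-masq-lan-to-dmz -j ACCEPT"
MASQ_RULE="-o $WAN_IF -m comment --comment masq-everything-else -j MASQUERADE"

# First match wins in a chain.  -A appends, so an exclusion appended after
# an existing MASQUERADE rule is dead; -I POSTROUTING 1 puts it first.
apply_rules() {
    # remove earlier copies so the script can be re-run without duplicates
    "$IPT" -t nat -C POSTROUTING $EXCL_RULE 2>/dev/null && "$IPT" -t nat -D POSTROUTING $EXCL_RULE
    "$IPT" -t nat -C POSTROUTING $MASQ_RULE 2>/dev/null && "$IPT" -t nat -D POSTROUTING $MASQ_RULE
    "$IPT" -t nat -A POSTROUTING $MASQ_RULE
    "$IPT" -t nat -I POSTROUTING 1 $EXCL_RULE
}

# Read an iptables-save dump on stdin; return 0 only if, in the nat table's
# POSTROUTING chain, the LAN->DMZ ACCEPT precedes the MASQUERADE rule.
check_order() {
    awk -v lan="$LAN_NET" -v dmz="$DMZ_NET" -v wan="$WAN_IF" '
        /^\*/ { table = substr($0, 2); next }        # "*nat", "*filter", ...
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            n++
            if (!acc && $0 ~ ("-s " lan) && $0 ~ ("-d " dmz) && $0 ~ ("-o " wan) && $0 ~ /-j ACCEPT$/) acc = n
            if (!masq && $0 ~ ("-o " wan) && $0 ~ /-j MASQUERADE$/) masq = n
        }
        END { if (acc && masq && acc < masq) exit 0; exit 1 }
    '
}

# Constructed iptables-save dumps for the demo (not captured from GW).
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -d 10.12.3.0/24 -o eth1 -m comment --comment dont-masq-lan-to-dmz -j ACCEPT
-A POSTROUTING -o eth1 -m comment --comment masq-everything-else -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT'

# Same two rules, but the exclusion was appended after MASQUERADE: it never
# matches, so 192.168.1.x -> 10.12.3.x is still source-NATed.
BAD_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth1 -m comment --comment masq-everything-else -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 10.12.3.0/24 -o eth1 -m comment --comment dont-masq-lan-to-dmz -j ACCEPT
COMMIT'

case "${1:-}" in
    apply) apply_rules ;;
    check) iptables-save | check_order && echo "order OK" || { echo "exclusion is not before MASQUERADE"; exit 1; } ;;
    demo)  printf '%s\n' "$GOOD_DUMP" | check_order && echo "good dump: ok"
           printf '%s\n' "$BAD_DUMP"  | check_order || echo "bad dump: rejected" ;;
esac
```

Run with `apply` on the gateway to install the rules, `check` to audit a live ruleset, or `demo` to exercise the checker against the two constructed dumps; `IPT=echo ./script apply` prints the commands instead of running them.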
