only SNAT packets originating from local?

only SNAT packets originating from local?

[Christian Bricart]

Hi,

is there a simple way to do SNAT for packets that originate from the
router itself?
I want to set a static IP for a multihomed router that does forwarding, too.

I've tried to set:

iptables -t nat -I POSTROUTING -p tcp --dport 4711 -j SNAT --to-source
1.2.3.4

but that does SNAT on forwardes packets, too..
Do I miss a rule on "-t filter OUTPUT"? maybe mangle with -j MARK and SNAT
packets that have a mark set?

Christian

Re: only SNAT packets originating from local?

[curby .]

(forgot to CC the list the first time i sent this)

On 9/2/05, Christian Bricart <christian@bricart.de> wrote:
> is there a simple way to do SNAT for packets that originate from the
> router itself?

Try using something like the following:

iptables -t nat -A OUTPUT -j SNAT --to-source $EXTDEV_SNATIP

Of course, this is oftentimes not necessary, but it might be if you
have *multiple* external-facing static IPs from which you want to set
one for outbound traffic.

Off-topic musing: It might also be strange if you have two static IPs
A and B with sshd listening to port 22 on both of them.  Someone
connects to B, but you SNAT the reply out of A, and the client gets
confused and drops the reply.

--Curby