* SNAT - matching original and natted IP addresses
From: Shirley Ong @ 2010-01-15 15:33 UTC
To: netfilter
Hi,
I'm trying to map a range of private IP addresses to a range of public
IP addresses. For this, I'm using SNAT:
# iptables -t nat -A POSTROUTING -s <private range> -d ! <private range> -j SNAT --to-source <public range>
The public range is higher than the private range. I can see from
conntrack that the last 2 octets of the original and natted IP addresses
are always the same. Can I be sure that the mapping is always correct
without parsing conntrack from time to time, because that is heavy
processing? Or is there any other way that I can make sure the mapping
is always correct?
Thanks.
Shirley
* Re: SNAT - matching original and natted IP addresses
From: Leonardo Rodrigues @ 2010-01-15 16:19 UTC
To: Shirley Ong; +Cc: netfilter
Shirley Ong wrote:
> Hi,
>
> I'm trying to map a range of private IP addresses to a range of public
> IP addresses. For this, I'm using SNAT:
>
> # iptables -t nat -A POSTROUTING -s <private range> -d ! <private range> -j SNAT --to-source <public range>
>
> The public range is higher than private range. I can see from
> conntrack that the last 2 octets of original and natted IP addresses
> are always the same. Can I be sure that the mapping is always correct
> without parsing conntrack from time to time because it's heavy
> processing? Or is there any other way that I can make sure the mapping
> is always correct?
>
It seems to me that using the NETMAP target will be more interesting
to you than using SNAT. AFAIK, SNAT does not guarantee you that.
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
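To make the point about NETMAP concrete, here is an added example (not from the thread or from netfilter itself): it computes the 1:1 address NETMAP produces (host bits kept, network bits swapped) and uses that to audit conntrack entries for mappings that break it. The /16 ranges and the ip_conntrack-style lines are constructed; the equivalent rule is given in a comment.

```python
import ipaddress
import re

# Constructed example ranges (not from the thread): a private /16 mapped
# 1:1 onto a /16 from the RFC 2544 benchmarking block. The rule that does
# this with the NETMAP target would be:
#   iptables -t nat -A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 \
#            -j NETMAP --to 198.18.0.0/16
PRIVATE_NET = ipaddress.ip_network("10.10.0.0/16")
PUBLIC_NET = ipaddress.ip_network("198.18.0.0/16")

def netmap(addr, src_net, dst_net):
    """Address the NETMAP target yields: keep the host bits of `addr`
    (under src_net's mask) and replace the network bits with dst_net's.
    Both ranges must have the same prefix length."""
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NETMAP needs equal-sized ranges")
    addr = ipaddress.ip_address(str(addr))
    if addr not in src_net:
        raise ValueError(f"{addr} is outside {src_net}")
    host_bits = int(addr) & ~int(src_net.netmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)

# A conntrack entry lists the original tuple, then the reply tuple; the
# reply tuple's dst= is the address the connection was source-NATted to.
_SRC = re.compile(r"src=(\S+)")
_DST = re.compile(r"dst=(\S+)")

def check_conntrack_line(line, src_net=PRIVATE_NET, dst_net=PUBLIC_NET):
    """Return (orig_src, natted_src, ok); ok is True when the NAT result
    equals the 1:1 NETMAP mapping (or the entry is outside src_net)."""
    srcs, dsts = _SRC.findall(line), _DST.findall(line)
    if len(srcs) < 2 or len(dsts) < 2:
        raise ValueError("line lacks original and reply tuples")
    orig_src = ipaddress.ip_address(srcs[0])
    natted_src = ipaddress.ip_address(dsts[1])
    if orig_src not in src_net:
        return orig_src, natted_src, True  # not subject to the rule
    return orig_src, natted_src, natted_src == netmap(orig_src, src_net, dst_net)

# Constructed /proc/net/ip_conntrack-style entries: the first follows the
# 1:1 mapping; the second is the kind of result SNAT --to-source <range>
# is free to produce, since it only promises an address from the range.
SAMPLE_CONNTRACK = [
    "tcp 6 431999 ESTABLISHED src=10.10.1.2 dst=192.0.2.10 sport=3387 dport=80 "
    "src=192.0.2.10 dst=198.18.1.2 sport=80 dport=3387 [ASSURED] mark=0 use=1",
    "tcp 6 431999 ESTABLISHED src=10.10.7.9 dst=192.0.2.10 sport=4001 dport=80 "
    "src=192.0.2.10 dst=198.18.200.5 sport=80 dport=4001 [ASSURED] mark=0 use=1",
]

def find_mismatches(lines=SAMPLE_CONNTRACK):
    """(orig_src, natted_src) pairs whose NAT result breaks the 1:1 mapping."""
    return [(str(o), str(n)) for o, n, ok in map(check_conntrack_line, lines) if not ok]
```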
* SNAT - on bridge only addressing some packets?
From: Timothy Hayes @ 2010-07-29 19:37 UTC
Cc: netfilter
First, I only casually use netfilter normally, and never before with a bridged configuration, so I apologize for any missing details.
What I need to do is have each connection from one box on the local side of the bridge appear to come from a different IP than the system currently does. As I've stated, the system that I've been told to enact these changes on appears to be a transparent bridge configuration.
The bridge is currently running ubuntu 9.04
2.6.28-19-server #61-Ubuntu SMP Thu May 27 00:22:27 UTC 2010 x86_64 GNU/Linux
An outsourced vendor is using shorewall version 4.0.15 for firewall management.
The virtual bridge interface is br0.
The external interface is eth0.
The internal interface is eth2.
The source host appears to have a router external to the bridge as its default gateway.
I've been trying a rule similar to:
iptables -t nat -A POSTROUTING -o br0 -p tcp -s <unnated source host> -d <external webhost> -j SNAT --to-source <natted sourcehost>
What I see off of the bridge using "tcpdump -ni eth0 host <external webhost>":
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:21:26.149511 IP <natted sourcehost>.3387 > <external webhost>.www: S 1222579102:1222579102(0) win 65535 <mss 1460,nop,nop,sackOK>
12:21:26.233964 IP <external webhost>.www > <natted sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:26.234005 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:26.234082 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:29.104834 IP <natted sourcehost>.3387 > <external webhost>.www: S 1222579102:1222579102(0) win 65535 <mss 1460,nop,nop,sackOK>
12:21:29.189434 IP <external webhost>.www > <natted sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:29.189459 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:29.189499 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:29.231507 IP <external webhost>.www > <natted sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:29.231529 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:29.231568 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:35.121142 IP <natted sourcehost>.3387 > <external webhost>.www: S 1222579102:1222579102(0) win 65535 <mss 1460,nop,nop,sackOK>
12:21:35.205294 IP <external webhost>.www > <natted sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:35.205324 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:35.205363 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:35.234786 IP <external webhost>.www > <natted sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:35.234807 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
12:21:35.234847 IP <external webhost>.www > <unnated sourcehost>.3387: S 350740345:350740345(0) ack 1222579103 win 5840 <mss 1460,nop,nop,sackOK>
I did turn on ip forwarding by doing:
echo 1 > /proc/sys/net/ipv4/ip_forward
The firewall does appear to have all the rules needed to track the connections?
user@system:/home/user# cat base.fwr1 | grep ESTABLISHED
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2world -m state --state RELATED,ESTABLISHED -j ACCEPT
-A fw2world -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2world -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2world -m state --state RELATED,ESTABLISHED -j ACCEPT
-A world2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A world2fw -m state --state RELATED,ESTABLISHED -j ACCEPT
-A world2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
Any help would be greatly appreciated.