Linux Netfilter discussions
From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Joel Vosu <joel.vosu@mail.ee>
Cc: netfilter@lists.netfilter.org
Subject: Re: Change source address on incoming packets
Date: Mon, 10 May 2004 06:56:43 -0400
Message-ID: <1084186603.13931.14.camel@localhost>
In-Reply-To: <409EA7A6.8070000@mail.ee>

On Sun, 2004-05-09 at 17:50, Joel Vosu wrote:
> I would need to be able to change the source address of incoming 
> packets. I have 2 different subnets, but I need the server to see the 
> packets from the 2nd subnet as coming from the 1st.
> in iptables it would be something like:
> iptables -A PREROUTING -t nat -s 2nd_subnet -j SNAT --to-source 
> local_machine
> but this is not possible because SNAT only works for outgoing packets in 
> POSTROUTING.
> Is there a way to get this to work other than adding a second router box 
> for NAT?
> I tried to do it like this:
> Added another IP address eth0:0 to the server,
> added rules:
> iptables -A PREROUTING -t nat -d eth0:0_ip -p tcp --dport server-port -j 
> DNAT --to-destination eth0_ip:server_port
> iptables -A POSTROUTING -t nat -d eth0_ip -p tcp --dport server_port -j 
> SNAT --to-source eth0:0_ip
> but when I check from: iptables -L -t nat -nv then the second rule does 
> not get used at all. I presume the packet intended for the local machine does 
> not traverse the outgoing part of the nat table.
<snip>
I haven't tried or fully thought through any of these but here are a few
of the thoughts which came to my mind.

You may see the local packets in the POSTROUTING chain but on interface
lo instead of eth0.

If that doesn't work, I wonder if you can use iproute2.  It can do
stateless NAT independent of iptables (i.e., the reply packets will know
nothing of the original NAT and will need to have rules applied to them,
too).  I believe that will alter the packet after it leaves the
PREROUTING chain of the nat table. I'm not sure which address the filter
table will see.

You may also be able to do it with an iproute2 routing rule.  They can
be used to tell the server which ip to use for the source.  I haven't
looked at the details of doing this in a while so I do not recall if it
will do what you want off the top of my head.

In a recent RedHat distribution, you can find the iproute2 documentation
in /usr/share/doc/iproute-2.4.7/ip-cref.ps.  There is also a slide show
about using it in the training section on http://iscs.sourceforge.net.

Good luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
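The following is an added example and is not code from either poster or from the netfilter project. It takes the original poster's own second attempt (DNAT in nat PREROUTING, then SNAT on the way to the local service) and puts the SNAT rule in the nat table's INPUT chain instead of POSTROUTING: a packet that is routed to the local host is delivered through INPUT and never reaches POSTROUTING, and the SNAT target is valid only in the nat POSTROUTING and INPUT chains. It assumes an iptables/kernel whose nat table has an INPUT chain. All addresses, the port, and the function names (nat_rules, is_cidr_or_ip, show_counters) are placeholders invented for the example; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the original thread: rewrite the source
# address of packets that arrive from a second subnet and are delivered
# to a service on this host, so the service sees them as coming from an
# address on the first subnet. Assumes a kernel/iptables whose nat table
# has an INPUT chain (SNAT is valid only in POSTROUTING and INPUT); the
# poster's SNAT rule sat in POSTROUTING, which locally delivered packets
# never traverse, so it was never hit.
#
# All addresses, interface names and the port below are placeholders.
# IPT defaults to a dry run (prints the commands); set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# is_cidr_or_ip: crude sanity check so a typo does not turn into a
# surprising match-all rule (accepts only digits, dots and a slash).
is_cidr_or_ip() {
    case "$1" in
        *[!0-9./]*|"") return 1 ;;
    esac
    return 0
}

# nat_rules SECOND_SUBNET ALIAS_IP SERVER_IP PORT
#   SECOND_SUBNET: clients whose source should be rewritten (e.g. 10.2.0.0/24)
#   ALIAS_IP:      extra address on eth0 (the poster's eth0:0) that clients use
#   SERVER_IP:     the primary address the service is bound to
#   PORT:          TCP port of the service
nat_rules() {
    subnet=$1 alias_ip=$2 server_ip=$3 port=$4
    is_cidr_or_ip "$subnet" && is_cidr_or_ip "$alias_ip" \
        && is_cidr_or_ip "$server_ip" || return 1
    case "$port" in *[!0-9]*|"") return 1 ;; esac

    # 1. nat PREROUTING: packets from the 2nd subnet to the alias address
    #    are DNATed to the real service address before the routing decision.
    $IPT -t nat -A PREROUTING -s "$subnet" -d "$alias_ip" \
        -p tcp --dport "$port" -j DNAT --to-destination "$server_ip:$port"

    # 2. nat INPUT (not POSTROUTING): once routing has decided the packet
    #    is local, rewrite its source so the service sees an address on
    #    the 1st subnet. Connection tracking reverses both mappings on
    #    the replies, so no extra rule is needed for return traffic.
    $IPT -t nat -A INPUT -s "$subnet" -d "$server_ip" \
        -p tcp --dport "$port" -j SNAT --to-source "$alias_ip"
}

# show_counters: the check the poster ran, pointed at the chain that
# actually sees locally delivered packets.
show_counters() {
    $IPT -t nat -L INPUT -nv
}

# Example invocation with constructed addresses: clients on 10.2.0.0/24
# connect to the alias 10.1.0.5:22; the service on 10.1.0.4:22 sees
# every such connection as coming from 10.1.0.5.
nat_rules 10.2.0.0/24 10.1.0.5 10.1.0.4 22
```

Run it as is to review the generated rules, then with IPT=iptables to install them; show_counters afterwards confirms whether the INPUT rule's packet counter moves, which is the check the original POSTROUTING rule failed.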

Thread overview: 5+ messages
2004-05-09 21:50 Change source address on incoming packets Joel Vosu
2004-05-09 22:14 ` Antony Stone
2004-05-09 22:31   ` Joel Vosu
2004-05-10 10:56 ` John A. Sullivan III [this message]
2004-05-13 12:36   ` Joel Vosu