Linux Netfilter discussions
From: Joel Newkirk <netfilter@newkirk.us>
To: Del Winiecki <delw@wildapache.net>, netfilter@lists.netfilter.org
Subject: Re: Reverse SNAT routes out wrong interface
Date: Fri, 21 Feb 2003 01:36:35 -0500
Message-ID: <200302210136.35536.netfilter@newkirk.us>
In-Reply-To: <1045773286.2306.77.camel@thizzy>

On Thursday 20 February 2003 03:34 pm, Del Winiecki wrote:
> Ok, another challenge.
>
> SNAT works fine, but I need the outside WAN address to look as if it
> came from an address on the eth1 network, not the Upstream WAN
> network. My linux router ports:
>
> eth4 192.168.1.0/24 ------------ (local offices, admin net)
>
> eth1 209.x.x.x/24 -------- (downstream WAN)
>
> WAN1 64.x.x.x/30 ---------  (upstream provider)
>
> all traffic from 192.168.1.0/24 must look like its from 209.x.x.13
>
> traffic flowing into WAN1 with a destination address of 209.x.x.13
> somehow needs to get routed out the eth4 interface and "un-natted"
> instead of routing out eth1.
>
> I have:
> iptables -t nat -A POSTROUTING -o WAN1 -j SNAT --to 209.x.x.13
>
> Is there some way to use DNAT to fool the kernel routing into properly
> routing this?

Since you only want traffic from the 192.168.1.x network to be SNATted, 
you should construct your rule with that requirement:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o WAN1 -j SNAT --to 209.x.x.13

Netfilter will then reverse SNAT those packets correctly. (the rule you 
have above will make ALL traffic going out WAN1 appear from that single 
IP) 

If you want NEW traffic addressed to 209.x.x.13 to be DNATted into the 
192.168.1.x network that isn't a problem, but you have to specify a 
precise destination (or destinations) for the traffic in one or more 
DNAT rules.

j

> Thanks,
> Del W.

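As an added example (not part of the thread above), the following audit script flags exactly the kind of rule discussed here: a nat-table SNAT or MASQUERADE rule with no source match, which rewrites every packet leaving the interface rather than only the 192.168.1.0/24 traffic. It runs over a constructed iptables-save excerpt that uses the thread's placeholder addresses; the rule-list format is the standard iptables-save output.

```shell
#!/bin/sh
# Audit an iptables-save dump for nat-table SNAT/MASQUERADE rules that carry
# no -s/--source match. Such rules hide the origin of all traffic leaving the
# interface (downstream 209.x.x.x hosts included) behind one address.

# Constructed sample dump. Rule 1 is the thread's original (unscoped) rule,
# rule 2 the corrected one, rule 3 an inbound DNAT (not a SNAT, so ignored),
# rule 4 an unscoped MASQUERADE.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o WAN1 -j SNAT --to-source 209.x.x.13
-A POSTROUTING -s 192.168.1.0/24 -o WAN1 -j SNAT --to-source 209.x.x.13
-A PREROUTING -i WAN1 -d 209.x.x.13/32 -p tcp --dport 25 -j DNAT --to-destination 192.168.1.10
-A POSTROUTING -o WAN1 -j MASQUERADE
COMMIT'

# Print every nat-table SNAT/MASQUERADE rule lacking a -s/--source match.
# Only the "*nat" section is inspected; other tables are skipped.
unscoped_snat_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/          { table = substr($0, 2); next }
        table != "nat" { next }
        /^-A / && /-j (SNAT|MASQUERADE)/ {
            if ($0 !~ /(^| )(-s|--source) /) print
        }'
}

# Number of unscoped rules, for a quick pass/fail check (0 means clean).
count_unscoped() {
    unscoped_snat_rules "$1" | grep -c .
}

# On a live router, feed the real ruleset instead:
#   unscoped_snat_rules "$(iptables-save -t nat)"
unscoped_snat_rules "$SAMPLE_RULES"
```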