SNAT issue for locally generated UDP packet

SNAT issue for locally generated UDP packet

[Baskaran Mohandass]

Hi all,

      I am trying to source nat the packet generated locally using 
iptables. Machine is running Fedora core2 and one of the interface 
address is 5.5.5.7.  Sip server sends a packet with source port 5060 and 
ip address 5.5.5.7. I want to change the IP address and the source port 
when it goes out. Reading the IPtables manual only rule i can think of is
iptables -t nat -A POSTROUTING --protocol udp --source-port 5060  -j 
SNAT --to-source 5.5.5.7:1024-32000.
[root@sipserver2 ~]# uname -a
Linux sipserver2.baski.com 2.6.9-1.667 #1 Tue Nov 2 14:41:25 EST 2004 
i686 i686 i386 GNU/Linux
Unfortunately it does not work. IPtables also says that locally 
generated packets are modified in the output chain and there is not NAT 
capability in there. I went through all the messages in the archive for 
SNAT and OUTPUT, So I would really appreciate any help on this. If there 
is any patch available for this I am ready to try.

Thanks and Regards
..baski

RE: SNAT issue for locally generated UDP packet

[Sietse van Zanen]

Hi,

I think, that your rule does not make sense: 

iptables -t nat -A POSTROUTING --protocol udp --source-port 5060 -j SNAT --to-source 5.5.5.7:1024-32000

You are trying to NAT a single port (5060) onto a range of ports (1024-32000). This will not work. NAT should be a many-many or single-single relationship. When many-many, ranges should be exactly the same size. It should be more like:

iptables -t nat -A POSTROUTING --protocol udp --source-port 5060 -j SNAT --to-source 5.5.5.7:1024

Cheers,

Sietse


________________________________

From: netfilter-bounces@lists.netfilter.org on behalf of Baskaran Mohandass
Sent: Tue 14/06/2005 22:01
To: netfilter@lists.netfilter.org
Subject: SNAT issue for locally generated UDP packet 



Hi all,

      I am trying to source nat the packet generated locally using
iptables. Machine is running Fedora core2 and one of the interface
address is 5.5.5.7.  Sip server sends a packet with source port 5060 and
ip address 5.5.5.7. I want to change the IP address and the source port
when it goes out. Reading the IPtables manual only rule i can think of is
iptables -t nat -A POSTROUTING --protocol udp --source-port 5060  -j
SNAT --to-source 5.5.5.7:1024-32000.
[root@sipserver2 ~]# uname -a
Linux sipserver2.baski.com 2.6.9-1.667 #1 Tue Nov 2 14:41:25 EST 2004
i686 i686 i386 GNU/Linux
Unfortunately it does not work. IPtables also says that locally
generated packets are modified in the output chain and there is not NAT
capability in there. I went through all the messages in the archive for
SNAT and OUTPUT, So I would really appreciate any help on this. If there
is any patch available for this I am ready to try.

Thanks and Regards
..baski

Re: SNAT issue for locally generated UDP packet

[Baskaran Mohandass]

Hi Sietse,
   I tried with one to one mapping before this one to many iptables 
rule. I dont see any effect of this iptables config in the packet. I 
even tried MASQ without ip address on the eth1 without any success. 
Anyway Thanks for the help. I appreciate it.
Cheers
..baski

Sietse van Zanen wrote:
> Hi,
> 
> I think, that your rule does not make sense: 
> 
> iptables -t nat -A POSTROUTING --protocol udp --source-port 5060 -j SNAT --to-source 5.5.5.7:1024-32000
> 
> You are trying to NAT a single port (5060) onto a range of ports (1024-32000). This will not work. NAT should be a many-many or single-single relationship. When many-many, ranges should be exactly the same size. It should be more like:
> 
> iptables -t nat -A POSTROUTING --protocol udp --source-port 5060 -j SNAT --to-source 5.5.5.7:1024
> 
> Cheers,
> 
> Sietse
> 
> 
> ________________________________
> 
> From: netfilter-bounces@lists.netfilter.org on behalf of Baskaran Mohandass
> Sent: Tue 14/06/2005 22:01
> To: netfilter@lists.netfilter.org
> Subject: SNAT issue for locally generated UDP packet 
> 
> 
> 
> Hi all,
> 
>       I am trying to source nat the packet generated locally using
> iptables. Machine is running Fedora core2 and one of the interface
> address is 5.5.5.7.  Sip server sends a packet with source port 5060 and
> ip address 5.5.5.7. I want to change the IP address and the source port
> when it goes out. Reading the IPtables manual only rule i can think of is
> iptables -t nat -A POSTROUTING --protocol udp --source-port 5060  -j
> SNAT --to-source 5.5.5.7:1024-32000.
> [root@sipserver2 ~]# uname -a
> Linux sipserver2.baski.com 2.6.9-1.667 #1 Tue Nov 2 14:41:25 EST 2004
> i686 i686 i386 GNU/Linux
> Unfortunately it does not work. IPtables also says that locally
> generated packets are modified in the output chain and there is not NAT
> capability in there. I went through all the messages in the archive for
> SNAT and OUTPUT, So I would really appreciate any help on this. If there
> is any patch available for this I am ready to try.
> 
> Thanks and Regards
> ..baski
> 
> 
> 

Re: SNAT issue for locally generated UDP packet

[/dev/rob0]

On Tuesday 14 June 2005 15:01, Baskaran Mohandass wrote:
> I am trying to source nat the packet generated locally using
> iptables. Machine is running Fedora core2 and one of the interface
> address is 5.5.5.7.  Sip server sends a packet with source port 5060
> and ip address 5.5.5.7. I want to change the IP address and the
> source port when it goes out.

Change the source IP to what? Change the source port to what?

> Reading the IPtables manual only rule i 
> can think of is iptables -t nat -A POSTROUTING --protocol udp
> --source-port 5060  -j SNAT --to-source 5.5.5.7:1024-32000.

That's the same IP.

> this. If there is any patch available for this I am ready to try.

Describe better what it is you need to do, and I bet your answer is in 
the man page.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header