From: Ben Greear <greearb@candelatech.com>
To: netfilter@lists.netfilter.org
Subject: Question on MASQUERADE in virtual-router configuration.
Date: Thu, 19 Apr 2007 10:27:19 -0700
Message-ID: <4627A677.4080102@candelatech.com>
Hello!
I'm trying to set up a fairly strange configuration, and having
no luck getting MASQUERADE to work. My configuration requires
a few patches to the kernel to allow send-to-self and some
routing table upgrades. I can post these if someone wishes to
see them.
I suspect that my virtual router configuration is confusing iptables
somehow, perhaps causing the -o [port] to be ignored,
so I'm looking for ideas on how to better debug this.
The configuration is a sort of virtual router. You could think of it
similar to this, though I am actually using virtual devices similar
to the etun devices recently posted to netdev instead of real ethernet
devices with loopback cables.
One machine:
eth0 and eth1 act as a router (using policy based routing to filter
on packets entering these interfaces to a certain routing table, etc)
eth2 and eth3 act as a second router.
eth1 is connected with loop-back cable to eth2 (subnet 2.2.2.0/24)
eth0 is connected to eth4 via loopback cable (subnet 172.1.1.0/24)
eth3 is connected to eth5 via loopback cable (subnet 4.4.4.0/24)
I am trying to pass traffic from eth4 to eth5, through the virtual
routers. This works fine without NAT, and I can sniff on each of the
interfaces and see expected traffic.
The traffic path is: eth4 -- eth0 { router-1 logic } eth1 -- eth2 { router-2 logic } eth3 -- eth5
I then tried enabling NAT on eth1 so that all packets entering eth2 will appear
to come from eth1's IP address with a command similar to this:
iptables -A POSTROUTING -t nat -o eth1 -j MASQUERADE
When sniffing eth2, I still see the source IP as that of eth4, not eth1.
I also tried using the SNAT target with this command:
iptables -A POSTROUTING -t nat -o eth1 -j SNAT --to 2.2.2.2
The rule appears to be in the kernel, but it still does not work:
[root@lanforge-33-46 lanforge]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@lanforge-33-46 lanforge]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:2.2.2.2
If anyone has any ideas how to better diagnose this, please let
me know.
Thanks,
Ben
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
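An added diagnostic helper for the question above (not part of Ben's post): it parses the verbose listing `iptables -t nat -L POSTROUTING -n -v -x` to tell whether the SNAT/MASQUERADE rule has matched any packet at all, which separates "packets never traverse POSTROUTING with eth1 as output device" from "the rule matches but the translation is lost later in the path". The sample listings, the `live` argument and the host addresses 172.1.1.1 and 4.4.4.4 used with `ip route get` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the output of
#   iptables -t nat -L POSTROUTING -n -v -x
# whose columns are: pkts bytes target prot opt in out source destination [extra]
# and reports whether a SNAT/MASQUERADE rule for a given out-interface has
# ever matched a packet.

# Print "<target> <out-interface> <pkts>" for each rule in the listing on stdin.
nat_rule_counters() {
    awk 'NR > 2 && NF >= 9 { print $3, $7, $1 }'
}

# Exit 0 if a SNAT or MASQUERADE rule for out-interface $1 has a non-zero
# packet counter in the listing on stdin, 1 otherwise.
nat_rule_hit() {
    nat_rule_counters | awk -v iface="$1" '
        ($1 == "SNAT" || $1 == "MASQUERADE") && $2 == iface && $3 > 0 { hit = 1 }
        END { if (hit) exit 0; exit 1 }'
}

# Constructed listings mirroring the rule from the post: one before any packet
# matched it, one after the rule has been hit.
SAMPLE_ZERO='Chain POSTROUTING (policy ACCEPT 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:2.2.2.2'
SAMPLE_HIT='Chain POSTROUTING (policy ACCEPT 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      37       2960 SNAT       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            to:2.2.2.2'

if [ "$1" = "live" ]; then
    # On the router itself (root needed). A zero counter means packets never
    # traverse POSTROUTING with eth1 as output device, so ask the routing code
    # what the policy rules actually select for the flow (assumed addresses:
    # a host on 172.1.1.0/24 sending to a host on 4.4.4.0/24, arriving on eth0).
    iptables -t nat -L POSTROUTING -n -v -x | nat_rule_counters
    ip route get 4.4.4.4 from 172.1.1.1 iif eth0
    # NAT bindings are fixed on a connection's first packet, so flows that
    # existed before the rule was added keep their original addresses; test
    # with a fresh connection.
else
    printf '%s\n' "$SAMPLE_ZERO" | nat_rule_hit eth1 || echo "no packet has matched the eth1 SNAT rule"
    printf '%s\n' "$SAMPLE_HIT"  | nat_rule_hit eth1 && echo "eth1 SNAT rule has matched packets"
fi
```

Run with `live` on the router to apply the same checks to the real table; without arguments it only exercises the parser on the constructed listings.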