* unable to source and destination nat at the same time on multi-homed server
From: Joelly Alexander @ 2010-11-07 15:24 UTC (permalink / raw)
To: netfilter
I am not able to do source and destination NAT for local outgoing packets;
what I need:
there are two instances of software running on the same server, both
instances send traffic to the same destination IPs;
the destination IPs must see the traffic from different source IPs for
each instance;
what I tried:
the server has both IPs in the same subnet (one physical and one
virtual), but the IP stack always sends traffic out with the lowest IP,
which works for the first instance - but I need to manipulate the
traffic for the second instance;
so, my plan was to send the traffic from the second instance to a false
destination and perform source NAT to the virtual IP and then destination NAT
to the real destination - which seems not to work;
it is not possible to perform source NAT and destination NAT in the same
rule, and in the OUTPUT chain I can only perform destination NAT, after which I
cannot do source NAT in the POSTROUTING chain;
I need that in the reverse order - first source NAT and then
destination NAT, to have the destination IP (the temporary false one) as a
matching criterion;
in other words - source NAT must be done before destination NAT, but
iptables does not allow this because the OUTPUT chain with
destination NAT is handled before the source NAT from the POSTROUTING
chain;
does anyone know a way to solve this?
Thanks,
alex
* Re: unable to source and destination nat at the same time on multi-homed server
From: Pascal Hambourg @ 2010-11-07 16:10 UTC (permalink / raw)
To: Joelly Alexander; +Cc: netfilter
Joelly Alexander wrote:
>
> in other words - source NAT must be done before destination NAT, but
> iptables does not allow this because the OUTPUT chain with
> destination NAT is handled before the source NAT from the POSTROUTING
> chain;
>
> does anyone know a way to solve this?
You can mark the packets (-j MARK) or the connection (-j CONNMARK) in
mangle/OUTPUT before DNAT, and match the packet mark (-m mark) or
connection mark (-m connmark) in nat/POSTROUTING.
Or you can use -m conntrack --ctorigdst to match the original
destination address.
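Both variants Pascal describes, written out as an added example; this is not code from either message. The addresses, the mark value 0x2 and the "false destination" trick from Alex's question are all assumptions chosen for illustration, using documentation ranges. The script only prints the iptables commands by default (IPT="echo iptables"); run it with IPT=iptables as root to apply them.

```bash
#!/bin/sh
# Added example (not from the thread). Layout assumed for illustration:
#   PRIMARY_IP  lowest address on the interface, chosen by the stack by default
#   VIRTUAL_IP  second address the second instance should appear to come from
#   FAKE_DST    placeholder destination the second instance is configured to send to
#   REAL_DST    where that traffic must actually end up
PRIMARY_IP=192.0.2.10
VIRTUAL_IP=192.0.2.11
FAKE_DST=198.51.100.1
REAL_DST=203.0.113.5
MARK=0x2

# Dry run by default: prints the rules instead of loading them.
IPT=${IPT:-"echo iptables"}

# Variant 1: packet mark.
# mangle/OUTPUT runs before nat/OUTPUT, so the first packet of a new
# connection is marked while its destination is still FAKE_DST. The nat
# table is consulted only for that first packet, and nat/POSTROUTING sees
# the same (already marked, already DNATed) packet, so the mark is enough to
# pick the SNAT source. -j CONNMARK --set-mark / -m connmark would work the
# same way here.
rules_mark() {
    $IPT -t mangle -A OUTPUT -d "$FAKE_DST" -j MARK --set-mark "$MARK"
    $IPT -t nat -A OUTPUT -d "$FAKE_DST" -j DNAT --to-destination "$REAL_DST"
    $IPT -t nat -A POSTROUTING -m mark --mark "$MARK" -j SNAT --to-source "$VIRTUAL_IP"
}

# Variant 2: conntrack original destination.
# After the DNAT in nat/OUTPUT the packet header says REAL_DST, but the
# conntrack entry still records FAKE_DST as the original destination, so
# nat/POSTROUTING can match on it without any marking.
rules_ctorigdst() {
    $IPT -t nat -A OUTPUT -d "$FAKE_DST" -j DNAT --to-destination "$REAL_DST"
    $IPT -t nat -A POSTROUTING -m conntrack --ctorigdst "$FAKE_DST" -j SNAT --to-source "$VIRTUAL_IP"
}

# Commands to confirm the rules are hit (packet counters) and that conntrack
# holds the expected translation for a live connection.
check_cmds() {
    $IPT -t nat -nvL OUTPUT
    $IPT -t nat -nvL POSTROUTING
    echo "conntrack -L -d $REAL_DST"
}

# Load one variant, never both (they would add duplicate DNAT rules).
case "${VARIANT:-mark}" in
    mark)      rules_mark ;;
    ctorigdst) rules_ctorigdst ;;
    *) echo "unknown VARIANT: $VARIANT" >&2; exit 2 ;;
esac
check_cmds
```

Two things to keep in mind when applying this. The second instance has to be configured to talk to FAKE_DST, and FAKE_DST must be routable at all, because a locally generated packet is routed before it reaches nat/OUTPUT; after the DNAT the kernel re-routes it towards REAL_DST. Only the first packet of each connection traverses the nat table, so existing connections are unaffected until they are re-established; once a new one is up, `conntrack -L -d 203.0.113.5` should show the original tuple with src=192.0.2.10 dst=198.51.100.1 and the reply tuple with src=203.0.113.5 dst=192.0.2.11, which is the proof that both translations were applied.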
* Re: unable to source and destination nat at the same time on multi-homed server
From: Joelly Alexander @ 2010-11-10 22:33 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
On 07.11.2010 17:10, Pascal Hambourg wrote:
>> does anyone know a way to solve this?
> You can mark the packets (-j MARK) or the connection (-j CONNMARK) in
> mangle/OUTPUT before DNAT, and match the packet mark (-m mark) or
> connection mark (-m connmark) in nat/POSTROUTING.
>
> Or you can use -m conntrack --ctorigdst to match the original
> destination address.
>
After playing around for some time to see how to use it and how it works - it
does exactly what I need.
Thanks