From: Erik Schorr <erik-lists@arpa.org>
To: netfilter@vger.kernel.org
Cc: Ajith Adapa <adapa.ajith@gmail.com>
Subject: Re: Regarding iptable rules for SNAT
Date: Tue, 18 Oct 2011 11:33:24 -0700
Message-ID: <4E9DC674.3050607@arpa.org>
In-Reply-To: <CADAe=+Lo46K956EAdtBchVUPkLs-aLoDk7p8HGC5-Bd4PGKy3Q@mail.gmail.com>
On 10/17/2011 8:42 PM, Ajith Adapa wrote:
> I have a following setup. GW eth1 (private ip) is connected to the ISP
> router. For host H1 I have set the DNS server as 10.12.3.10.
>
> H1 (eth0) --- (eth0) GW (eth1) ---
> H1 eth0 = 192.168.1.2
> GW eth0 = 192.168.1.1
> GW eth1 = 10.12.3.12
> DNS = 10.12.3.10
>
> I have added a rule in GW saying iptables -A POSTROUTING -t nat -o
> eth1 -j MASQUERADE
>
> Now when I am trying to access internet from host H1, DNS queries are
> being sent to 10.12.3.10 which are masqueraded in GW. Once replies
> come back from DNS server then GW is replying back to DNS server with
> icmp destination unreachable.
If there's no reason to SNAT/masquerade traffic from eth0 to a host on
eth1 (10.12.3.*), you can try inserting an ACCEPT rule in the
POSTROUTING table just before the MASQUERADE rule, to prevent the
traffic from 192.168.1.* to 10.12.3.* having its source address changed
in flight:
# iptables -A POSTROUTING -t nat -o eth1 -m comment \
    --comment "dont masq stuff from private net to DMZ net" \
    -s 192.168.1.0/24 -d 10.12.3.0/24 -j ACCEPT
# iptables -A POSTROUTING -t nat -o eth1 -m comment \
    --comment "masq everything else" -j MASQUERADE
> Ideal cases once the reply comes back GW has to send it to the host H1 right ?
>
> Sorry if I am wrong or missed any steps down here ?
>
> Regards,
> Ajith
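The point of the suggested fix is rule order: nat/POSTROUTING is walked top to bottom and the first terminating target wins, so the ACCEPT for 192.168.1.0/24 -> 10.12.3.0/24 must sit above the MASQUERADE. The model below is an added Python illustration, not code from the thread; it simulates first-match evaluation for the chains discussed and assumes only the ACCEPT and MASQUERADE targets and the GW eth1 address 10.12.3.12 given in the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Net = ipaddress.IPv4Network

@dataclass
class Rule:
    """One nat/POSTROUTING rule: -o OUT_IF [-s SRC] [-d DST] -j TARGET."""
    target: str                      # "ACCEPT" or "MASQUERADE"
    out_if: Optional[str] = None     # -o
    src: Optional[IPv4Net] = None    # -s
    dst: Optional[IPv4Net] = None    # -d

    def matches(self, src: str, dst: str, out_if: str) -> bool:
        if self.out_if is not None and self.out_if != out_if:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(dst) not in self.dst:
            return False
        return True

# Interface addresses taken from the question (GW eth0 / eth1).
IF_ADDRS = {"eth0": "192.168.1.1", "eth1": "10.12.3.12"}

def egress_source(rules, src: str, dst: str, out_if: str) -> str:
    """First-match walk of the chain; returns the source IP the packet leaves with."""
    for rule in rules:
        if not rule.matches(src, dst, out_if):
            continue
        if rule.target == "ACCEPT":
            return src               # traversal stops, address left untouched
        if rule.target == "MASQUERADE":
            return IF_ADDRS[out_if]  # rewritten to the outgoing interface's address
        raise ValueError(f"unsupported target {rule.target}")
    return src                       # no match: nat chain policy is ACCEPT

ORIGINAL = [Rule("MASQUERADE", out_if="eth1")]
FIXED = [
    Rule("ACCEPT", out_if="eth1", src=IPv4Net("192.168.1.0/24"), dst=IPv4Net("10.12.3.0/24")),
    Rule("MASQUERADE", out_if="eth1"),
]
WRONG_ORDER = list(reversed(FIXED))  # MASQUERADE first: the ACCEPT is never reached

if __name__ == "__main__":
    for name, chain in [("original", ORIGINAL), ("fixed", FIXED), ("wrong order", WRONG_ORDER)]:
        print(name, "DNS query from H1 leaves as",
              egress_source(chain, "192.168.1.2", "10.12.3.10", "eth1"),
              "/ internet traffic leaves as",
              egress_source(chain, "192.168.1.2", "203.0.113.5", "eth1"))
```

Because both commands use -A (append), they must be issued in the order shown; verify the resulting order with `iptables -t nat -L POSTROUTING -n --line-numbers`.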