I'm running a router based on a custom Linux 2.6.6 kernel, with all
netfilter options either compiled-in or available as modules.
I use SNAT so that all traffic from a given private subnet appears to
originate from a single routable IP address. Each private subnet has a
unique corresponding routable IP address.
In general, this works very well. The trouble I'm having is in passing
iChat AV traffic for an entire private subnet.
For example, let's say I have two routable IP addresses assigned to
eth0: 69.54.179.2 and 69.54.179.3, and private IP address
192.168.10.1/24 assigned to eth1. Clients are connected to eth1, while
eth0 is my link to the internet.
If I use SNAT for the entire private subnet, iChat fails. In order to
make it work, I need to use a 1:1 mapping and DNAT.
This causes iChat to fail:
iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 69.54.179.2
This works:
iptables -t nat -A POSTROUTING -s 192.168.10.3 -j SNAT --to-source 69.54.179.3
iptables -t nat -A PREROUTING -d 69.54.179.3 -j DNAT --to-destination 192.168.10.3
The private subnet in question can have any number of nodes using iChat
at a given time. I need to avoid reserving a unique public IP address
for each node that may possibly participate.
What am I missing? Is this expected behavior?
Thanks!
Dennis
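The following is an added illustration, not code from Dennis or from the netfilter project: a small Python model of a stateful NAT that behaves like the two rule sets above. It assumes (as the working 1:1 DNAT rule suggests) that the remote iChat peer must be able to open a flow towards the client that the client did not initiate, and it simplifies netfilter's connection tracking to a single table keyed on the public endpoint and the remote endpoint. The remote addresses 203.0.113.10 and 198.51.100.7 and the ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulNat:
    """Simplified netfilter-style NAT (added model, not netfilter itself).

    SNAT rules rewrite the source of outbound packets, DNAT rules rewrite
    the destination of inbound packets, and a conntrack-like table lets
    replies to tracked outbound flows back in.
    """

    def __init__(self, snat_rules: List[Tuple[str, str]], dnat_rules: Dict[str, str]):
        # snat_rules: [(source prefix, public IP)], first match wins, as in iptables
        self.snat_rules = [(ipaddress.ip_network(net), pub) for net, pub in snat_rules]
        # dnat_rules: {public IP: private IP}, a static 1:1 mapping
        self.dnat_rules = dict(dnat_rules)
        # (public_ip, public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.conntrack: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def _public_ip_for(self, src: str) -> Optional[str]:
        addr = ipaddress.ip_address(src)
        for net, pub in self.snat_rules:
            if addr in net:
                return pub
        return None

    def _alloc_port(self, public_ip: str, wanted: int, remote: Tuple[str, int]) -> int:
        # Keep the client's source port when it is still free for this
        # public IP / remote pair; otherwise take the next free one.
        port = wanted
        while (public_ip, port, remote[0], remote[1]) in self.conntrack:
            port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private side."""
        for key, priv in self.conntrack.items():
            if priv == (pkt.src, pkt.sport) and key[2:] == (pkt.dst, pkt.dport):
                return Packet(key[0], key[1], pkt.dst, pkt.dport)  # existing flow
        pub = self._public_ip_for(pkt.src)
        if pub is None:
            return pkt  # no SNAT rule matches: forwarded untranslated
        port = self._alloc_port(pub, pkt.sport, (pkt.dst, pkt.dport))
        self.conntrack[(pub, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pub, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the internet; None means no client receives it."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack:  # reply to a tracked outbound flow
            priv_ip, priv_port = self.conntrack[key]
            return Packet(pkt.src, pkt.sport, priv_ip, priv_port)
        if pkt.dst in self.dnat_rules:  # static 1:1 mapping
            return Packet(pkt.src, pkt.sport, self.dnat_rules[pkt.dst], pkt.dport)
        return None  # no state and no DNAT rule: nothing maps it to a client


def many_to_one() -> Dict[str, Optional[Packet]]:
    """The failing setup: the whole /24 shares 69.54.179.2."""
    nat = StatefulNat([("192.168.10.0/24", "69.54.179.2")], {})
    out = nat.outbound(Packet("192.168.10.3", 5060, "203.0.113.10", 5060))
    # A second client using the same source port gets a rewritten port.
    second = nat.outbound(Packet("192.168.10.4", 5060, "203.0.113.10", 5060))
    # The reply to the first flow finds its conntrack entry and is delivered.
    reply = nat.inbound(Packet("203.0.113.10", 5060, out.src, out.sport))
    # An unsolicited inbound flow has no entry and no DNAT rule: dropped.
    unsolicited = nat.inbound(Packet("198.51.100.7", 40000, "69.54.179.2", 5060))
    return {"outbound": out, "second_host": second, "reply": reply, "unsolicited": unsolicited}


def one_to_one() -> Optional[Packet]:
    """The working setup: 192.168.10.3 owns 69.54.179.3 in both directions."""
    nat = StatefulNat([("192.168.10.3/32", "69.54.179.3")], {"69.54.179.3": "192.168.10.3"})
    return nat.inbound(Packet("198.51.100.7", 40000, "69.54.179.3", 5060))


if __name__ == "__main__":
    print(many_to_one())
    print(one_to_one())
```

Run as a script, the model shows the two things many-to-one SNAT does that a static 1:1 mapping does not: it drops inbound flows that no client opened first, and it can rewrite a client's source port when two clients pick the same one. Either is enough to break a protocol whose peers expect to reach the client directly on an advertised address and port.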