I have an FC5 (2.6.16.13-xen kernel) box with 2 interfaces:
eth0 is 192.168.1.221 (external network)
eth1 is 192.168.10.1 (internal network)
I've got to NAT traffic through this box from host 192.168.10.2
to host 192.168.1.12. So I enabled IP forwarding and source NAT
on the multi-homed box:
# sysctl -w net.ipv4.ip_forward=1
# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.221
That didn't work; the packets were indeed forwarded but their
source address was unchanged (still 192.168.10.2):
# tcpdump -n -i eth0
18:14:12.425317 IP 192.168.10.2 > 192.168.1.12: ICMP echo request, id 2617, seq 9, length 64
I also tried plain old Masquerading:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This also does not change the packets' source address, but
it does forward them from eth1 to eth0 again.
This similar command has a different but still incorrect effect:
# iptables -t nat -A POSTROUTING -j MASQUERADE
It changes the source address of the packets on eth1 but
of course does not forward them to eth0.
Nothing seems to work. Packets are either forwarded but without
new source IPs or they get new source IPs but aren't forwarded.
My filter table is wide open (no rules).
The same kernel can do SNAT just fine using Debian. I'm starting
to think FC5 is missing something. However, I seem to have the following
modules, which appear sufficient to me:
# lsmod | grep ip
ipt_MASQUERADE 3776 0
iptable_filter 3104 1
iptable_nat 8836 1
ip_nat 18092 2 ipt_MASQUERADE,iptable_nat
ip_conntrack 55800 4 xt_state,ipt_MASQUERADE,iptable_nat,ip_nat
nfnetlink 6520 2 ip_nat,ip_conntrack
ip_tables 13636 2 iptable_filter,iptable_nat
x_tables 13188 6 xt_state,ipt_MASQUERADE,xt_tcpudp,xt_physdev,iptable_nat,ip_tables
ipv6 269056 14
Any ideas on how to proceed with troubleshooting this?
Thanks,
Steve Brueckner, ATC-NY
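The following is an added troubleshooting helper for the situation described in the post above; it is not part of the original mail and was not written by its author. It parses the text that `iptables -t nat -L POSTROUTING -v -n` and `lsmod` print, so the same checks can be exercised offline on constructed sample output (the sample counters and the choice of ip_conntrack, ip_nat and iptable_nat as the core module set are assumptions made for this example). The useful distinction it draws is between "no NAT rule present", "rule present but its packet counter never moves while the chain policy counter does" and "rule is matching": in the second case the packets do traverse POSTROUTING but the rule does not see them, which points at the rule's match conditions (for example the `-o eth0` interface) or at timing, since the nat table is only consulted for the first packet of a connection and a flow that conntrack already knows keeps whatever NAT decision (including "none") was made when it was first seen.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the original post). They read the
# output of "iptables -t nat -L POSTROUTING -v -n" and "lsmod" on stdin.
# On a live box:   iptables -t nat -L POSTROUTING -v -n | nat_rule_hits
#                  lsmod | modules_missing

# Constructed sample: a POSTROUTING listing where an SNAT rule exists but has
# never matched a packet, while 12 packets fell through to the chain policy.
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 12 packets, 1008 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           to:192.168.1.221'

# Constructed sample lsmod output modelled on the listing in the post.
SAMPLE_LSMOD='ipt_MASQUERADE 3776 0
iptable_filter 3104 1
iptable_nat 8836 1
ip_nat 18092 2 ipt_MASQUERADE,iptable_nat
ip_conntrack 55800 4 xt_state,ipt_MASQUERADE,iptable_nat,ip_nat'

# nat_rule_hits: packet counter of the first SNAT or MASQUERADE rule in the
# listing on stdin, or "none" when the chain holds no such rule.
nat_rule_hits() {
    awk '$3 == "SNAT" || $3 == "MASQUERADE" { print $1; found = 1; exit }
         END { if (!found) print "none" }'
}

# chain_policy_pkts: packets that reached the chain policy, i.e. went
# through POSTROUTING without any rule matching them.
chain_policy_pkts() {
    sed -n 's/^Chain POSTROUTING (policy [A-Z]* \([0-9]*\) packets.*/\1/p'
}

# modules_missing: names from the (assumed) core NAT module set that do
# not appear in the lsmod output on stdin; prints nothing when all are loaded.
modules_missing() {
    loaded=$(awk '{ print $1 }')
    for m in ip_conntrack ip_nat iptable_nat; do
        printf '%s\n' "$loaded" | grep -qx "$m" || echo "$m"
    done
}

# diagnose: classify a POSTROUTING listing passed as the first argument.
#   no-nat-rule        -> nothing in the chain rewrites source addresses
#   rule-never-matched -> packets traverse the chain but skip the rule
#                         (wrong match conditions or pre-existing conntrack
#                         entries created before the rule was added)
#   rule-matching      -> the rule is being applied to traffic
diagnose() {
    hits=$(printf '%s\n' "$1" | nat_rule_hits)
    policy=$(printf '%s\n' "$1" | chain_policy_pkts)
    if [ "$hits" = "none" ]; then
        echo "no-nat-rule"
    elif [ "$hits" -eq 0 ] && [ "${policy:-0}" -gt 0 ]; then
        echo "rule-never-matched"
    else
        echo "rule-matching"
    fi
}

# Stand-alone run against the constructed samples.
echo "nat rule verdict: $(diagnose "$SAMPLE_NAT")"
echo "missing modules: $(printf '%s\n' "$SAMPLE_LSMOD" | modules_missing)"
```

If the verdict is "rule-never-matched", compare the counters again after starting a fresh connection from 192.168.10.2 (a new ICMP id or TCP source port) so the first packet of that flow is evaluated against the rule; a flow that was already in the conntrack table before the rule was added will never be rewritten.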