Hello :)
donno if this will help much but have you tried inserting the rule and
not appending it ?
-I POSTROUTING -t nat -o eth0 -j SNAT --to
I have been a little stumped by rules jumping packets to other chains
before they hit my newly entered rule before.
huh,
Matty.
Steve Brueckner wrote:
> Thanks, but using the --to-source switch seems to have the same effect
> as just using --to. And my attempt to use Masquerading failed as well.
>
> I'm new to iptables, but it doesn't seem too complex as a user to try
> to do this, so I really think the problem isn't with my usage of
> iptables but that something is either broken or missing in my kernel.
>
> I think what we need to do is some debugging, but I was hoping for some
> ideas on how to do that from this list.
>
> Thanks
>
> Steve Brueckner, ATC-NY
>
> James Shewey wrote:
>
>> did you try "iptables -t nat -A POSTROUTING -o eth0 -j SNAT
>> --to-source 192.168.1.221"
>>
>> Perhaps this will yeild better results.
>>
>> You should also be able to do what you want with _all_ traffic that
>> flows through the router too using the masquerade table. This may not
>> work for you solution though.
>>
>>
>> On 2/12/07, Steve Brueckner <steve@atc-nycorp.com> wrote:
>>
>>> I have an FC5 (2.6.16.13-xen kernel) box with 2 interfaces:
>>> eth0 is 192.168.1.221 (external network)
>>> eth1 is 192.168.10.1 (internal network)
>>>
>>> I've got to nat traffic through this box from host 192.168.10.2 to
>>> host 192.168.1.12. So I enabled ip forwarding and source nat on the
>>> multi-homed box: # sysctl -w net.ipv4.ip_forward=1
>>> # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.221
>>>
>>> That didn't work; the packets were indeed forwarded but their source
>>> address was unchanged (still 192.168.10.2):
>>> # tcpdump -n -i eth0
>>> 18:14:12.425317 IP 192.168.10.2 > 192.168.1.12: ICMP echo request,
>>> id 2617, seq 9, length 64
>>>
>>> I also tried plain old Masquerading:
>>> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE This also does
>>> not change the packets' source address, but it does forward them
>>> from eth1 to eth0 again.
>>>
>>> This similar command has a different but still incorrect effect:
>>> # iptables -t nat -A POSTROUTING -j MASQUERADE It changes the source
>>> address of the packets on eth1 but of course does not forward them
>>> to eth0.
>>>
>>> Nothing seems to work. Packets are either forwarded but without new
>>> source IPs or they get new source IPs but aren't forwarded.
>>> My filter table is wide open (no rules).
>>>
>>> The same kernel can do SNAT just fine using Debian. I'm starting to
>>> think FC5 is missing something. However, I seem to have the
>>> following modules, which appear sufficient to me:
>>> # lsmod | grep ip
>>> ipt_MASQUERADE 3776 0
>>> iptable_filter 3104 1
>>> iptable_nat 8836 1
>>> ip_nat 18092 2 ipt_MASQUERADE,iptable_nat
>>> ip_conntrack 55800 4
>>> xt_state,ipt_MASQUERADE,iptable_nat,ip_nat nfnetlink
>>> 6520 2 ip_nat,ip_conntrack
>>> ip_tables 13636 2 iptable_filter,iptable_nat
>>> x_tables 13188 6
>>> xt_state,ipt_MASQUERADE,xt_tcpudp,xt_physdev,iptable_nat,ip_tables
>>> ipv6 269056 14
>>>
>>> Any ideas on how to proceed with troubleshooting this?
>>>
>>> Thanks,
>>>
>>> Steve Brueckner, ATC-NY
>>>
>
>
>
>
signature.asc
Description: OpenPGP digital signature
|