NetFilter

RE: Troubleshooting SNAT

To: netfilter@lists.netfilter.org
Subject: RE: Troubleshooting SNAT
From: Steve Brueckner <steve@atc-nycorp.com>
Date: Tue, 13 Feb 2007 11:33:03 -0500
Good idea, but this is the only rule I have!  So there are no other rules
to get in the way.

I think what I need is some sort of debug mode for iptables.

 - Steve

Matt Richards wrote:
> Hello  :)
> 
> donno if this will help much but have you tried inserting the rule
> and not appending it ? -I POSTROUTING -t nat -o eth0 -j SNAT --to
> 
> I have been a little stumped by rules jumping packets to other chains
> before they hit my newly entered rule before. 
> 
> huh,
> Matty.
> On 2/12/07, Steve Brueckner <steve@atc-nycorp.com> wrote:
> 
>>>> I have an FC5 (2.6.16.13-xen kernel) box with 2 interfaces:
>>>> eth0 is 192.168.1.221 (external network)
>>>> eth1 is 192.168.10.1 (internal network)
>>>> 
>>>> I've got to nat traffic through this box from host 192.168.10.2 to
>>>> host 192.168.1.12.  So I enabled ip forwarding and source nat on
>>>> the multi-homed box:
>>>> # sysctl -w net.ipv4.ip_forward=1
>>>> # iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.221
>>>> 
>>>> That didn't work; the packets were indeed forwarded but their
>>>> source address was unchanged (still 192.168.10.2):
>>>> # tcpdump -n -i eth0
>>>> 18:14:12.425317 IP 192.168.10.2 > 192.168.1.12: ICMP echo request,
>>>> id 2617, seq 9, length 64 
>>>> 
>>>> I also tried plain old Masquerading:
>>>> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>> This also does not change the packets' source address, but it does
>>>> forward them from eth1 to eth0 again.
>>>> 
>>>> This similar command has a different but still incorrect effect:
>>>> # iptables -t nat -A POSTROUTING -j MASQUERADE
>>>> It changes the source address of the packets on eth1 but of course
>>>> does not forward them to eth0.
>>>> 
>>>> Nothing seems to work.  Packets are either forwarded but without
>>>> new source IPs or they get new source IPs but aren't forwarded.
>>>> My filter table is wide open (no rules).
>>>> 
>>>> The same kernel can do SNAT just fine using Debian.  I'm starting
>>>> to think FC5 is missing something.  However, I seem to have the
>>>> following modules, which appear sufficient to me:
>>>> # lsmod | grep ip
>>>> ipt_MASQUERADE          3776  0
>>>> iptable_filter          3104  1
>>>> iptable_nat             8836  1
>>>> ip_nat                 18092  2 ipt_MASQUERADE,iptable_nat
>>>> ip_conntrack           55800  4 xt_state,ipt_MASQUERADE,iptable_nat,ip_nat
>>>> nfnetlink               6520  2 ip_nat,ip_conntrack
>>>> ip_tables              13636  2 iptable_filter,iptable_nat
>>>> x_tables               13188  6 xt_state,ipt_MASQUERADE,xt_tcpudp,xt_physdev,iptable_nat,ip_tables
>>>> ipv6                  269056  14
>>>> 
>>>> Any ideas on how to proceed with troubleshooting this?
>>>> 
>>>> Thanks,
>>>> 
>>>> Steve Brueckner, ATC-NY
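Editor's note, not part of the thread: netfilter has no single "debug mode", but two cheap checks answer most of what is asked above. The per-rule counters from `iptables -t nat -L POSTROUTING -v -n -x` show whether the SNAT rule has matched anything at all (a zero counter means packets are not reaching the rule or are not leaving via the interface named in `-o`). The conntrack table (/proc/net/ip_conntrack on a 2.6.16 kernel; `conntrack -L` from conntrack-tools prints the same tuples) shows which source address was bound to each flow: a NAT mapping is decided on the first packet of a flow and stored in its conntrack entry, so a rule added while a ping is already running is never consulted for that ping until the entry expires or is flushed. The script below is an added example, not code from the poster or from the netfilter project. It parses constructed samples of both outputs (the formats are assumed from the tools' usual layout, not captured from the poster's box) and reports rules that never matched and flows carrying no SNAT binding. The addresses are the ones in the thread; the counter values, the conntrack entries and the helper names are made up for the example.

```python
import re

# Constructed sample of `iptables -t nat -L POSTROUTING -v -n -x` output
# (assumed format, not captured from the poster's box): the SNAT rule exists
# and has matched three packets since it was added.
SAMPLE_NAT_CHAIN = """\
Chain POSTROUTING (policy ACCEPT 12 packets, 1008 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3       252 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            to:192.168.1.221
"""

# Constructed sample in the /proc/net/ip_conntrack layout of 2.6.16-era
# kernels (assumed; `conntrack -L` prints the same tuples).  Each line carries
# the original tuple and then the reply tuple; the reply tuple's dst is the
# source address the box is actually using for that flow.  The ICMP flow was
# started before the SNAT rule was loaded, so its reply dst is still the
# internal address; the TCP flow was started afterwards and got the mapping.
SAMPLE_CONNTRACK = """\
icmp     1 29 src=192.168.10.2 dst=192.168.1.12 type=8 code=0 id=2617 src=192.168.1.12 dst=192.168.10.2 type=0 code=0 id=2617 use=1
tcp      6 431999 ESTABLISHED src=192.168.10.2 dst=192.168.1.12 sport=40012 dport=22 src=192.168.1.12 dst=192.168.1.221 sport=22 dport=40012 [ASSURED] use=1
"""

# columns: pkts bytes target prot opt in out source destination [to:addr]
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(SNAT|MASQUERADE)\s+\S+\s+\S+\s+(\S+)\s+(\S+)"
    r"\s+(\S+)\s+(\S+)(?:\s+to:(\S+))?"
)
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+)")


def parse_nat_rules(text):
    """One dict per SNAT/MASQUERADE rule in `iptables -t nat -L -v -n -x` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            pkts, _bytes, target, in_if, out_if, src, dst, to = m.groups()
            rules.append({"pkts": int(pkts), "target": target, "in": in_if,
                          "out": out_if, "src": src, "dst": dst, "to": to})
    return rules


def parse_conntrack(text):
    """One dict per conntrack entry: protocol plus original and reply tuples."""
    flows = []
    for line in text.splitlines():
        pairs = TUPLE_RE.findall(line)
        if len(pairs) == 2:
            (osrc, odst), (rsrc, rdst) = pairs
            flows.append({"proto": line.split()[0], "orig_src": osrc,
                          "orig_dst": odst, "reply_src": rsrc, "reply_dst": rdst})
    return flows


def flows_without_snat(flows, internal_prefix="192.168.10."):
    """Flows from the internal network whose reply tuple still points at the
    internal source: conntrack bound 'no NAT' to them when they started."""
    return [f for f in flows
            if f["orig_src"].startswith(internal_prefix)
            and f["reply_dst"] == f["orig_src"]]


def diagnose(nat_output, conntrack_output, expected_to, out_if="eth0"):
    """Return human-readable findings; an empty list means nothing looks wrong."""
    findings = []
    rules = [r for r in parse_nat_rules(nat_output) if r["out"] in ("*", out_if)]
    if not rules:
        findings.append(f"no SNAT/MASQUERADE rule in nat POSTROUTING for -o {out_if}")
    for r in rules:
        if r["target"] == "SNAT" and r["to"] != expected_to:
            findings.append(f"SNAT maps to {r['to']}, expected {expected_to}")
        if r["pkts"] == 0:
            findings.append(f"{r['target']} rule on {r['out']} has matched 0 packets:"
                            " traffic is not reaching it or not leaving via that interface")
    for f in flows_without_snat(parse_conntrack(conntrack_output)):
        findings.append(f"{f['proto']} flow {f['orig_src']} -> {f['orig_dst']} carries no"
                        " SNAT binding (entry created before the rule existed, or the rule"
                        " did not match its first packet); flush it with conntrack -F"
                        " after fixing the rule and retest")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_NAT_CHAIN, SAMPLE_CONNTRACK, "192.168.1.221"):
        print(line)
```

On the real box, feed it the live outputs (`iptables -t nat -L POSTROUTING -v -n -x` and `cat /proc/net/ip_conntrack`) instead of the constructed strings. The flush step matters in the situation described in the thread: a ping that was already running when the rule was appended keeps its old conntrack entry and will never be SNATed until that entry goes away, whatever the rule says.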
