
How do I SNAT in iptables


PepUK

Programmer
Apr 5, 2005
4
GB
So what am I doing wrong here? I have a g/way that is supposed to be protecting a private server from the internet by NAT'ing the public/private addresses.

The g/way has an alias for the public address running on its public i/face, so the config is like this

PUB=x.x.x.101
PRV=y.y.y.101

I have a table this in my iptables

--table nat --append POSTROUTING --source $PRV --out-interface $INET_IFACE --jump SNAT --to-source $PUB

but it does not work

I have the following in my iptables for testing

--table mangle --append PREROUTING --source $PRV --jump LOG --log-prefix "PRV in mangle PREROUTING "

--table mangle --append FORWARD --source $PRV --jump LOG --log-prefix "PRV in mangle FORWARD "

--table mangle --append PREROUTING --source $PRV --jump LOG --log-prefix "PRV in mangle POSTROUTING "

--table nat --append POSTROUTING --source $PRV --jump LOG --log-prefix "PRV in nat POSTROUTING "

so I can clearly see in the log file that the private host is going all the way through the mangle table as I expect it to but it never ends up in the nat table and so never gets NAT'd to the public address to get out on to the internet :-(

Okay I know I have something wrong but what?

TIA,
Pep
 
Do you have your NAT module loaded? I use this in my iptables script and everything is fine.

/sbin/insmod iptable_nat
iptables -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $EXT_IP



--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--
 
This is the output of my lsmod command

lsmod | grep nat
iptable_nat 22744 1 (autoclean)
ip_conntrack 29704 2 (autoclean) [ipt_state iptable_nat]
ip_tables 16544 10 [iptable_mangle ipt_limit ipt_multiport ipt_REJECT ipt_LOG ipt_state iptable_nat iptable_filter]

I notice that you do not have a --source operand in your iptables command?

It is that part that is not working for me, I need to set different public addresses for different private addresses, so that 192.168.0.1 would become x.x.x.1 and 192.168.0.2 would become x.x.x.2; etc.

I am assuming that this is possible with iptables as the command does not complain when I set it up and the manual suggests that this is legal?
 
I actually have 4 different servers and a bunch of workstations behind my firewall. The line I posted didn't have a source address because it's a catch-all rule used by my workstations; any machine other than my 4 servers will fall through the first 4 rules but will be caught at the last one, sharing 1 external address. Expanding the earlier line, I have:

iptables -t nat -A POSTROUTING -o $EXT -s $CITRIX1_INT -j SNAT --to-source $CITRIX1_EXT
iptables -t nat -A POSTROUTING -o $EXT -s $CITRIX2_INT -j SNAT --to-source $CITRIX2_EXT
iptables -t nat -A POSTROUTING -o $EXT -s $WEBMAIL_INT -j SNAT --to-source $WEBMAIL_EXT
iptables -t nat -A POSTROUTING -o $EXT -s $SHOWCASE_INT -j SNAT --to-source $SHOWCASE_EXT
iptables -t nat -A POSTROUTING -o $EXT -j SNAT --to-source $EXT_IP





--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--
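The rule set above only does what it should because the per-host rules come before the catch-all: the kernel takes the first POSTROUTING rule that matches, so a catch-all placed first would silently SNAT every server to the shared address. The following script is an added example (not code from either poster) that reads `iptables-save` output and reports which SNAT rule a given source would hit, plus rules that are shadowed by an earlier, broader one or that lack `-o` and so would also rewrite traffic heading back into the LAN. The sample dumps, interface name `eth0` and the 203.0.113.x / 192.168.0.x addresses are constructed for the example.

```python
"""Static check of SNAT rules in the nat POSTROUTING chain (iptables-save format)."""
import sys
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class SnatRule:
    source: Optional[IPv4Network]   # None means "any source"
    out_iface: Optional[str]        # None means "any outgoing interface"
    to_source: str                  # address after SNAT
    text: str                       # the rule as written in the dump


def parse_snat_rules(dump: str) -> List[SnatRule]:
    """Return the SNAT rules of the nat table's POSTROUTING chain, in chain order."""
    rules, in_nat = [], False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header such as "*nat" or "*filter"
            in_nat = line == "*nat"
            continue
        if not (in_nat and line.startswith("-A POSTROUTING ")):
            continue
        toks = line.split()
        src = oif = target = to = None
        for i, tok in enumerate(toks[:-1]):  # every option here takes one argument
            if tok == "-s":
                src = ip_network(toks[i + 1], strict=False)
            elif tok == "-o":
                oif = toks[i + 1]
            elif tok == "-j":
                target = toks[i + 1]
            elif tok == "--to-source":
                to = toks[i + 1]
        if target == "SNAT" and to:
            rules.append(SnatRule(src, oif, to, line))
    return rules


def matching_rule(rules: List[SnatRule], src_ip: str, out_iface: str) -> Optional[SnatRule]:
    """First rule the kernel would apply to a packet from src_ip leaving out_iface."""
    addr = ip_address(src_ip)
    for r in rules:
        if r.source is not None and addr not in r.source:
            continue
        if r.out_iface is not None and r.out_iface != out_iface:
            continue
        return r
    return None


def audit(rules: List[SnatRule]) -> List[str]:
    """Flag rules that can never match (shadowed by an earlier, broader rule)
    and rules with no -o (they would also SNAT traffic leaving on the LAN side)."""
    findings = []
    for i, later in enumerate(rules):
        if later.out_iface is None:
            findings.append(f"rule {i + 1} has no -o: {later.text}")
        for j, earlier in enumerate(rules[:i]):
            src_covered = earlier.source is None or (
                later.source is not None and later.source.subnet_of(earlier.source))
            oif_covered = earlier.out_iface is None or earlier.out_iface == later.out_iface
            if src_covered and oif_covered:
                findings.append(f"rule {i + 1} is shadowed by rule {j + 1}: {later.text}")
                break
    return findings


# Constructed iptables-save excerpt: catch-all placed BEFORE the per-host rules (wrong order).
BROKEN = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 192.168.0.1/32 -o eth0 -j SNAT --to-source 203.0.113.1
-A POSTROUTING -s 192.168.0.2/32 -o eth0 -j SNAT --to-source 203.0.113.2
COMMIT
"""

# Constructed excerpt with the per-host rules first and the catch-all last (correct order).
FIXED = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.1/32 -o eth0 -j SNAT --to-source 203.0.113.1
-A POSTROUTING -s 192.168.0.2/32 -o eth0 -j SNAT --to-source 203.0.113.2
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
"""

if __name__ == "__main__":
    # Usage: iptables-save | python3 snat_check.py  (falls back to the constructed sample)
    dump = sys.stdin.read() if not sys.stdin.isatty() else BROKEN
    for finding in audit(parse_snat_rules(dump)):
        print(finding)
```

Running it against the constructed BROKEN dump reports both per-host rules as shadowed by rule 1; the FIXED dump produces no findings, and `matching_rule(...)` shows 192.168.0.1 mapping to 203.0.113.1 while an unlisted host falls through to the shared 203.0.113.10.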
 
Thanks for the clarification. I did some further investigation at the w/e just to prove to myself that the --source operand was legal on the SNAT table and of course it is.

Though all of this is interesting, it still leaves me in the same position of not knowing why the rules are not working for me :-(

Thanks,
Pep.
 
If you were just to SNAT every thing that goes out of your network via a single address, does it work?

Also, have you aliased your NIC with the proper external addresses? Had a chap with me some weeks ago who was complaining that packets went out but none came back ...go figure.


--== Anything can go wrong. It's just a matter of how far wrong it will go till people think its right. ==--
 