• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 707
  • Last Modified:

iptables SNAT to another eth ?

Using SUSE ...

From the router .. I can do ping -I eth3 google.com .. and it works .. and I did this in iptables

iptables -t nat -A POSTROUTING -s 10.2.0.240 -o eth3 -j SNAT --to-source 192.168.2.64

so .. the ip 10.2.0.240 should get routed through eth3 ! . but it doesn't !

x.x.x.x/30 dev eth1  proto kernel  scope link  src x.x.x.x
192.168.2.0/24 dev eth3  proto kernel  scope link  src 192.168.2.64
10.3.0.0/24 dev eth0  proto kernel  scope link  src 10.3.0.254
10.1.0.0/24 dev eth0  proto kernel  scope link  src 10.1.0.254
10.2.0.0/22 via 10.1.0.2 dev eth0
10.0.0.0/22 via 10.1.0.2 dev eth0
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via x.x.x.x dev eth1

:~> ip ro li table T3
192.168.2.0/24 dev eth3  scope link  src 192.168.2.64
default via 192.168.2.254 dev eth3

:~> ip ru li
dexter@GODZILLA:~> ip ru li
0:      from all lookup local
32765:  from 192.168.2.64 lookup T3
32766:  from all lookup main
32767:  from all lookup default

everything else works just fine .. but I want some ips to get through eth3 instead of eth1 !
0
patriciaeldridge
Asked:
patriciaeldridge
  • 2
1 Solution
 
NopiusCommented:
> so .. the ip 10.2.0.240 should get routed through eth3 ! . but it doesn't !
You almost answered your question -A POSTROUTING means that this rule applies _after_ routing decision.  So that  '-o eth3' never matches your packet (remember that it matches a packet and doesn't route to eth3).
0
 
patriciaeldridgeAuthor Commented:
well .. how should it look then ? :D .. I still didn't get it right ! :)
0
 
NopiusCommented:
Let's decide what we need. Possible cases:
1) If you need just route all traffic from single host 10.2.0.240 to all destinations via eth3
2) If you need to route all traffic from entire 10.2.0.0 network to all destiations via eth3
3) If you need to route traffic from either 1 host or entire network as in 1) 2) AND muasquerade it as going from 192.168.2.64 address.
4) You need to route or route+masquerade as in 1) 2) 3) but not to all destinations

If I'm guessing right,  you need a case 3) with a single IP.

Then you need to modify both iptables and routing tables.
1) Delete your old rule
iptables -t nat -D POSTROUTING -s 10.2.0.240 -o eth3 -j SNAT --to-source 192.168.2.64
2) Create a new one:
iptables -t nat -A POSTROUTING -s 10.2.0.240 -o eth3 -j MASQUERADE
3) Now delete old routing rule.
ip rule del prio 32765
4) Add a new rule:
ip rule add from 10.2.0.240 table T3

0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now