Solved

iptables SNAT to another eth ?

Posted on 2007-03-24
3
679 Views
Last Modified: 2013-12-23
Using SUSE ...

From the router .. I can do ping -I eth3 google.com .. and it works .. and I did this in iptables

iptables -t nat -A POSTROUTING -s 10.2.0.240 -o eth3 -j SNAT --to-source 192.168.2.64

so .. the ip 10.2.0.240 should get routed through eth3 ! . but it doesn't !

x.x.x.x/30 dev eth1  proto kernel  scope link  src x.x.x.x
192.168.2.0/24 dev eth3  proto kernel  scope link  src 192.168.2.64
10.3.0.0/24 dev eth0  proto kernel  scope link  src 10.3.0.254
10.1.0.0/24 dev eth0  proto kernel  scope link  src 10.1.0.254
10.2.0.0/22 via 10.1.0.2 dev eth0
10.0.0.0/22 via 10.1.0.2 dev eth0
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via x.x.x.x dev eth1

:~> ip ro li table T3
192.168.2.0/24 dev eth3  scope link  src 192.168.2.64
default via 192.168.2.254 dev eth3

:~> ip ru li
dexter@GODZILLA:~> ip ru li
0:      from all lookup local
32765:  from 192.168.2.64 lookup T3
32766:  from all lookup main
32767:  from all lookup default

everything else works just fine .. but I want some ips to get through eth3 instead of eth1 !
0
Comment
Question by:patriciaeldridge
  • 2
3 Comments
 
LVL 27

Expert Comment

by:Nopius
ID: 18857542
> so .. the ip 10.2.0.240 should get routed through eth3 ! . but it doesn't !
You almost answered your question -A POSTROUTING means that this rule applies _after_ routing decision.  So that  '-o eth3' never matches your packet (remember that it matches a packet and doesn't route to eth3).
0
 

Author Comment

by:patriciaeldridge
ID: 18857568
well .. how should it look then ? :D .. I still didn't get it right ! :)
0
 
LVL 27

Accepted Solution

by:
Nopius earned 125 total points
ID: 18861710
Let's decide what we need. Possible cases:
1) If you need just route all traffic from single host 10.2.0.240 to all destinations via eth3
2) If you need to route all traffic from entire 10.2.0.0 network to all destiations via eth3
3) If you need to route traffic from either 1 host or entire network as in 1) 2) AND muasquerade it as going from 192.168.2.64 address.
4) You need to route or route+masquerade as in 1) 2) 3) but not to all destinations

If I'm guessing right,  you need a case 3) with a single IP.

Then you need to modify both iptables and routing tables.
1) Delete your old rule
iptables -t nat -D POSTROUTING -s 10.2.0.240 -o eth3 -j SNAT --to-source 192.168.2.64
2) Create a new one:
iptables -t nat -A POSTROUTING -s 10.2.0.240 -o eth3 -j MASQUERADE
3) Now delete old routing rule.
ip rule del prio 32765
4) Add a new rule:
ip rule add from 10.2.0.240 table T3

0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question