Solved

iptables SNAT to another eth ?

Posted on 2007-03-24
3
668 Views
Last Modified: 2013-12-23
Using SUSE ...

From the router .. I can do ping -I eth3 google.com .. and it works .. and I did this in iptables

iptables -t nat -A POSTROUTING -s 10.2.0.240 -o eth3 -j SNAT --to-source 192.168.2.64

so .. the ip 10.2.0.240 should get routed through eth3 ! . but it doesn't !

x.x.x.x/30 dev eth1  proto kernel  scope link  src x.x.x.x
192.168.2.0/24 dev eth3  proto kernel  scope link  src 192.168.2.64
10.3.0.0/24 dev eth0  proto kernel  scope link  src 10.3.0.254
10.1.0.0/24 dev eth0  proto kernel  scope link  src 10.1.0.254
10.2.0.0/22 via 10.1.0.2 dev eth0
10.0.0.0/22 via 10.1.0.2 dev eth0
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
default via x.x.x.x dev eth1

:~> ip ro li table T3
192.168.2.0/24 dev eth3  scope link  src 192.168.2.64
default via 192.168.2.254 dev eth3

:~> ip ru li
dexter@GODZILLA:~> ip ru li
0:      from all lookup local
32765:  from 192.168.2.64 lookup T3
32766:  from all lookup main
32767:  from all lookup default

everything else works just fine .. but I want some ips to get through eth3 instead of eth1 !
0
Comment
Question by:patriciaeldridge
  • 2
3 Comments
 
LVL 27

Expert Comment

by:Nopius
Comment Utility
> so .. the ip 10.2.0.240 should get routed through eth3 ! . but it doesn't !
You almost answered your question -A POSTROUTING means that this rule applies _after_ routing decision.  So that  '-o eth3' never matches your packet (remember that it matches a packet and doesn't route to eth3).
0
 

Author Comment

by:patriciaeldridge
Comment Utility
well .. how should it look then ? :D .. I still didn't get it right ! :)
0
 
LVL 27

Accepted Solution

by:
Nopius earned 125 total points
Comment Utility
Let's decide what we need. Possible cases:
1) If you need just route all traffic from single host 10.2.0.240 to all destinations via eth3
2) If you need to route all traffic from entire 10.2.0.0 network to all destiations via eth3
3) If you need to route traffic from either 1 host or entire network as in 1) 2) AND muasquerade it as going from 192.168.2.64 address.
4) You need to route or route+masquerade as in 1) 2) 3) but not to all destinations

If I'm guessing right,  you need a case 3) with a single IP.

Then you need to modify both iptables and routing tables.
1) Delete your old rule
iptables -t nat -D POSTROUTING -s 10.2.0.240 -o eth3 -j SNAT --to-source 192.168.2.64
2) Create a new one:
iptables -t nat -A POSTROUTING -s 10.2.0.240 -o eth3 -j MASQUERADE
3) Now delete old routing rule.
ip rule del prio 32765
4) Add a new rule:
ip rule add from 10.2.0.240 table T3

0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now