LinuxQuestions.org

Linux - Security: IPtables: SNAT not working (https://www.linuxquestions.org/questions/linux-security-4/iptables-snat-not-working-4175424821/)

batman2277 08-30-2012 01:02 PM

IPtables: SNAT not working

I am trying to set up SNAT on a CentOS server. I want to change the source address of connections to 10.16.21.40.

I followed the documentation below but it is not working. When I ping, for example, google.com the traffic doesn't contain 10.16.21.40. I tested with Wireshark; the source IP doesn't contain 10.16.21.40. Please let me know how to fix this.

http://www.netfilter.org/documentati...T-HOWTO-6.html
I executed the commands below.
Code:

Edit  /etc/sysctl.conf and change net.ipv4.ip_forward=0 to 1.

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.16.21.40

/etc/init.d/iptables save

/etc/init.d/iptables restart

less /etc/sysconfig/iptables

Code:

# Generated by iptables-save v1.3.5 on Thu Aug 30 05:29:14 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [94:12812]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Aug 30 05:29:14 2012
# Generated by iptables-save v1.3.5 on Thu Aug 30 05:29:14 2012
*nat
:PREROUTING ACCEPT [517:64229]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 10.16.21.40
COMMIT
# Completed on Thu Aug 30 05:29:14 2012


Ser Olmy 08-30-2012 02:21 PM

Locally generated packets aren't processed by the nat POSTROUTING chain. You need to add the SNAT rule to the OUTPUT chain of the nat table.

Edit: Oh, and if you NAT outbound traffic behind a non-routable IP address like 10.16.21.40, you will never see a reply.

batman2277 08-30-2012 02:56 PM

Quote:

Originally Posted by Ser Olmy (Post 4768526)
Locally generated packets aren't processed by the nat POSTROUTING chain. You need to add the SNAT rule to the OUTPUT chain of the nat table.

Edit: Oh, and if you NAT outbound traffic behind a non-routable IP address like 10.16.21.40, you will never see a reply.

Thanks for your reply. How can I add the SNAT rule to the OUTPUT chain of the nat table? I am testing from my PC using Wireshark, but it's the same. The source IP doesn't contain 10.16.21.40.

10.16.21.40: I changed the real IP. This is just an example IP.

Ser Olmy 08-31-2012 04:17 AM

You just change "-A POSTROUTING" to "-A OUTPUT".

You may want to do some further reading of the netfilter documentation. It is quite important to be reasonably familiar with the basic concepts before configuring the firewall of any Internet-connected system.

batman2277 08-31-2012 07:24 AM

Quote:

Originally Posted by Ser Olmy (Post 4768966)
You just change "-A POSTROUTING" to "-A OUTPUT".

You may want to do some further reading of the netfilter documentation. It is quite important to be reasonably familiar with the basic concepts before configuring the firewall of any Internet-connected system.

I am getting an error message. What is the correct rule? I want to change the source IPs of all outgoing connections to, for example, 10.16.21.40.

# iptables -t nat -A OUTPUT -o eth0 -j SNAT --to 10.16.21.40
iptables: Invalid argument. Run `dmesg' for more information.

Note: I changed the original IP.

Ser Olmy 08-31-2012 07:37 AM

You're absolutely right. The SNAT target is not supported in the OUTPUT chain, which means you can't change the source address of locally generated traffic.

You will have to assign the address to an interface on the server, and then bind the service/process in question to that IP.
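As an added check (not code from the thread), the script below reads an iptables-save dump in the same format as the one posted above and flags the two problems this exchange turns on: a NAT target placed in a chain where the kernel refuses it (the "Invalid argument" from the SNAT rule in nat/OUTPUT), and an SNAT source address that no local interface owns, so replies would go to whoever holds that address. The sample dump and the list of local addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed iptables-save dump modelled on the thread's: the POSTROUTING
# rule from the first post plus the OUTPUT rule that iptables rejected.
RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 10.16.21.40
-A OUTPUT -o eth0 -j SNAT --to-source 10.16.21.40
-A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.16.21.41:8080
COMMIT'

# Constructed: addresses this host owns (what `ip -4 -o addr` would list).
LOCAL_ADDRS='10.16.21.41 127.0.0.1'

# check_nat_rules: read an iptables-save dump on stdin; print INVALID for a nat
# target in a chain the kernel rejects, WARN for an SNAT source not owned locally.
check_nat_rules() {
  awk -v addrs="$LOCAL_ADDRS" '
    BEGIN { n = split(addrs, a, " "); for (i = 1; i <= n; i++) mine[a[i]] = 1 }
    /^\*/     { table = substr($0, 2); next }   # table header: *filter, *nat
    /^COMMIT/ { table = ""; next }
    table != "nat" || !/^-A / { next }
    {
      chain = $2; target = ""; src = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") target = $(i + 1)
        if ($i == "--to-source" || $i == "--to") { src = $(i + 1); sub(/:.*/, "", src) }
      }
      if (target == "SNAT")            ok = (chain == "POSTROUTING" || chain == "INPUT")
      else if (target == "MASQUERADE") ok = (chain == "POSTROUTING")
      else if (target == "DNAT" || target == "REDIRECT") ok = (chain == "PREROUTING" || chain == "OUTPUT")
      else                             ok = 1   # ACCEPT, RETURN, user chains: not checked
      if (!ok) printf "INVALID %s in nat/%s: %s\n", target, chain, $0
      if (target == "SNAT" && src != "" && !(src in mine))
        printf "WARN SNAT source %s is not a local address: %s\n", src, $0
    }'
}

# count_findings: number of INVALID/WARN lines produced for the sample dump.
count_findings() { printf '%s\n' "$RULES" | check_nat_rules | grep -c . || true; }

printf '%s\n' "$RULES" | check_nat_rules
```

On a live system, feed `iptables-save` output to `check_nat_rules` and set LOCAL_ADDRS from `ip -4 -o addr`.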

batman2277 08-31-2012 07:56 AM

Quote:

Originally Posted by Ser Olmy (Post 4769136)
You're absolutely right. The SNAT target is not supported in the OUTPUT chain, which means you can't change the source address of locally generated traffic.

You will have to assign the address to an interface on the server, and then bind the service/process in question to that IP.

I have three servers. One server acts as load balancer. I want to NAT the other servers to the LB IP. How can I achieve this?

Main : 10.16.21.40 Load balancer.
server1 : 10.16.21.41 ->10.16.21.40
server2 : 10.16.21.42 ->10.16.21.40

I am trying to SNAT server1 and server2 to the LB IP using the rule below. But it is not working.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.16.21.40

Note: All these are static IPs which are not in the same subnet.

Ser Olmy 08-31-2012 12:18 PM

It's not possible to load balance with the SNAT target, and since the servers are not in the same subnet, using the iptables CLUSTERIP target won't work either. CLUSTERIP load balances a virtual IP address between a number of nodes in the same broadcast domain by means of multicast ARP, and a dedicated load balancer is not required.

Your scenario, however, does require a load balancer, which you already have. The load balancer will have to act as a reverse proxy, accepting HTTP requests for the site in question and redirecting them to a number of web servers. You can do this with a web server like Apache, or you can use a dedicated proxy server like Squid. (Or you can use lighttpd, nginx, Varnish, and probably a few other products as well, but I don't have links to reverse proxy documentation for those.)

In short, iptables can't help you here, but a reverse proxy can.

batman2277 08-31-2012 02:44 PM

Quote:

Originally Posted by Ser Olmy (Post 4769350)
It's not possible to load balance with the SNAT target, and since the servers are not in the same subnet, using the iptables CLUSTERIP target won't work either. CLUSTERIP load balances a virtual IP address between a number of nodes in the same broadcast domain by means of multicast ARP, and a dedicated load balancer is not required.

Your scenario, however, does require a load balancer, which you already have. The load balancer will have to act as a reverse proxy, accepting HTTP requests for the site in question and redirecting them to a number of web servers. You can do this with a web server like Apache, or you can use a dedicated proxy server like Squid. (Or you can use lighttpd, nginx, Varnish, and probably a few other products as well, but I don't have links to reverse proxy documentation for those.)

In short, iptables can't help you here, but a reverse proxy can.

The content is not only HTTP but has RTMP. It's hard to manage RTMP with a reverse proxy. So there are no rules in IPtables which mask the IPs of the outgoing connections.
