IPtables: SNAT not working
I am trying to setup SNAT on centos server. I want to change the source address of connections to 10.16.21.40.
I followed the documentation below but it is not working. When I ping, for example, google.com, it doesn't contain 10.16.21.40. I tested with Wireshark; the source IP doesn't contain 10.16.21.40. Please let me know how to fix this. http://www.netfilter.org/documentati...T-HOWTO-6.html I executed the commands below. Code:
Edit /etc/sysctl.conf and change net.ipv4.ip_forward=0 to 1. less /etc/sysconfig/iptables Code:
# Generated by iptables-save v1.3.5 on Thu Aug 30 05:29:14 2012
Locally generated packets aren't processed by the nat POSTROUTING chain. You need to add the SNAT rule to the OUTPUT chain of the nat table.
Edit: Oh, and if you NAT outbound traffic behind a non-routable IP-address like 10.16.21.40, you will never see a reply.
Quote:
10.16.21.40: I changed the real IP. This is just an example IP.
You just change "-A POSTROUTING" to "-A OUTPUT".
You may want to do some further reading of the netfilter documentation. It is quite important to be reasonably familiar with the basic concepts before configuring the firewall of any Internet connected system.
Quote:
# iptables -t nat -A OUTPUT -o eth0 -j SNAT --to 10.16.21.40
iptables: Invalid argument. Run `dmesg' for more information.
Note: I changed the original IP.
You're absolutely right. The SNAT target is not supported in the OUTPUT chain, which means you can't change the source address of locally generated traffic.
You will have to assign the address to an interface on the server, and then bind the service/process in question to that IP.
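The "Invalid argument" in the quoted post is the kernel rejecting a NAT target in a chain where netfilter does not allow it: SNAT is accepted only in the nat table's POSTROUTING and INPUT chains, MASQUERADE only in POSTROUTING, and DNAT/REDIRECT only in PREROUTING and OUTPUT. The script below is an added example (not from this thread or the netfilter project) that encodes those constraints as a pre-flight check, so a rule like the OUTPUT/SNAT one above is refused with a clear message instead of a cryptic kernel error. The function names, the DRY_RUN switch, and the eth0/10.16.21.40 values are taken from the thread or chosen for illustration.

```shell
#!/bin/sh
# Added example: validate a nat-table rule before handing it to iptables.
# Chains in which each NAT target is accepted (netfilter behaviour, not
# thread-specific). Anything else gives "iptables: Invalid argument".
valid_chains_for() {
    case "$1" in
        SNAT)       echo "POSTROUTING INPUT" ;;
        MASQUERADE) echo "POSTROUTING" ;;
        DNAT)       echo "PREROUTING OUTPUT" ;;
        REDIRECT)   echo "PREROUTING OUTPUT" ;;
        *)          echo "" ;;
    esac
}

# check_nat_rule CHAIN TARGET -> exit status 0 when the combination is valid.
check_nat_rule() {
    chain=$1
    target=$2
    for c in $(valid_chains_for "$target"); do
        [ "$c" = "$chain" ] && return 0
    done
    return 1
}

# iptables_nat_rule CHAIN TARGET "match options" "target options"
# Runs the check first; only on success is the rule built for iptables.
# With DRY_RUN=1 the command is printed instead of executed (used below).
iptables_nat_rule() {
    chain=$1; target=$2; match=$3; targetopts=$4
    if ! check_nat_rule "$chain" "$target"; then
        echo "refusing: target $target is not valid in nat chain $chain" \
             "(valid chains: $(valid_chains_for "$target"))" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        # shellcheck disable=SC2086  # word splitting of the option strings is intended
        echo "iptables -t nat -A $chain $match -j $target $targetopts"
    else
        # shellcheck disable=SC2086
        iptables -t nat -A "$chain" $match -j "$target" $targetopts
    fi
}

# Demonstration with the two rules from the thread (dry run, nothing is applied).
DRY_RUN=1
iptables_nat_rule OUTPUT      SNAT "-o eth0" "--to 10.16.21.40" || true   # refused
iptables_nat_rule POSTROUTING SNAT "-o eth0" "--to 10.16.21.40"           # accepted
```

Run it as-is to see the refusal and the accepted rule printed; set DRY_RUN=0 (as root) to have the accepted rule actually added. The check only covers the chain/target rule the kernel enforces; whether the rewritten source address is reachable for replies, as the earlier answer points out, is a separate routing question.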
Quote:
Main: 10.16.21.40 (load balancer)
server1: 10.16.21.41 -> 10.16.21.40
server2: 10.16.21.42 -> 10.16.21.40
I am trying to SNAT server1 and server2 to the LB IP using the rule below, but it is not working.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.16.21.40
Note: All these are static IPs which are not in the same subnet.
It's not possible to load balance with the SNAT target, and since the servers are not in the same subnet, using the iptables CLUSTERIP target won't work either. CLUSTERIP load balances a virtual IP address between a number of nodes in the same broadcast domain by means of multicast ARP, and a dedicated load balancer is not required.
Your scenario, however, does require a load balancer, which you already have. The load balancer will have to act as a reverse proxy, accepting HTTP requests for the site in question and redirecting them to a number of web servers. You can do this with a web server like Apache, or you can use a dedicated proxy server like Squid. (Or you can use lighttpd, nginx, Varnish, and probably a few other products as well, but I don't have links to reverse proxy documentation for those.) In short, iptables can't help you here, but a reverse proxy can.