Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I am trying to setup SNAT on centos server. I want to change the source address of connections to 10.16.21.40.
I followed below documentation but it is not working. When I ping example google.com it dosen't contains 10.16.21.40. I tested with wire shark source IP doesn't contains 10.16.21.40. Please let me know how to fix this.
Locally generated packets aren't processed by the nat POSTROUTING chain. You need to add the SNAT rule to the OUTPUT chain of the nat table.
Edit: Oh, and if you NAT outbound traffic behind a non-routable IP-address like 10.16.21.40, you will never see a reply.
Thanks for your reply. How can I add the SNAT rule to the OUTPUT chain of the nat table. I am testing from my PC using wire shark. But its same. The source IP doesn't contains 10.16.21.40.
10.16.21.40: I changed the real IP. This is just example IP.
Last edited by batman2277; 08-30-2012 at 03:21 PM.
You may want to do some further reading of the netfilter documentation. It is quite important to be reasonably familiar with the basic concepts before configuring the firewall of any Internet connected system.
You may want to do some further reading of the netfilter documentation. It is quite important to be reasonably familiar with the basic concepts before configuring the firewall of any Internet connected system.
I am getting error message. What is the correct rule. I want to change all outgoing connection source ip's to example this 10.16.21.40.
# iptables -t nat -A OUTPUT -o eth0 -j SNAT --to 10.16.21.40
iptables: Invalid argument. Run `dmesg' for more information.
You're absolutely right. The SNAT target is not supported in the OUTPUT chain, which means you can't change the source address of locally generated traffic.
You will have to assign the address to an interface on the server, and then bind the service/process in question to that IP.
You're absolutely right. The SNAT target is not supported in the OUTPUT chain, which means you can't change the source address of locally generated traffic.
You will have to assign the address to an interface on the server, and then bind the service/process in question to that IP.
I have three servers. One server acts as load balancer. I want to NAT other servers to LB IP. How can I achieve this.
I am trying to SNAT server1 and server2 to LB ip using below rule. But it is not working.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.16.21.40
Note: All these are static IP's which are not in the same subnet.
Last edited by batman2277; 08-31-2012 at 08:00 AM.
It's not possible to load balance with the SNAT target, and since the servers are not in the same subnet, using the iptables CLUSTERIP target won't work either. CLUSTERIP load balances a virtual IP address between a number of nodes in the same broadcast domain by means of multicast ARP, and a dedicated load balancer is not required.
Your scenario, however, does require a load balancer, which you already have. The load balancer will have to act as a reverse proxy, accepting HTTP requests for the site in question and redirecting them to a number of web servers. You can do this with a web server like Apache, or you can use a dedicated proxy server like Squid. (Or you can use lighttpd, nginx, Varnish, and probably a few other products as well, but I don't have links to reverse proxy documentation for those.)
In short, iptables can't help you here, but a reverse proxy can.
It's not possible to load balance with the SNAT target, and since the servers are not in the same subnet, using the iptables CLUSTERIP target won't work either. CLUSTERIP load balances a virtual IP address between a number of nodes in the same broadcast domain by means of multicast ARP, and a dedicated load balancer is not required.
Your scenario, however, does require a load balancer, which you already have. The load balancer will have to act as a reverse proxy, accepting HTTP requests for the site in question and redirecting them to a number of web servers. You can do this with a web server like Apache, or you can use a dedicated proxy server like Squid. (Or you can use lighttpd, nginx, Varnish, and probably a few other products as well, but I don't have links to reverse proxy documentation for those.)
In short, iptables can't help you here, but a reverse proxy can.
The content is not only http but has rtmp. Its hard to manage rtmp with reverse proxy. So there are no rules in the IPtables which mask the IP's of the outgoing connections.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
