how to add iptables NAT exception

brgsousa · 05-20-2010, 02:56 PM

Hi everyone,
I'm having some trouble with NAT in my gateway.

For the 10.13.0.0/16 network, I do not want to apply NAT through the gateway. However, the way it is configured, it is applying SOURCE NAT to traffic coming from 10.13.0.0/16 and changing source ip address to 8.8.8.1
For example, pinging from 10.13.0.11 to 10.101.14.1 (passing through the gateway, which is also a router in this case), then SNAT is applied and the ip packet gets changed to :
--------------------------------
| source address : 8.8.8.1_____|
--------------------------------
| dest. address_ : 10.101.14.1 |
--------------------------------

NAT's configuration in gateway/router:

Code:

iptables -t nat -A POSTROUTING -d 8.8.8.0/24 -o $EXTERNAL -j RETURN
iptables -t nat -A POSTROUTING -d 10.0.0.0/8 -o $EXTERNAL -j RETURN
iptables -t nat -A POSTROUTING -o $EXTERNAL -j LOG

iptables -t nat -A POSTROUTING -s 10.11.0.0/16 -d ! 8.8.8.0/24 -j SNAT --to-source 8.8.8.41
iptables -t nat -A POSTROUTING -s 10.12.0.0/16 -d ! 8.8.8.0/24 -j SNAT --to-source 8.8.8.42

iptables -t nat -A POSTROUTING -d ! 8.8.8.0/24 -j SNAT --to-source 8.8.8.1

So, I don't want to apply SNAT to traffic comming from 10.13.0.0/16.
How can I add this SNAT exception?

Berhanie · 05-20-2010, 11:17 PM

I think you just need to put this rule above all the other nat POSTROUTING rules:

Code:

iptables -t nat -A POSTROUTING -s 10.13.0.0/16 -j ACCEPT

brgsousa · 05-26-2010, 11:57 AM

worked