SNAT working problem (is that a configuration problem?)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
on both routers, as both have eth0 directly connected.
Now, when I ping from HostA to HostB through Router1 and Router2, Router1 has to SNAT, and it does: it sends the ping to HostB, and HostB receives the ping packet with the source IP of Router1. But the reverse pong packet from HostB to HostA does not get its source IP changed at Router2. Why?
That's strange, because Router1 changes the source IP of HostA to its own IP 10.1.1.1 when the ping packet is sent from HostA to HostB.
If the rules that I specified are not doing that, does that mean routers have a default behaviour of changing the source IP of outgoing packets?
Question: From HostA, are you pinging HostB (172.16.1.100), or are you pinging Router2 (10.1.1.100)?
You should be pinging Router2 and redirecting the ICMP echo request to HostB from Router2. Otherwise you will end up with routing rather than NAT at Router2.
If you make a default policy of "DROP" on inbound eth0, you shouldn't be able to ping HostB the way you are.
Hello Matir,
I have already performed "echo 1 > /proc/sys/net/ipv4/ip_forward" on both machines.
Hello SirGertrude,
From HostA (192.168.1.100) I am pinging HostB (172.16.1.100).
What I want, among the three networks I have set up: whenever a packet for HostB (172.16.1.100) is generated at HostA (192.168.1.100), Router1 has to SNAT the outgoing packet from 192.168.1.100 to 10.1.1.1.
Similarly, whenever a packet for HostA (192.168.1.100) is generated at HostB (172.16.1.100), Router2 has to SNAT the outgoing packet from 172.16.1.100 to 10.1.1.100.
What should I do to achieve this? Because in my current configuration only the ping-originating host's router is able to SNAT, but the other side's router does not SNAT the reply packet. Why?
This is not working directly to your host because you only have established and related connections accepted coming in on your external interface (eth0) and out your internal interface (eth1), so anything that tries to come in to HostB originating from HostA will not be received, because it is initial traffic and not established or related:
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
Try creating a couple of additional rules above this to test ICMP, that say
and you also want this done on Router B, saying the same thing for the 172 address.
Actually, that second rule is not needed, since you are trying to ping it directly.
As long as both routers have the routes for those networks, Router1 knows to forward 172 to Router2 and vice versa.
Last edited by sal_paradise42; 05-09-2005 at 10:29 PM.
Let me clarify my response. What you should be doing is NAT on both routers. What you are currently doing is NAT on Router1 and routing on Router2. In order for SNAT to occur, the packet must reach the NAT table, which falls after the CONNTRACK and MANGLE table. CONNTRACK keeps track of connections and their state. MANGLE usually just marks a packet.
2. Packet hits Router1, SNAT takes place for connection originating from within (new Src: 10.1.1.1, Dst: 172.16.1.100)
3. Packet hits Router2, Router2 looks in routing table and finds network 172.16.1.0 is located on eth1. (Src: 10.1.1.1, Dst: 172.16.1.100)
4. Packet is routed to 172.16.1.100 and CONNTRACK marks it for its return. (Src: 10.1.1.1, Dst: 172.16.1.100)
5. HostB receives packet and replies. (Src: 172.16.1.100, Dst: 10.1.1.1)
6. Router2 receives packet and CONNTRACK looks at it FIRST. CONNTRACK recognizes the packet as the reply to the initial request and the packet is accepted to be further routed through the network. Neither the MANGLE nor NAT table even see the packet, therefore it will not go through SNAT process. (Src: 172.16.1.100, Dst: 10.1.1.1)
7. Router1 receives packet (checks CONNTRACK - nothing, checks NAT - sees entry awaiting the packet's return due to SNAT), then changes destination (DNAT) to HostA. (Src: 172.16.1.100, Dst: 10.1.1.1)
If you were to somehow rig Router2 to perform SNAT on the return packet, it would hit Router1 and be lost. This is because Router1 does not have an entry for a packet from 10.1.1.100; it only has an entry awaiting a packet from 172.16.1.100.
How to do what you want:
Use DNAT at Router2 to forward ICMP echo requests to HostB (172.16.1.100), then ping Router2 rather than HostB and the ICMP echo request will hit HostB. Here are the steps the packet would take in this case:
2. Packet hits Router1, SNAT takes place for connection originating from within (new Src: 10.1.1.1, Dst: 10.1.1.100)
3. Packet hits Router2, Router2 looks at NAT table and finds DNAT entry for ICMP echo request. DNAT changes destination to HostB. (Src: 10.1.1.1, Dst: 172.16.1.100)
4. HostB receives packet and replies (Src: 172.16.1.100, Dst: 10.1.1.1)
5. Router2 receives packet and CONNTRACK looks at it FIRST - nothing, NAT - realizes that this is a response to a previous packet (due to DNAT) and performs SNAT. (Src: 10.1.1.100, Dst: 10.1.1.1)
6. Router1 receives packet and realizes that this connection was a result of a previous SNATed connection and performs DNAT to the original source. (Src: 10.1.1.100, Dst: 192.168.1.100)
Done. Neither host knew who the other host really was. I hope this makes sense.
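The two packet walks in the post above, as an added example (a simulation written for this page, not kernel code and not anything the participants posted). It models the one rule that matters here: the nat table is consulted only for the first packet of a connection, conntrack stores the resulting binding, and every reply-direction packet gets only the inverse of that binding, so no POSTROUTING rule ever sees the reply at Router2. Topology and addresses are the thread's; the routers' LAN-side addresses (192.168.1.1 on Router1 eth1, 172.16.1.1 on Router2 eth1) are assumed because the thread does not give them, and the DNAT rule on Router2 is written as it would be in iptables: `-t nat -A PREROUTING -i eth0 -d 10.1.1.100 -j DNAT --to-destination 172.16.1.100`.

```python
"""Model of Linux conntrack + NAT for the two-router topology in this thread.
Added example, not kernel code: it simulates the behaviour the thread discusses.

Topology from the thread (LAN-side router addresses are assumed, see lead-in):
  HostA 192.168.1.100 -- eth1 [Router1] eth0 10.1.1.1 --- 10.1.1.100 eth0 [Router2] eth1 -- HostB 172.16.1.100
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flow_id: int  # ICMP echo id (or L4 port): what conntrack uses to tell flows apart


@dataclass
class Router:
    name: str
    ifaces: dict          # iface name -> its IP address
    routes: list          # (prefix, out_iface), most specific first
    nat: list = field(default_factory=list)  # dicts: chain, iface, target, to, optional match_dst
    # conntrack: original tuple -> expected reply tuple (identity mapping if NAT did not touch it)
    conntrack: dict = field(default_factory=dict)

    def route(self, dst):
        for prefix, iface in self.routes:
            if ipaddress.ip_address(dst) in ipaddress.ip_network(prefix):
                return iface
        raise LookupError(f"{self.name}: no route to {dst}")

    def reply_index(self):
        return {reply: orig for orig, reply in self.conntrack.items()}

    def handle(self, pkt, in_iface):
        """Forward one packet through this router; returns (translated packet, out_iface)."""
        key = (pkt.src, pkt.dst, pkt.flow_id)
        if key in self.conntrack:
            # ORIGINAL direction of a known connection: reuse the binding fixed on packet one
            reply = self.conntrack[key]
            out = Packet(reply[1], reply[0], pkt.flow_id)
        elif key in self.reply_index():
            # REPLY direction: only the inverse of the stored binding is applied.
            # The nat table is NOT consulted, so no POSTROUTING rule can SNAT this packet.
            orig = self.reply_index()[key]
            out = Packet(orig[1], orig[0], pkt.flow_id)
        else:
            # NEW connection: this is the one and only time the nat table is consulted
            src, dst = pkt.src, pkt.dst
            for rule in self.nat:  # nat PREROUTING runs before the routing decision
                if (rule["chain"] == "PREROUTING" and rule["iface"] == in_iface
                        and rule.get("match_dst", dst) == dst):
                    dst = rule["to"]
            out_iface = self.route(dst)
            for rule in self.nat:  # nat POSTROUTING runs after it
                if rule["chain"] == "POSTROUTING" and rule["iface"] == out_iface:
                    src = rule["to"] if rule["target"] == "SNAT" else self.ifaces[out_iface]
            self.conntrack[key] = (dst, src, pkt.flow_id)  # binding is now fixed for the flow
            out = Packet(src, dst, pkt.flow_id)
        return out, self.route(out.dst)


def build_routers(router2_dnat=False):
    """Both routers run the thread's 'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE'.
    With router2_dnat=True, Router2 also has the DNAT rule SirGertrude suggests (assumed form:
    'iptables -t nat -A PREROUTING -i eth0 -d 10.1.1.100 -j DNAT --to-destination 172.16.1.100')."""
    masq = {"chain": "POSTROUTING", "iface": "eth0", "target": "MASQUERADE"}
    r1 = Router("Router1", {"eth1": "192.168.1.1", "eth0": "10.1.1.1"},
                [("192.168.1.0/24", "eth1"), ("0.0.0.0/0", "eth0")], [masq])
    r2 = Router("Router2", {"eth0": "10.1.1.100", "eth1": "172.16.1.1"},
                [("172.16.1.0/24", "eth1"), ("0.0.0.0/0", "eth0")], [masq])
    if router2_dnat:
        r2.nat.insert(0, {"chain": "PREROUTING", "iface": "eth0", "target": "DNAT",
                          "match_dst": "10.1.1.100", "to": "172.16.1.100"})
    return r1, r2


def ping(target, router2_dnat=False):
    """HostA pings `target`; returns the (src, dst) pair seen on each link, in order."""
    r1, r2 = build_routers(router2_dnat)
    hops = {}
    req = Packet("192.168.1.100", target, flow_id=0x1234)
    hops["HostA->Router1"] = (req.src, req.dst)
    req, _ = r1.handle(req, "eth1")
    hops["Router1->Router2"] = (req.src, req.dst)
    req, _ = r2.handle(req, "eth0")
    hops["Router2->HostB"] = (req.src, req.dst)
    rep = Packet(req.dst, req.src, req.flow_id)  # HostB echoes back with addresses swapped
    hops["HostB->Router2"] = (rep.src, rep.dst)
    rep, _ = r2.handle(rep, "eth1")
    hops["Router2->Router1"] = (rep.src, rep.dst)
    rep, _ = r1.handle(rep, "eth0")
    hops["Router1->HostA"] = (rep.src, rep.dst)
    return hops


if __name__ == "__main__":
    for dnat, target in ((False, "172.16.1.100"), (True, "10.1.1.100")):
        print(f"\nRouter2 {'with DNAT' if dnat else 'plain routing'}, HostA pings {target}:")
        for link, (src, dst) in ping(target, dnat).items():
            print(f"  {link:16} src={src:15} dst={dst}")
```

Running it shows the two walks side by side: in the routing case the reply leaves Router2 as 172.16.1.100 -> 10.1.1.1 exactly as the original poster observed, because Router2's conntrack entry for that flow carries an identity binding; in the DNAT case the same inverse-binding step rewrites the reply's source to 10.1.1.100, which is the "SNAT" SirGertrude describes in step 5. The model deliberately omits the filter table and ICMP id remapping on collision.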
hello all,
Still not able to achieve what I want. Either my network configuration is wrong or I am not able to write the iptables rules.
The problem that I am facing is that I want to send any packet (TCP, UDP, ICMP) from HostA to HostB, which must go through Router1 and Router2. For that I added the IP forwarding rules:
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
Then I added the MASQUERADE rules:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
But only the request packet gets its source IP changed; the reply packet does not get SNATed on Router2 when a ping packet is sent from HostA to HostB.
As SirGertrude said, it's because of ip_conntrack, but it's on both Router1 and Router2. Then how do I hack ip_conntrack on Router2 to force it to do SNAT?