LinuxQuestions.org
Old 07-25-2014, 06:58 PM   #1
psycroptic
Registered: Aug 2011
Location: USA
Distribution: ArchLinux - 3.0 kernel
why isn't this SNAT rule being hit?


In the process of setting up strongswan for remote access VPN on a Linux router. Clients are assigned IPs in the 192.168.251.0/24 subnet. Clients can connect in from the internet, and can access subnets behind the router. I have an iptables source NAT rule that translates traffic with a source IP of 192.168.251.0/24 to the address of the external interface of the router. Clients can ping out to the internet, and iptables is successfully NATting the pings. However, any other kind of traffic doesn't get NATted; the router sends it out to the internet with the original 192.168.251.0 address, which of course is unroutable. This makes absolutely no sense; why is ping traffic NATted but everything else isn't?

Here is my NAT table. I am ACCEPTing traffic with destination port 4500 and source address of 192.168.251.0/24 in both my INPUT and FORWARD chains of the filter table.

Code:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]


-A POSTROUTING -s 172.16.0.0/16 -o external -j MASQUERADE
-A POSTROUTING -s 10.11.12.0/24 -o external -j MASQUERADE
-A POSTROUTING -s 192.168.251.0/24 -o external -j SNAT --to-source 98.240.13.217
tcpdump on the external interface definitely shows VPN traffic exiting the router with private IPs of 192.168.251.x still intact, meaning the traffic isn't getting NATted. As well, "iptables -t nat -nvxL" shows the SNAT rule hit count staying at 0.

I have tried using MASQUERADE instead of SNAT for that last VPN subnet rule ("-A POSTROUTING -s 192.168.251.0/24 -o external -j MASQUERADE") which of course did not work either.
 
Old 07-25-2014, 08:51 PM   #2
psycroptic
So I ended up just doing a blanket masquerade on the external interface:

Code:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]


-A POSTROUTING -o external -j MASQUERADE
which behaves as intended.

Any idea why the SNAT rule wasn't working?
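As an added example that is not part of the original thread, the checker below walks the poster's POSTROUTING rules with netfilter's first-match semantics and reports which rule (if any) a packet with a given source address and egress interface should hit, which is the first thing to establish when a rule's counter stays at 0. The sample packets and the interface name "lan0" are constructed; only the -s, -o, -j and --to-source options are modelled.

```python
import ipaddress

# The poster's POSTROUTING rules, in iptables-save format (copied from the post).
NAT_RULES = """
-A POSTROUTING -s 172.16.0.0/16 -o external -j MASQUERADE
-A POSTROUTING -s 10.11.12.0/24 -o external -j MASQUERADE
-A POSTROUTING -s 192.168.251.0/24 -o external -j SNAT --to-source 98.240.13.217
"""

def parse_rules(text, chain="POSTROUTING"):
    """Parse '-A CHAIN ...' lines; only -s, -o, -j and --to-source are modelled, anything else raises."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if toks[:2] != ["-A", chain]:
            continue
        rule = {"src": None, "out": None, "target": None, "to_source": None}
        for opt, val in zip(toks[2::2], toks[3::2]):
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif opt == "-o":
                rule["out"] = val
            elif opt == "-j":
                rule["target"] = val
            elif opt == "--to-source":
                rule["to_source"] = val
            else:
                raise ValueError(f"unsupported option {opt!r} in: {line}")
        rules.append(rule)
    return rules

def nat_decision(rules, src_ip, out_iface, iface_addr):
    """First-match walk of the chain, as netfilter does it.  Returns (rule_index, source_after_nat);
    (None, src_ip) means no rule matched, the ACCEPT policy applies and the private source leaks out."""
    addr = ipaddress.ip_address(src_ip)
    for idx, r in enumerate(rules):
        if r["src"] is not None and addr not in r["src"]:
            continue
        if r["out"] is not None and r["out"] != out_iface:
            continue
        if r["target"] == "SNAT":
            return idx, r["to_source"]
        if r["target"] == "MASQUERADE":   # uses the egress interface's current address
            return idx, iface_addr
        return idx, src_ip
    return None, src_ip

if __name__ == "__main__":   # constructed sample packets; 98.240.13.217 is the post's external address
    for pkt in [("192.168.251.10", "external"), ("10.11.12.5", "external"), ("192.168.251.10", "lan0")]:
        print(pkt, "->", nat_decision(parse_rules(NAT_RULES), *pkt, iface_addr="98.240.13.217"))
```

If the checker says a packet should hit rule 2 but the live counter stays at 0, the packets reaching POSTROUTING do not look like the packet you modelled (different source, different egress interface, or a rule earlier in the chain), which narrows the tcpdump and counter inspection.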