LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 08-02-2006, 10:02 AM   #1
jdaniels73
LQ Newbie
 
Registered: Jul 2006
Posts: 16

Rep: Reputation: 0
Performing IPTABLES postrouting on virtual nic interface


Hi,

RHEL3 Update 4
Net-SNMP 5.3.0.1
IPTables 1.2.8

I am attempting to add iptables rules to enable a SNMP trap to appear as though it is from a virtual nic IP address. For example, I have 2 SNMP agents, running on ports 161 (default, using real IP address 192.168.1.10 on eth0) and 163 (second snmpd, using the virtual ip 192.168.1.11 on eth0:1) and I want traps from one to appear to be from a different IP to traps from the other.

I have tried the following rules:

# iptables -t nat -A POSTROUTING -s 192.168.1.10 -o eth0 -j SNAT --to-source 192.168.1.11
But of course that rewrites every bit of IP traffic

The I tried:
# iptables -t nat -A POSTROUTING -s 192.168.1.10 -o eth0:1 -j SNAT --to-source 192.168.1.11
But IPtables didn't like the ":" character

Next I tried to differentiate on source port, and that required a protocol:
# iptables -t nat -A POSTROUTING -s 192.168.1.10 --protocol tcp --source-port 163 \
-j SNAT --to-source 192.168.1.11
# iptables -t nat -A POSTROUTING -s 192.168.1.10 --protocol udp --source-port 163 \
-j SNAT --to-source 192.168.1.11

This had no effect (possibly due to the way SNMP is based on top of existing protocols), so I wanted to base the distinction on source port alone but I cannot do this without specifying a protocol of either TCP or UDP.

So does anyone have any ideas as to how I can apply an IP address to this sort of traffic?

Many thanks,
Jon Daniels

Last edited by jdaniels73; 08-02-2006 at 10:07 AM.
 
Old 08-02-2006, 12:35 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by jdaniels73
Hi,

RHEL3 Update 4
Net-SNMP 5.3.0.1
IPTables 1.2.8

I am attempting to add iptables rules to enable a SNMP trap to appear as though it is from a virtual nic IP address. For example, I have 2 SNMP agents, running on ports 161 (default, using real IP address 192.168.1.10 on eth0) and 163 (second snmpd, using the virtual ip 192.168.1.11 on eth0:1) and I want traps from one to appear to be from a different IP to traps from the other.

I have tried the following rules:

# iptables -t nat -A POSTROUTING -s 192.168.1.10 -o eth0 -j SNAT --to-source 192.168.1.11
But of course that rewrites every bit of IP traffic

The I tried:
# iptables -t nat -A POSTROUTING -s 192.168.1.10 -o eth0:1 -j SNAT --to-source 192.168.1.11
But IPtables didn't like the ":" character

Next I tried to differentiate on source port, and that required a protocol:
# iptables -t nat -A POSTROUTING -s 192.168.1.10 --protocol tcp --source-port 163 \
-j SNAT --to-source 192.168.1.11
# iptables -t nat -A POSTROUTING -s 192.168.1.10 --protocol udp --source-port 163 \
-j SNAT --to-source 192.168.1.11

This had no effect (possibly due to the way SNMP is based on top of existing protocols), so I wanted to base the distinction on source port alone but I cannot do this without specifying a protocol of either TCP or UDP.

So does anyone have any ideas as to how I can apply an IP address to this sort of traffic?

Many thanks,
Jon Daniels
hi, i think this is *sorta* what you want - i'm not sure i fully understand your needs:
Code:
iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.10 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.11 \
-m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -s 192.168.1.10 \
-j SNAT --to-source $EXT_IP_REAL

iptables -t nat -A POSTROUTING -s 192.168.1.11 \
-j SNAT --to-source $EXT_IP_ALIAS
if you could elaborate a little further it would be great... you could start by stating why these rules i posted don't meet your requirements, then we could modify them accordingly...

Last edited by win32sux; 08-02-2006 at 12:43 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Bonding a virtual interface frd4460 Linux - Networking 3 11-01-2013 03:48 PM
Iptables postrouting question phatboyz Linux - Networking 8 01-31-2005 01:58 PM
iptables POSTROUTING doesn't match local-process replies. bentz Linux - Networking 3 03-10-2004 06:34 PM
c code for routing dynamically (just like performing iptables rule) becky_starr Linux - Software 0 01-15-2004 03:55 AM
virtual interface eth0:0 irfanasim Linux - General 2 10-11-2002 11:58 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 11:12 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration