Performing IPTABLES postrouting on virtual nic interface

jdaniels73 · 08-02-2006, 10:02 AM

Hi,

RHEL3 Update 4
Net-SNMP 5.3.0.1
IPTables 1.2.8

I am attempting to add iptables rules to enable a SNMP trap to appear as though it is from a virtual nic IP address. For example, I have 2 SNMP agents, running on ports 161 (default, using real IP address 192.168.1.10 on eth0) and 163 (second snmpd, using the virtual ip 192.168.1.11 on eth0:1) and I want traps from one to appear to be from a different IP to traps from the other.

I have tried the following rules:

# iptables -t nat -A POSTROUTING -s 192.168.1.10 -o eth0 -j SNAT --to-source 192.168.1.11
But of course that rewrites every bit of IP traffic

The I tried:
# iptables -t nat -A POSTROUTING -s 192.168.1.10 -o eth0:1 -j SNAT --to-source 192.168.1.11
But IPtables didn't like the ":" character

Next I tried to differentiate on source port, and that required a protocol:
# iptables -t nat -A POSTROUTING -s 192.168.1.10 --protocol tcp --source-port 163 \
-j SNAT --to-source 192.168.1.11
# iptables -t nat -A POSTROUTING -s 192.168.1.10 --protocol udp --source-port 163 \
-j SNAT --to-source 192.168.1.11

This had no effect (possibly due to the way SNMP is based on top of existing protocols), so I wanted to base the distinction on source port alone but I cannot do this without specifying a protocol of either TCP or UDP.

So does anyone have any ideas as to how I can apply an IP address to this sort of traffic?

Many thanks,
Jon Daniels

win32sux · 08-02-2006, 12:35 PM

Quote:

Originally Posted by jdaniels73

Hi,

RHEL3 Update 4
Net-SNMP 5.3.0.1
IPTables 1.2.8

I am attempting to add iptables rules to enable a SNMP trap to appear as though it is from a virtual nic IP address. For example, I have 2 SNMP agents, running on ports 161 (default, using real IP address 192.168.1.10 on eth0) and 163 (second snmpd, using the virtual ip 192.168.1.11 on eth0:1) and I want traps from one to appear to be from a different IP to traps from the other.

I have tried the following rules:

# iptables -t nat -A POSTROUTING -s 192.168.1.10 -o eth0 -j SNAT --to-source 192.168.1.11
But of course that rewrites every bit of IP traffic

The I tried:
# iptables -t nat -A POSTROUTING -s 192.168.1.10 -o eth0:1 -j SNAT --to-source 192.168.1.11
But IPtables didn't like the ":" character

Next I tried to differentiate on source port, and that required a protocol:
# iptables -t nat -A POSTROUTING -s 192.168.1.10 --protocol tcp --source-port 163 \
-j SNAT --to-source 192.168.1.11
# iptables -t nat -A POSTROUTING -s 192.168.1.10 --protocol udp --source-port 163 \
-j SNAT --to-source 192.168.1.11

This had no effect (possibly due to the way SNMP is based on top of existing protocols), so I wanted to base the distinction on source port alone but I cannot do this without specifying a protocol of either TCP or UDP.

So does anyone have any ideas as to how I can apply an IP address to this sort of traffic?

Many thanks,
Jon Daniels

hi, i think this is *sorta* what you want - i'm not sure i fully understand your needs:

Code:

iptables -P FORWARD DROP

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.10 \
-m state --state NEW -j ACCEPT

iptables -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s 192.168.1.11 \
-m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -s 192.168.1.10 \
-j SNAT --to-source $EXT_IP_REAL

iptables -t nat -A POSTROUTING -s 192.168.1.11 \
-j SNAT --to-source $EXT_IP_ALIAS

if you could elaborate a little further it would be great... you could start by stating why these rules i posted don't meet your requirements, then we could modify them accordingly...