[wellylug] iptables

Cliff Pratt enkidu at cliffp.com
Sat Mar 26 10:44:58 NZST 2005


Jamie Baddeley wrote:
> Hi,
> 
> I'm trying to do some nat for my hosts on the Lan side. It's simple, I
> want to snat any lan hosts to my exterior address. In this case the
> exterior address is actually a vtun tunnel (i.e a device tun0)
> 
> I'm using this:
> 
> iptables -t nat -A POSTROUTING -o tun0  -s 192.168.91.0/24 -j SNAT --to-source 203.96.174.134	
> 
> and I've also tried this:
> 
> iptables -t nat -A POSTROUTING -s 192.168.91.0/24 -o tun0 -j MASQUERADE
> 
> But, based on looking at the output of tcpdump, things are not working -
> no NAT happening.  I'm stuffed if I know why. The only thing I can think
> of is that the tun0 interface for some reason is not actually positioned
> postrouting as far as iptables is concerned...
> 
> Has anyone seen this? Or is there another way to make iptables do the
> right thing?
> 
Is forwarding switched on?

That is, is /proc/sys/net/ipv4/ip_forwarding set to 1?

From my limited experience, I'd say that MASQ is the way to go, 
since you are coming from one IP address to many.

Here's a chunk from my firewall, generated by Shorewall. 
Sorry about the line wrapping!

--------------------------------------
Chain PREROUTING (policy ACCEPT 35528 packets, 3439704 bytes)
     pkts      bytes target     prot opt in     out     source               destination
     2305   167906 net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    34509  3302106 loc_dnat   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 35325 packets, 2193418 bytes)
     pkts      bytes target     prot opt in     out     source               destination
    40880  2759787 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 33473 packets, 2154421 bytes)
     pkts      bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
     pkts      bytes target     prot opt in     out     source               destination
    11942   951494 MASQUERADE  all  --  *      *       192.168.2.0/24       0.0.0.0/0
-----------------------------------------

There's a POSTROUTING grab-all rule with a target of 
eth0_masq and the eth0_masq rule just MASQUERADEs everything.

Cheers,

Cliff
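The two things this reply asks about (is forwarding on, and is there actually a POSTROUTING SNAT/MASQUERADE rule for the LAN subnet leaving via the tunnel) can be checked with a small script. This is an added example, not from the post or from Shorewall; it assumes the kernel toggle lives at /proc/sys/net/ipv4/ip_forward and reads rules in the `iptables -t nat -S` (iptables-save) format. Subnet, interface and file path are parameters so it can be run against captured output.

```shell
#!/bin/sh
# Added example: verify the NAT prerequisites discussed in the thread.
# Defaults in the comments mirror the question: LAN 192.168.91.0/24 via tun0.

# forwarding_enabled FILE -> success when FILE holds "1".
# On a live box FILE is /proc/sys/net/ipv4/ip_forward (assumed path);
# taking it as an argument lets the check run against a constructed file.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# nat_rule_present SUBNET IFACE < rules
# Reads `iptables -t nat -S POSTROUTING` style lines from stdin and succeeds
# if some POSTROUTING rule matches -s SUBNET and -o IFACE and jumps to
# SNAT or MASQUERADE. Options are parsed by position, so order is irrelevant.
nat_rule_present() {
    awk -v subnet="$1" -v iface="$2" '
        BEGIN { found = 0 }
        $1 == "-A" && $2 == "POSTROUTING" {
            s = ""; o = ""; j = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") s = $(i + 1)
                if ($i == "-o") o = $(i + 1)
                if ($i == "-j") j = $(i + 1)
            }
            if (s == subnet && o == iface && (j == "SNAT" || j == "MASQUERADE")) {
                found = 1; exit
            }
        }
        END { exit !found }'
}

# nat_report SUBNET IFACE FORWARD_FILE < rules
# Prints one line per check and returns non-zero if either fails.
# Typical use on the router itself (needs root to read the nat table):
#   iptables -t nat -S POSTROUTING | nat_report 192.168.91.0/24 tun0 /proc/sys/net/ipv4/ip_forward
nat_report() {
    rc=0
    if forwarding_enabled "$3"; then echo "ok: ip_forward=1"
    else echo "FAIL: ip_forward is not 1 (sysctl -w net.ipv4.ip_forward=1)"; rc=1; fi
    if nat_rule_present "$1" "$2"; then echo "ok: POSTROUTING NAT rule for $1 out $2"
    else echo "FAIL: no POSTROUTING SNAT/MASQUERADE rule for $1 out $2"; rc=1; fi
    return $rc
}
```

Because the rule check parses `-S` output rather than the counter table shown above, it also catches the common slip of a rule that names the wrong outgoing interface (for example eth0 instead of tun0), which looks correct at a glance in `iptables -t nat -L`.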