[wellylug] iptables
Ewen McNeill
wellylug at ewen.mcneill.gen.nz
Sun Mar 27 08:06:24 NZST 2005
In message <1111747857.15666.11.camel at munter>, Jamie Baddeley writes:
>I'm trying to do some nat for my hosts on the Lan side. It's simple, I
>want to snat any lan hosts to my exterior address. In this case the
>exterior address is actually a vtun tunnel (i.e a device tun0)
>
>I'm using this:
>iptables -t nat -A POSTROUTING -o tun0 -s 192.168.91.0/24 -j SNAT --to-source 203.96.174.134
>[but it doesn't work]
If you don't do the SNAT, what interface does the traffic go out on? My
guess would be that it doesn't go out the vtun, it goes out the default
route, because the source address doesn't match the vtun end point
and/or it's not being routed through vtun.
If vtun is anything like IPSec tunnels, etc, then I'd suspect that (a)
you'll need to ensure the address matches what the tunnel is prepared to
carry and (b) you'll have to do that before the routing decision is
made.
If it were me I'd try putting that rule into the PREROUTING and see if
that improves the routing decisions. And/or look at iproute2's ability
to set the src address.
At the very least you need to confirm that the unnatted traffic is actually
going out through the vtun before you can expect a POSTROUTING rule to
have any effect.
Ewen
PS: I used GRE tunnels for a similar setup in my case because GRE
tunnels do not have any notion of what "belongs" on the tunnel, you
just route traffic through them.
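As an added example (not part of the original thread, and not Ewen's or Jamie's code), the following POSIX shell script carries out the check the reply asks for: before expecting a POSTROUTING SNAT rule to fire, confirm which device and source address the kernel's routing decision already picks, using the output of `ip route get`. The script parses constructed sample output rather than calling `ip` itself, so it runs offline; the device name tun0 and the address 203.96.174.134 come from the thread, while eth0, 203.96.174.1, 10.0.0.2 and the destination 8.8.8.8 are assumed sample values. It also prints the iproute2 command shape (`ip route add ... dev ... src ...`) that Ewen's "set the src address" suggestion refers to, without executing it.

```shell
#!/bin/sh
# Constructed sample output of `ip route get 8.8.8.8` (hypothetical values).
# Case 1: kernel picks the default route, not the tunnel, so a
# "-o tun0" POSTROUTING rule would never match.
SAMPLE_DEFAULT='8.8.8.8 via 203.96.174.1 dev eth0 src 203.96.174.134 uid 0
    cache'
# Case 2: kernel already routes the destination over the tunnel.
SAMPLE_TUN='8.8.8.8 dev tun0 src 10.0.0.2 uid 0
    cache'

# route_dev: extract the "dev" field (egress interface) from `ip route get` output.
route_dev() {
  printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# route_src: extract the "src" field (source address the kernel would choose).
route_src() {
  printf '%s\n' "$1" | sed -n 's/.* src \([^ ]*\).*/\1/p' | head -n 1
}

# check_egress ROUTE_OUTPUT EXPECTED_DEV
# Succeeds only when the routing decision already sends traffic out EXPECTED_DEV;
# that is the precondition for a "-o EXPECTED_DEV" POSTROUTING rule to have any effect.
check_egress() {
  dev=$(route_dev "$1")
  [ "$dev" = "$2" ]
}

# src_route_cmd PREFIX DEV ADDR
# Builds (but does not run) the iproute2 command that pins the preferred source
# address for a route, the "set the src address" approach mentioned in the reply.
src_route_cmd() {
  printf 'ip route add %s dev %s src %s\n' "$1" "$2" "$3"
}

# Demonstration over the two constructed samples (real use: ROUTE=$(ip route get DEST)).
for sample in "$SAMPLE_DEFAULT" "$SAMPLE_TUN"; do
  echo "egress dev: $(route_dev "$sample"), src: $(route_src "$sample")"
  if check_egress "$sample" tun0; then
    echo "  traffic already leaves via tun0; a POSTROUTING -o tun0 SNAT rule can match"
  else
    echo "  traffic does NOT leave via tun0; fix routing first, e.g.:"
    echo "  $(src_route_cmd 0.0.0.0/0 tun0 203.96.174.134)"
  fi
done
```

Run it as-is to see both cases; in practice replace the sample strings with the real output of `ip route get <destination>` on the NAT box. The address handed to `src` must be one the tunnel peer is prepared to carry, which is Ewen's point (a).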