[wellylug] iptables

Cliff Pratt enkidu at cliffp.com
Sun Mar 27 10:12:27 NZST 2005


Ewen McNeill wrote:
> In message <1111747857.15666.11.camel at munter>, Jamie Baddeley writes:
> 
>>I'm trying to do some nat for my hosts on the Lan side. It's simple, I
>>want to snat any lan hosts to my exterior address. In this case the
>>exterior address is actually a vtun tunnel (i.e a device tun0)
>>
>>I'm using this:
>>iptables -t nat -A POSTROUTING -o tun0 -s 192.168.91.0/24 -j SNAT --to-source 203.96.174.134
>>[but it doesn't work]
> 
> If you don't do the SNAT what interface does the traffic go out on?  My
> guess would be that it doesn't go out the vtun, it goes out the default
> route, because the source address doesn't match the vtun end point
> and/or it's not being routed through vtun.
> 
> If vtun is anything like IPSec tunnels, etc, then I'd suspect that (a)
> you'll need to ensure the address matches what the tunnel is prepared to
> carry and (b) you'll have to do that before the routing decision is
> made.
> 
> If it were me I'd try putting that rule into the PREROUTING and see if
> that improves the routing decisions.  And/or look at iproute2's ability
> to set the src address.
> 
> At very least you need to confirm that the unnatted traffic is actually
> going out through the vtun before you can expect a POSTROUTING rule to
> have any effect.
> 
> Ewen
> 
> PS: I used GRE tunnels for a similar setup in my case because GRE
>     tunnels do not have any notion of what "belongs" on the tunnel, you
>     just route traffic through them.
> 
You can't SNAT in a PREROUTING rule. You use DNAT in a 
PREROUTING rule, and he doesn't want to change the 
destination. For what he is doing I think he needs a 
MASQUERADE rule in the POSTROUTING chain of the nat table.

I'd forgotten about the routing. That's probably the answer.

Cheers,

Cliff
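An added example, not from the thread, that does the check Ewen asks for before trusting a POSTROUTING rule: read the egress device out of `ip route get` output, and only then emit the SNAT rule, or Cliff's MASQUERADE alternative when no fixed address is given. The LAN range, tun0 and 203.96.174.134 come from the thread; the sample route lines, the 203.0.113.1 gateway and the 8.8.8.8 test destination are constructed.

```sh
#!/bin/sh
# Added example: confirm the routing decision before adding NAT.
# A POSTROUTING rule with "-o tun0" never matches if the kernel
# already sends the LAN traffic out eth0 via the default route.

# Print the "dev" field from `ip route get` output read on stdin.
egress_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Build the POSTROUTING rule for an egress device. With a fixed public
# address use SNAT; with an empty address use MASQUERADE, which takes
# the outgoing interface's current address instead.
nat_rule() {
    dev="$1"; lan="$2"; pub="$3"
    if [ -n "$pub" ]; then
        echo "iptables -t nat -A POSTROUTING -o $dev -s $lan -j SNAT --to-source $pub"
    else
        echo "iptables -t nat -A POSTROUTING -o $dev -s $lan -j MASQUERADE"
    fi
}

# Return 0 if the route output names the expected device, else 1.
check_egress() {
    expected="$1"; route_out="$2"
    actual=$(printf '%s\n' "$route_out" | egress_dev)
    [ "$actual" = "$expected" ] && return 0
    echo "traffic leaves via ${actual:-unknown}, not $expected; fix routing first" >&2
    return 1
}

# Constructed samples of `ip route get 8.8.8.8 from 192.168.91.10`.
# BAD is the thread's situation: default route wins, tun0 is bypassed.
# GOOD is what you want to see before the NAT rule can have any effect.
SAMPLE_ROUTE_BAD='8.8.8.8 from 192.168.91.10 via 203.0.113.1 dev eth0 src 203.96.174.134 uid 0'
SAMPLE_ROUTE_GOOD='8.8.8.8 from 192.168.91.10 dev tun0 src 203.96.174.134 uid 0'

# Demonstration: refuse to emit the rule on the bad route, print it on the good one.
for route in "$SAMPLE_ROUTE_BAD" "$SAMPLE_ROUTE_GOOD"; do
    if check_egress tun0 "$route"; then
        nat_rule tun0 192.168.91.0/24 203.96.174.134
    fi
done
```

On a live box replace the constructed samples with `ip route get <dst> from <lan-host>` and run the printed rule only once check_egress succeeds.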
