[wellylug] iptables

Ewen McNeill wellylug at ewen.mcneill.gen.nz
Sun Mar 27 22:06:13 NZST 2005


In message <4245DE4B.40304 at cliffp.com>, Cliff Pratt writes:
>Ewen McNeill wrote:
>> In message <1111747857.15666.11.camel at munter>, Jamie Baddeley writes:
>>>I'm trying to do some nat for my hosts on the Lan side. It's simple, I
>>>want to snat any lan hosts to my exterior address. In this case the
>>>exterior address is actually a vtun tunnel (i.e. a device tun0) [...]
>> 
>> If it were me I'd try putting that rule into the PREROUTING and see if
>> that improves the routing decisions.  And/or look at iproute2's ability
>> to set the src address.
>
>You can't SNAT in a PREROUTING rule. 

Hmm, so you can't.  That's unfortunate.

In that case iproute2 is almost certainly going to need to be involved.
It usually is for all non-trivial routing under Linux.  You can force
the choice of a source address with iproute2, although it may be
sufficient to ensure the traffic is routed correctly then apply the NAT
through netfilter.

>For what he is doing I think he needs a MASQUERADE rule in the 
>POSTROUTING chain of the nat table.

MASQUERADE is a poor man's SNAT.  It's intended solely for the situation
where the external address may change during the time the routing rule
is active -- and it deals with the problem by tearing down all
connections when the address changes.  SNAT is recommended any time you
can be sure the external address won't change so that the connection
state survives the interfaces going up/down.

Ewen
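As an added example (not from this thread or its participants), the following POSIX shell builds the two POSTROUTING forms discussed above, emits the iproute2 `src` hint, and refuses a rule whose target cannot live in its chain (such as SNAT in PREROUTING). The LAN range 192.168.1.0/24, the device tun0 and the external address 10.8.0.2 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: build the nat-table rules discussed
# above and sanity-check chain/target pairings before applying them.
# Sample values are constructed: LAN 192.168.1.0/24, device tun0, external
# address 10.8.0.2.

# POSTROUTING rule for LAN -> DEV. With a fixed external address SNAT is
# used, so conntrack state survives the interface bouncing; without one,
# MASQUERADE is used (it rereads the address per connection and drops
# state when the interface goes down).
nat_rule() {
    lan="$1"; dev="$2"; ext="$3"
    if [ -n "$ext" ]; then
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
            "$lan" "$dev" "$ext"
    else
        printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
            "$lan" "$dev"
    fi
}

# iproute2 hint: pin the source address for traffic leaving via DEV so the
# routing decision already picks the tunnel address before netfilter NATs.
src_route() {
    dev="$1"; ext="$2"
    printf 'ip route replace default dev %s src %s\n' "$dev" "$ext"
}

# Reject rules whose target cannot live in the given chain: source NAT
# (SNAT/MASQUERADE) only works in POSTROUTING, DNAT only in
# PREROUTING/OUTPUT. Returns 0 if consistent, 1 otherwise.
check_rule() {
    rule="$1"
    chain=$(printf '%s\n' "$rule" | sed -n 's/.*-A \([A-Z]*\).*/\1/p')
    target=$(printf '%s\n' "$rule" | sed -n 's/.*-j \([A-Z]*\).*/\1/p')
    case "$target" in
        SNAT|MASQUERADE) [ "$chain" = POSTROUTING ] ;;
        DNAT)            [ "$chain" = PREROUTING ] || [ "$chain" = OUTPUT ] ;;
        *)               return 0 ;;
    esac
}

# Print each command, or run it when APPLY=1 (needs root and iptables).
emit() {
    for cmd in "$@"; do
        check_rule "$cmd" || { echo "refusing: $cmd" >&2; return 1; }
        if [ "${APPLY:-0}" = 1 ]; then sh -c "$cmd"; else echo "$cmd"; fi
    done
}

emit "$(nat_rule 192.168.1.0/24 tun0 10.8.0.2)" "$(src_route tun0 10.8.0.2)"
```

Run without APPLY to review the generated commands; set APPLY=1 as root to install them.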