[wellylug] iptables

Jamie Baddeley wellylug at vpc.co.nz
Sun Mar 27 22:40:39 NZST 2005


On Sun, 2005-03-27 at 22:06 +1200, Ewen McNeill wrote:
> In message <4245DE4B.40304 at cliffp.com>, Cliff Pratt writes:
> >Ewen McNeill wrote:
> >> In message <1111747857.15666.11.camel at munter>, Jamie Baddeley writes:
> >>>I'm trying to do some nat for my hosts on the Lan side. It's simple, I
> >>>want to snat any lan hosts to my exterior address. In this case the
> >>>exterior address is actually a vtun tunnel (i.e a device tun0) [...]
> >> 
> >> If it were me I'd try putting that rule into the PREROUTING and see if
> >> that improves the routing decisions.  And/or look at iproute2's ability
> >> to set the src address.
> >
> >You can't SNAT in a PREROUTING rule. 
> 
> Hmm, so you can't.  That's unfortunate.
> 
> In that case iproute2 is almost certainly going to need to be involved.
> It usually is for all non-trivial routing under Linux.  You can force
> the choice of a source address with iproute2, although it may be
> sufficient to ensure the traffic is routed correctly then apply the NAT
> through netfilter.

I've already done most of the stuff you guys have mentioned. FWIW, the
destination hosts are routed down the tunnel anyway, so regardless of
whether I nat or not, it goes down the tunnel.

I'll try messing around with iproute2 and src addresses and stuff and
report back.

It's most odd.

> 
> >For what he is doing I think he needs a MASQUERADE rule in the 
> >POSTROUTING chain of the nat table.
> 
> MASQUERADE is a poor man's SNAT.  It's intended solely for the situation
> where the external address may change during the time the routing rule
> is active -- and it deals with the problem by tearing down all
> connections when the address changes.  SNAT is recommended any time you
> can be sure the external address won't change so that the connection
> state survives the interfaces going up/down.

I'd argue that use of masquerade in this case is reasonable, and the
actual establishment of the interface is dependent on systems outside of
this one, so there's no guarantee it'll stand up. Anyway...



Cheers for the advice lads. I'll give it a crack.

jamie
-- 
Jamie Baddeley <wellylug at vpc.co.nz>
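The rules the thread is arguing about, written out as an added example (not from any poster in the thread): a small POSIX sh script that emits the POSTROUTING SNAT and MASQUERADE rules for LAN hosts leaving via the tunnel device, refuses SNAT or MASQUERADE in PREROUTING (the point Cliff makes), and emits the iproute2 route with an explicit source address that Ewen suggests. The interface name tun0 comes from the thread; the addresses and prefixes are constructed placeholders, and the script only prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Builds (does not apply) the
# netfilter and iproute2 commands under discussion.

EXT_IF="tun0"                 # exterior device (the vtun tunnel in the thread)
EXT_ADDR="192.0.2.1"          # constructed: address assigned to tun0
LAN_NET="192.168.1.0/24"      # constructed: LAN hosts to be translated
REMOTE_NET="198.51.100.0/24"  # constructed: destinations reached via the tunnel

# nat_rule TARGET CHAIN OUT_IF [ADDR]
# Prints an iptables nat-table rule, or fails for chains where the
# target does not exist: SNAT is valid in POSTROUTING and OUTPUT,
# MASQUERADE only in POSTROUTING; PREROUTING is for DNAT/REDIRECT.
nat_rule() {
    target=$1 chain=$2 out_if=$3 addr=$4
    case "$target:$chain" in
        SNAT:POSTROUTING|SNAT:OUTPUT)
            [ -n "$addr" ] || { echo "SNAT needs --to-source" >&2; return 1; }
            echo "iptables -t nat -A $chain -s $LAN_NET -o $out_if -j SNAT --to-source $addr" ;;
        MASQUERADE:POSTROUTING)
            echo "iptables -t nat -A $chain -s $LAN_NET -o $out_if -j MASQUERADE" ;;
        SNAT:*|MASQUERADE:*)
            echo "$target is not valid in the $chain chain" >&2; return 1 ;;
        *)
            echo "unsupported target $target" >&2; return 1 ;;
    esac
}

# src_route
# Prints the iproute2 route that forces the preferred source address for
# traffic to REMOTE_NET, so locally generated packets use EXT_ADDR even
# before any NAT rule is consulted.
src_route() {
    echo "ip route replace $REMOTE_NET dev $EXT_IF src $EXT_ADDR"
}

# Dry run: show the stable-address choice (SNAT), the changing-address
# choice (MASQUERADE), the route, and the rejected PREROUTING attempt.
nat_rule SNAT POSTROUTING "$EXT_IF" "$EXT_ADDR"
nat_rule MASQUERADE POSTROUTING "$EXT_IF"
src_route
if ! nat_rule SNAT PREROUTING "$EXT_IF" "$EXT_ADDR" 2>/dev/null; then
    echo "# SNAT in PREROUTING rejected, as expected"
fi
```

The script prints rather than runs the commands; review the output, then paste the lines you want into the firewall script as root. The choice between the two POSTROUTING rules is the one the thread debates: SNAT when the tunnel address is fixed, MASQUERADE when it may change while the rule is loaded.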



