Discussion:
SNAT problem with alias IP
Paolo Tezza
2014-08-01 08:00:32 UTC
Hi all

I have a firewall with 3 physical NICs (LAN, WAN, DMZ)
I have 8 public IPs I can use on the WAN NIC (eth0)

so I configured some aliases on eth0:
eth0 x.x.x.234 Mask:255.255.255.248
eth0:0 x.x.x.235 Mask:255.255.255.248
eth0:1 x.x.x.237 Mask:255.255.255.248
eth0:2 x.x.x.238 Mask:255.255.255.248

eth1 10.0.0.254 Bcast:10.0.0.255 Mask:255.255.255.0

eth2 192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0


I have added this iptables rule, which works like a charm
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.234

both my LAN (eth2) and my DMZ (eth1) surf the internet with the physical IP


Now I need one host, 192.168.1.201, to be "masqueraded" with x.x.x.238,
so I add this rule ABOVE the first one:
iptables -t nat -A POSTROUTING -s 192.168.1.201 -o eth0 -j SNAT --to-source x.x.x.238



The issue is that 192.168.1.201 keeps using the physical IP x.x.x.234 and
not x.x.x.238

Some hint?

thanks


Paolo
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Anton Danilov
2014-08-01 17:48:18 UTC
Hello, Paolo.

After adding the new NAT rule, you should remove the existing conntrack
entries for the 192.168.1.201 flows. Otherwise these flows will keep using the
existing entries with the ...234 external address.
--
Anton.
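The check and the fix Anton describes, as an added example that is not part of the thread: a small POSIX shell script that scans `conntrack -L` style output for flows from 192.168.1.201 that are still translated to the old public address, and prints the commands to apply on the firewall. The public addresses use the documentation prefix 203.0.113.0/24 as a constructed stand-in for the poster's x.x.x.* range, the conntrack lines are constructed sample data, and the remediation commands are printed rather than executed so the script runs anywhere without root. One detail worth noting in passing: `iptables -A` appends, so a host-specific rule added that way lands after the catch-all SNAT rule; the example uses `-I POSTROUTING 1` so it is evaluated first.

```shell
#!/bin/sh
# Added example, not code from the netfilter thread.
# 203.0.113.x is a constructed stand-in for the poster's x.x.x.* public range.
HOST=192.168.1.201
OLD_SNAT=203.0.113.234
NEW_SNAT=203.0.113.238
WAN=eth0

# Constructed sample in the format printed by `conntrack -L`: the first
# src=/dst= pair is the original direction, the second pair is the reply
# direction, so the second dst= is the public address the flow was SNATed to.
# Two flows from the host still map to .234, one already maps to .238, and
# one belongs to a different host.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.201 dst=198.51.100.10 sport=50512 dport=443 src=198.51.100.10 dst=203.0.113.234 sport=443 dport=50512 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.201 dst=198.51.100.53 sport=40011 dport=53 src=198.51.100.53 dst=203.0.113.234 sport=53 dport=40011 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.201 dst=198.51.100.20 sport=50600 dport=80 src=198.51.100.20 dst=203.0.113.238 sport=80 dport=50600 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.7 dst=198.51.100.10 sport=41000 dport=443 src=198.51.100.10 dst=203.0.113.234 sport=443 dport=41000 [ASSURED] mark=0 use=1'

# stale_flows: read conntrack -L lines on stdin and print those whose original
# source is $HOST but whose reply destination is still $OLD_SNAT. These are the
# entries that keep the host on the old address after the rule change.
stale_flows() {
    awk -v host="$HOST" -v old="$OLD_SNAT" '
        {
            nsrc = 0; ndst = 0; osrc = ""; rdst = ""
            for (i = 1; i <= NF; i++) {
                # first src= token: original source address
                if ($i ~ /^src=/) { nsrc++; if (nsrc == 1) osrc = substr($i, 5) }
                # second dst= token: reply destination, i.e. the SNAT address
                if ($i ~ /^dst=/) { ndst++; if (ndst == 2) rdst = substr($i, 5) }
            }
            if (osrc == host && rdst == old) print
        }'
}

# count_stale: number of stale entries in the constructed sample
count_stale() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | stale_flows | wc -l | tr -d ' '
}

# remediation_cmds: commands to run as root on the firewall. Insert the
# host-specific rule at position 1 (ahead of the catch-all), drop the host's
# existing conntrack entries so new ones are created under the new rule, then
# list the NAT chain and the host's remaining entries to verify.
remediation_cmds() {
    cat <<EOF
iptables -t nat -I POSTROUTING 1 -s $HOST -o $WAN -j SNAT --to-source $NEW_SNAT
conntrack -D -s $HOST
iptables -t nat -L POSTROUTING -n -v --line-numbers
conntrack -L -s $HOST
EOF
}

echo "stale flows still using $OLD_SNAT: $(count_stale)"
remediation_cmds
```

On a live firewall, replace the constructed sample with `conntrack -L | stale_flows` to see exactly which entries are pinning the host to the old address before deleting them; `conntrack -D -s 192.168.1.201` drops only that host's entries, so the other hosts' established sessions are untouched.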
Paolo Tezza
2014-08-04 07:26:57 UTC
You hit the point!!
Thank you so much