Re: SNAT based on MAC before routing

Linux Advanced Routing and Traffic Control

As far as I know you cannot do SNAT in PREROUTING.

If I understand your situation correctly, what you can do
is to mark the packets like you do below, route them
with iproute2 according to that mark, and at the very
end of the packet flow in your Linux box SNAT them based
on the MAC:

1) When the packet arrives:
iptables -t mangle -A PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j MARK --set-mark 1

2) Use the mark to route the packet through the right interface:
ip rule add  fwmark 1 table 7

3) SNAT the packet right before it leaves the Linux box:
iptables -t nat -A POSTROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j SNAT --to a.b.c.d


Ramin

On Wed, Nov 20, 2002 at 08:09:17PM +0100, Eduard Calvo (B-teljpa) EXP JAN 03 wrote:

>  
>   Hi gurus, 
>  
>   I need a way to do SNAT based on source MAC before routing. This is because 
> hosts attached to my gateway can have duplicate IP addresses, and I have to 
> distinguish between them.  
>  
>   I tried to use the nat tool that comes with iproute2, but this forces you to 
> make a mapping only address to address, and I wanted to do it by mark (I also 
> use iptables to do that). For example, I tried this: 
>   
>   iptables -t mangle -A PREROUTING -m mac --mac-source XX:XX:XX:XX:XX:XX -j MARK --set-mark 1 
>   ip rule add fwmark 1 nat to a.b.c.d lookup table <table> 
>  
>   And so I also did: 
>  
>   ip route add nat a.b.c.d via e.f.g.h 
>   (where e.f.g.h. is the IP associated with mac XX:XX:XX:XX:XX:XX) 
>  
>   This doesn't work. 
>  
>   I also tried to do a loop with the packets, forwarding them the first 
> time through the loopback interface (doing SNAT in POSTROUTING with iptables) 
> and routing them correctly the next time they come around (having passed through lo). 
> I do this by marking the packets coming from the lo interface, and having a 
> corresponding ip rule that forces them to go through the correct output interface 
> (let it be eth1). This way, I would want to be able to make a different routing 
> policy for each host (because the NAT'ed address is different for each one). 
> The only thing I observe is a funny looping that makes packets go round my box 
> until they die (TTL=0). 
>  
>   Can someone help me, please? 
>   Thanks in advance, and excuse my long mail. 
>  
>                                                Eduard. 
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
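Ramin's three steps as one script, added here as an example and not code from the thread or from either poster. It generates the mark / policy-route / SNAT rule set once per source MAC, which is what Eduard's duplicate-IP case needs: two hosts sharing an IP end up with different marks, different routing tables and different SNAT addresses. The MACs, the 192.0.2.0/24 addresses, the eth1 interface and the next hop are constructed sample data, not from the original post. Two details differ from Ramin's sketch: the POSTROUTING rule matches on the fwmark rather than on the MAC, because iptables' `mac` match only makes sense in PREROUTING, INPUT and FORWARD (that is where the incoming Ethernet header is still available), and the routing table is populated with a default route before the `ip rule` that points at it, so the rule never selects an empty table.

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Emits (and with APPLY=1 applies)
# one mark / policy-route / SNAT rule set per source MAC.
#
# Assumptions not stated in the original post: traffic leaves via eth1 with
# next hop 192.0.2.1, and the MAC/SNAT pairs in HOSTS are constructed data.

set -eu

OUT_IF=${OUT_IF:-eth1}
GATEWAY=${GATEWAY:-192.0.2.1}

# Constructed host list, one "MAC SNAT-address" pair per line. Both hosts may
# carry the same inner IP; the MAC is what tells them apart.
HOSTS='00:11:22:33:44:55 192.0.2.10
00:11:22:33:44:66 192.0.2.11'

# valid_mac MAC: succeed only for a well-formed colon-separated MAC.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# rules_for_host MAC MARK SNAT_IP
# Prints the four rules for one host. The mark doubles as the routing table
# number (any table in 1..252 works; Ramin used table 7 for mark 1).
rules_for_host() {
    mac=$1 mark=$2 snat=$3
    valid_mac "$mac" || { echo "rules_for_host: malformed MAC '$mac'" >&2; return 1; }
    cat <<EOF
# host $mac -> mark $mark, table $mark, SNAT $snat
iptables -t mangle -A PREROUTING -m mac --mac-source $mac -j MARK --set-mark $mark
ip route add default via $GATEWAY dev $OUT_IF table $mark
ip rule add fwmark $mark table $mark
iptables -t nat -A POSTROUTING -o $OUT_IF -m mark --mark $mark -j SNAT --to-source $snat
EOF
}

# build_rules HOSTLIST
# Emits the full rule set for every host, assigning marks 1, 2, ... in order.
# Returns 1 (and stops) if any MAC is malformed.
build_rules() {
    printf '%s\n' "$1" | {
        mark=0
        while read -r mac snat; do
            mark=$((mark + 1))
            rules_for_host "$mac" "$mark" "$snat" || exit 1
        done
        # 2.4-era kernels cache route lookups; flush so new rules take effect.
        echo "ip route flush cache"
    }
}

# Dry run by default; APPLY=1 pipes the commands into a root shell.
if [ "${APPLY:-0}" = 1 ]; then
    build_rules "$HOSTS" | sh -e
else
    build_rules "$HOSTS"
fi
```

Run it without arguments to review the generated commands, then `APPLY=1 ./snat-by-mac.sh` as root. One caveat a practitioner should keep in mind for the duplicate-IP case: connection tracking keys flows on the original IP 5-tuple, which contains neither the MAC nor the mark, so if both hosts open a connection from the same IP and the same source port to the same destination, the second flow is matched to the first host's conntrack entry and inherits its SNAT mapping.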
