Jan Engelhardt wrote:
> On Wednesday 2008-11-26 23:57, Bryan Duff wrote:
> > Here is the rule:
> > conntrack -I --orig-src 192.168.10.10 --orig-dst 192.168.2.206 --reply-src 192.168.2.206 --reply-dst 192.168.2.204 -p udp --orig-port-src 5000 --orig-port-dst 7002 --reply-port-src 7002 --reply-port-dst 7000 -u ASSURED -t 60
> > 192.168.10.10 is the phone in my LAN.
> > 192.168.2.204 is the local WAN address.
> > 192.168.2.206 is the remote address.
> > If that above rule is inserted, and I send traffic (that matches the rule) out the WAN from the LAN, why would it not SNAT the rule on the way out (from orig-src 192.168.10.10 to reply-dst 192.168.2.204)?
> You just set up a NAT mapping and even marked it ASSURED, so no further mapping modifications are accepted.
Wait. So I don't need to do anything else? It should work? Or is there still something I'm not doing (like setting up --src-nat in the conntrack -I command)? Because when the packet from 192.168.10.10 goes out eth1, it still has a source IP of 192.168.10.10 (and not 192.168.2.204).
I also assume that the SNAT rule below is ignored (when the conntrack rule above is used).
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.10.1/24 -m realm --realm 1 -j SNAT --to 192.168.2.204
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
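A small helper, added here and not part of the thread, that reads the conntrack -I line quoted above and reports which translation its original/reply tuples already encode: for a flow without NAT the reply tuple is the mirror of the original tuple, so any deviation from that mirror is the NAT mapping Jan refers to. The option parser is a simplified stand-in for conntrack's own getopt handling and only collects option/value pairs.

```python
import shlex

# The conntrack -I command from the thread, used here as sample input.
CONNTRACK_CMD = (
    "conntrack -I --orig-src 192.168.10.10 --orig-dst 192.168.2.206 "
    "--reply-src 192.168.2.206 --reply-dst 192.168.2.204 -p udp "
    "--orig-port-src 5000 --orig-port-dst 7002 --reply-port-src 7002 "
    "--reply-port-dst 7000 -u ASSURED -t 60"
)


def parse_conntrack_args(cmd):
    """Collect option/value pairs; valueless flags such as -I are skipped."""
    toks = shlex.split(cmd)
    opts = {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        if tok.startswith("-") and has_value:
            opts[tok.lstrip("-")] = toks[i + 1]
            i += 2
        else:
            i += 1
    return opts


def implied_nat(opts):
    """Return the address/port translation the entry's two tuples encode.

    Without NAT: reply-src == orig-dst and reply-dst == orig-src (ports
    included).  A changed reply-dst means the original direction's source
    is rewritten (SNAT); a changed reply-src means its destination is (DNAT).
    """
    orig_src = (opts["orig-src"], int(opts["orig-port-src"]))
    orig_dst = (opts["orig-dst"], int(opts["orig-port-dst"]))
    reply_src = (opts["reply-src"], int(opts["reply-port-src"]))
    reply_dst = (opts["reply-dst"], int(opts["reply-port-dst"]))
    nat = {}
    if reply_dst != orig_src:
        nat["SNAT"] = (orig_src, reply_dst)   # source rewritten on the way out
    if reply_src != orig_dst:
        nat["DNAT"] = (orig_dst, reply_src)   # destination rewritten on the way out
    return nat


if __name__ == "__main__":
    for kind, (before, after) in implied_nat(parse_conntrack_args(CONNTRACK_CMD)).items():
        print(f"{kind}: {before[0]}:{before[1]} -> {after[0]}:{after[1]}")
```

For the entry in the thread this reports only a source mapping, 192.168.10.10:5000 to 192.168.2.204:7000, which is the same translation the POSTROUTING SNAT rule would otherwise have been asked to choose.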