Jan Engelhardt wrote:
> On Wednesday 2010-06-16 17:09, Patrick McHardy wrote:
>
>>
>> This works well, but is needlessly complicated for cases where only
>> a single SNAT/DNAT mapping needs to be applied to these packets. In that
>> case, all that needs to be done is to assign each network to a separate
>> zone and perform NAT as usual. However this doesn't work for packets
>> destined for the machine performing NAT itself since it's currently not
>> possible to configure SNAT mappings for the LOCAL_IN chain.
>>
>> Example usage with two identical networks (192.168.0.0/24) on eth0/eth1:
>>
>> # assign packets from each interface to a separate zone and mark them for NAT
>>
>> iptables -t raw -A PREROUTING -i eth0 -j CT --zone 1
>> iptables -t raw -A PREROUTING -i eth0 -j MARK --set-mark 1
>> iptables -t raw -A PREROUTING -i eth1 -j CT --zone 2
>> iptables -t raw -A PREROUTING -i eth1 -j MARK --set-mark 2
>>
>> # SNAT packets to private networks: eth0 -> 10.0.0.0/24, eth1 -> 10.0.1.0/24
>>
>> iptables -t nat -A INPUT -m mark --mark 1 -j NETMAP --to 10.0.0.0/24
>> iptables -t nat -A POSTROUTING -m mark --mark 1 -j NETMAP --to 10.0.0.0/24
>> iptables -t nat -A INPUT -m mark --mark 2 -j NETMAP --to 10.0.1.0/24
>> iptables -t nat -A POSTROUTING -m mark --mark 2 -j NETMAP --to 10.0.1.0/24
>>
>
> I am not sure I follow whatever this is supposed to do.
>
> Packet from eth0: src=10.0.0.15 dst=10.0.1.22
> INPUT#NETMAP will dst transform that to dst=10.0.0.22

nat/INPUT performs source NAT, not destination NAT.

> POSTROUTING#NETMAP will src transform that to src=10.0.0.15
>
> It is this step that makes no sense to me.

Does it make sense now?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
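A small model of the setup from the patch description, added here as an illustration and not code from the patch or from netfilter: two interfaces carry the same 192.168.0.0/24, each is put in its own conntrack zone and fwmark, and NETMAP source NAT is applied by mark in nat/INPUT (locally destined) or nat/POSTROUTING (forwarded). The NAT box address 10.0.2.1 and the dictionary-based conntrack table are assumptions of this model.

```python
import ipaddress

# Constructed model of the patch's example configuration (not kernel code).
ORIG_NET = ipaddress.ip_network("192.168.0.0/24")   # the duplicated network on eth0 and eth1
ZONE_BY_IFACE = {"eth0": 1, "eth1": 2}             # -j CT --zone N and -j MARK --set-mark N
NETMAP_BY_MARK = {1: ipaddress.ip_network("10.0.0.0/24"),   # eth0 -> 10.0.0.0/24
                  2: ipaddress.ip_network("10.0.1.0/24")}   # eth1 -> 10.0.1.0/24
LOCAL_ADDRS = {ipaddress.ip_address("10.0.2.1")}   # assumed address of the NAT box itself


def netmap(addr, dst_net):
    """NETMAP keeps the host bits of addr and swaps in the network bits of dst_net."""
    host_bits = int(addr) & int(dst_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)


def nat_inbound(conntrack, iface, src, dst):
    """Run one inbound packet through raw/PREROUTING (zone + mark) and then the
    source-NAT hook: nat/INPUT if the box itself is the destination, otherwise
    nat/POSTROUTING. Returns (hook, translated_src, zone)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    zone = mark = ZONE_BY_IFACE[iface]
    hook = "INPUT" if dst in LOCAL_ADDRS else "POSTROUTING"
    new_src = netmap(src, NETMAP_BY_MARK[mark]) if src in ORIG_NET else src
    # The zone is part of the conntrack key, so two hosts with the same
    # 192.168.0.x address on eth0 and eth1 get separate, non-colliding entries.
    conntrack[(zone, str(src), str(dst))] = str(new_src)
    return hook, str(new_src), zone


def undo_snat(conntrack, reply_dst):
    """Reply path: the translated source is now the reply's destination; conntrack
    maps it back to the original address and tells us which zone it belongs to."""
    for (zone, orig_src, _orig_dst), mapped in conntrack.items():
        if mapped == reply_dst:
            return zone, orig_src
    return None


if __name__ == "__main__":
    ct = {}
    # The same source address arriving on both interfaces, both destined for the box.
    print(nat_inbound(ct, "eth0", "192.168.0.15", "10.0.2.1"))  # ('INPUT', '10.0.0.15', 1)
    print(nat_inbound(ct, "eth1", "192.168.0.15", "10.0.2.1"))  # ('INPUT', '10.0.1.15', 2)
    print(undo_snat(ct, "10.0.1.15"))                            # (2, '192.168.0.15')
```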