On Thu, 2003-02-13 at 18:55, Peter Hurley wrote:
> Is there an extension target that can be used in the PREROUTING chain of
> nat and/or mangle to alter the incoming source IP address? Say something
> in the form of...
>
> iptables -t nat -A PREROUTING -i eth1 -m mac --mac-source
> xx.xx.xx.xx.xx.xx -j SRC_MANGLE --from_src 192.168.50.17/32
>

You need to use -j SNAT on POSTROUTING:

iptables -t nat -A POSTROUTING -o eth0 -m mac --mac-source xx.xx.xx.xx.xx.xx -j SNAT --to-source 192.168.50.17

> The situation is this: an SNMP device accepts SNMP requests on two
> separate IP addresses. One IP is fixed and private, the other is
> dynamic/unknown. This device is on the outside of a private network
> being SNAT'ed. The problem is that even though it receives SNMP
> requests on the private IP address, it replies with the other
> dynamic/unknown IP address as the source.
>
> This means that ip_conntrack_core doesn't recognize the reply packet as
> belonging to the previous outgoing request.
>
> Matching the reply packet is easy with the MAC address, which is fixed.
> But I can't seem to get past that. Marking and using iproute2 won't
> work since only ip_conntrack* knows the reply path. Mapping both
> request and reply packets onto the same network (say 10.x.x.x) won't
> work because the two SNMP addresses aren't simple
> reflections/derivatives of each other (e.g., 192.168.50.17 and
> xx.xx.72.116).
>
> Perhaps I'm missing something that already exists in the stock
> netfilter?
>
> Thanks in advance,
>
> Peter Hurley
> phurley@imaginexd.com
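One caveat a practitioner will hit when trying the SNAT rule from the reply above: the `mac` match is only accepted in the PREROUTING, INPUT and FORWARD chains, so `-m mac` cannot be used directly in `nat POSTROUTING`. The usual workaround is to match the MAC in `mangle PREROUTING`, set a packet mark, and then SNAT on that mark in POSTROUTING. The script below, added here as an example and not part of the original thread, emits that rule pair. The interface names, the MAC address and the mark value 0x17 are assumptions for illustration; by default it only prints the commands (dry run), and setting `IPT=iptables` as root loads them for real.

```shell
#!/bin/sh
# Added example, not from the original thread: "mark by MAC in PREROUTING,
# SNAT by mark in POSTROUTING", because -m mac is not valid in POSTROUTING.
# Interface names, MAC address and mark value 0x17 are assumptions.
# Dry run by default; run with IPT=iptables (as root) to load the rules.
IPT="${IPT:-echo iptables}"

# validate_mac MAC -> 0 if MAC is six colon-separated hex octets, 1 otherwise
validate_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# snat_by_mac IN_IF OUT_IF MAC NEW_SRC
# Emits (or loads) the two rules: the MAC is matched where the mac match is
# permitted (PREROUTING), and the packet mark carries that decision to the
# nat POSTROUTING chain, where SNAT rewrites the source address.
snat_by_mac() {
    in_if=$1; out_if=$2; mac=$3; new_src=$4
    validate_mac "$mac" || { echo "bad MAC address: $mac" >&2; return 1; }
    $IPT -t mangle -A PREROUTING -i "$in_if" -m mac --mac-source "$mac" \
        -j MARK --set-mark 0x17
    $IPT -t nat -A POSTROUTING -o "$out_if" -m mark --mark 0x17 \
        -j SNAT --to-source "$new_src"
}

# Constructed sample invocation (eth1 inside, eth0 outside, made-up MAC).
snat_by_mac eth1 eth0 00:11:22:33:44:55 192.168.50.17
```

Note that this only makes the rule from the reply loadable; whether a rewrite in the NAT path helps with the reply-matching problem Peter describes is a separate question, since conntrack classifies the incoming packet before the nat PREROUTING chain sees it.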