RE: (newbie) SNAT woes

Hi,

Some people have helped me off the list and even though it all looked
strange and I don't know what happened, it's working now!

> What you've missed is that tcpdump and other utilities work on different
> layers and if I'm not wrong (hopefully not) it's seeing the packets
> before the SNAT.

tcpdump works below ipfilter, so I see what comes out of the filter.

> Also, better to use MASQUERADE rather than SNAT for workstation access
> to the internet.

Why? ... what I have read made me believe that SNAT was preferred whenever
possible, but I would be happy to hear something else.

Martin

> ____________________________________________
> George Vieira
> Systems Manager
> georgev@xxxxxxxxxxxxxxxxxxxxxx
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
>
> -----Original Message-----
> From: Martin Djernaes [mailto:martin@xxxxxxxxxxx]
> Sent: Friday, August 08, 2003 12:15 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: (newbie) SNAT woes
>
>
> Hi,
>
> I realise that you have seen mails like mine lots of times before, but I
> have spent hours reading howtos and googling for some hint as to why my
> very simple setup doesn't work.
>
> I have a simple box which is just supposed to do normal NATing of
> outgoing traffic so it uses the public IP address.
>
> I thought that I had it all set up right (that was at least what I
> understood from everything I read), so here is my nat table:
>
> # iptables -t nat -v -L
> Chain PREROUTING (policy ACCEPT 1774 packets, 193K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 1443 packets, 77156 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 SNAT       all  --  any    eth1    anywhere             anywhere           to:11.22.33.44
>
> Chain OUTPUT (policy ACCEPT 317 packets, 23092 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Now if I ping an external IP address from another box on the "inside"
> and run "tcpdump -ni eth1" on the gateway box, I will see the source
> address being unchanged! (and I don't get an icmp echo reply back).
>
> So what did I miss? Isn't it just a one-liner to turn SNAT on?
>
> Martin
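
The one hard fact in the quoted table is the `0 0` in front of the SNAT rule: with `-v`, `iptables -t nat -L` prints per-rule packet and byte counters, and a NAT rule that has never matched is the first thing to look at before reaching for tcpdump. The following is an added example, not code from the thread: a small parser for that listing format that turns each chain into a structure and reports rules whose counters are still zero. The sample listing is constructed from the nat table quoted above (same chains, same counters, line wrapping undone); the function names are my own.

```python
"""Parse `iptables -t nat -v -L` output and flag NAT rules that have never matched.

Added example for the thread above, not the poster's or netfilter's own code.
SAMPLE_LISTING is constructed from the nat table quoted in the mail, with the
mail client's line wrapping undone so every rule sits on one line.
"""
import re

SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 1774 packets, 193K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1443 packets, 77156 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    eth1    anywhere             anywhere           to:11.22.33.44

Chain OUTPUT (policy ACCEPT 317 packets, 23092 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Built-in chains print their policy and the counters of packets that fell
# through to it; user-defined chains print a reference count instead.
BUILTIN_CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)$")
USER_CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)$")

# Without -x, iptables -v abbreviates large counters with K/M/G (factor 1000).
_SUFFIX = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(token):
    """Turn an iptables counter such as '1774' or '193K' into an int."""
    if token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)


def parse_nat_listing(text):
    """Return {chain_name: {"policy": ..., "policy_pkts": ..., "policy_bytes": ..., "rules": [...]}}."""
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BUILTIN_CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {
                "policy": m.group(2),
                "policy_pkts": parse_count(m.group(3)),
                "policy_bytes": parse_count(m.group(4)),
                "rules": [],
            }
            continue
        m = USER_CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": None, "policy_pkts": 0, "policy_bytes": 0, "rules": []}
            continue
        fields = line.split()
        # Skip the column header and anything before the first chain header.
        if current is None or fields[0] == "pkts" or len(fields) < 9:
            continue
        pkts, nbytes, target, prot, opt, if_in, if_out, src, dst = fields[:9]
        chains[current]["rules"].append({
            "pkts": parse_count(pkts),
            "bytes": parse_count(nbytes),
            "target": target,
            "prot": prot,
            "in": if_in,
            "out": if_out,
            "src": src,
            "dst": dst,
            # Target options such as "to:11.22.33.44" follow the fixed columns.
            "extra": " ".join(fields[9:]),
        })
    return chains


def unmatched_rules(chains):
    """List (chain, 1-based rule number, target) for rules with a zero packet counter.

    A NAT rule that has never matched means the packets are not reaching it at
    all (e.g. not being forwarded, or leaving via a different interface than the
    one in the rule); tracing with tcpdump only helps once the counter moves.
    """
    found = []
    for name, chain in chains.items():
        for idx, rule in enumerate(chain["rules"], start=1):
            if rule["pkts"] == 0:
                found.append((name, idx, rule["target"]))
    return found


if __name__ == "__main__":
    parsed = parse_nat_listing(SAMPLE_LISTING)
    for chain, num, target in unmatched_rules(parsed):
        print(f"{chain} rule {num} ({target}) has matched no packets yet")
```

Run against the poster's table it reports the POSTROUTING SNAT rule as never matched, which is the observation the thread turns on: a zero counter says the forwarded packets are not reaching POSTROUTING on eth1, so the question is forwarding and interface selection, not the SNAT target itself.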
