Re: Change source address on incoming packets

On Sun, 2004-05-09 at 17:50, Joel Vosu wrote:
> I would need to be able to change the source address of incoming 
> packets. I have 2 different subnets, but I need the server to see the 
> packets from the 2nd subnet as coming from the 1st.
> in iptables it would be something like:
> iptables -A PREROUTING -t nat -s 2nd_subnet -j SNAT --to-source 
> local_machine
> but this is not possible because SNAT only works for outgoing packets in 
> POSTROUTING.
> Is there a way to get this to work other than adding a second router box 
> for NAT?
> I tried to do it like this:
> Added another IP address eth0:0 to the server,
> added rules:
> iptables -A PREROUTING -t nat -d eth0:0_ip -p tcp --dport server-port -j 
> DNAT --to-destination eth0_ip:server_port
> iptables -A POSTROUTING -t nat -d eth0_ip -p tcp --dport server_port -j 
> SNAT --to-source eth0:0_ip
> but when I check from: iptables -L -t nat -nv then the second rule does 
> not get used at all. I presume the packet intended for local machine does 
> not traverse the outgoing part of the nat table.
<snip>
I haven't tried or fully thought through any of these but here are a few
of the thoughts which came to my mind.

You may see the local packets in the POSTROUTING chain but on interface
lo instead of eth0.

If that doesn't work, I wonder if you can use iproute2.  It can do
stateless NAT independent of iptables (i.e., the reply packets will know
nothing of the original NAT and will need to have rules applied to them,
too).  I believe that will alter the packet after it leaves the
PREROUTING chain of the nat table. I'm not sure which address the filter
table will see.

You may also be able to do it with an iproute2 routing rule.  They can
be used to tell the server which ip to use for the source.  I haven't
looked at the details of doing this in a while so I do not recall if it
will do what you want off the top of my head.

In a recent RedHat distribution, you can find the iproute2 documentation
in /usr/share/doc/iproute-2.4.7/ip-cref.ps.  There is also a slide show
about using it in the training section on http://iscs.sourceforge.net.

Good luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
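To illustrate why the second rule in the quoted attempt shows zero packets, here is a small Python model of the 2.4-era nat-table traversal (PREROUTING, then a routing decision, then either INPUT or FORWARD/POSTROUTING). It is an added example, not code from the thread; the addresses (10.0.1.10 standing in for eth0_ip, 10.0.1.11 for eth0:0_ip, a client at 10.0.2.50) and port 8080 are constructed stand-ins.

```python
# Toy model of 2.4-era netfilter nat-table traversal for one inbound packet.
# Addresses, ports and rules are constructed stand-ins for the ones in the thread.
from dataclasses import dataclass

LOCAL_IPS = {"10.0.1.10", "10.0.1.11"}  # stand-ins for eth0_ip and eth0:0_ip
SERVER_PORT = 8080                        # stand-in for server_port

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class Rule:
    chain: str       # nat chain the rule lives in
    match_dst: str   # the -d address
    target: str      # "DNAT" rewrites dst, "SNAT" rewrites src
    to: str
    hits: int = 0    # what `iptables -L -t nat -nv` would show in the pkts column

    def apply(self, pkt: Packet) -> None:
        if pkt.dst != self.match_dst or pkt.dport != SERVER_PORT:
            return
        self.hits += 1
        if self.target == "DNAT":
            pkt.dst = self.to
        else:
            pkt.src = self.to

def run_chain(chain: str, rules: list, pkt: Packet) -> None:
    for rule in rules:
        if rule.chain == chain:
            rule.apply(pkt)

def traverse(pkt: Packet, rules: list) -> list:
    """Return the nat chains an inbound packet passes through, applying rules."""
    path = ["PREROUTING"]
    run_chain("PREROUTING", rules, pkt)
    # The routing decision comes *after* PREROUTING DNAT: a packet now addressed
    # to a local IP is delivered through INPUT and never reaches POSTROUTING.
    if pkt.dst in LOCAL_IPS:
        path.append("INPUT")
    else:
        path += ["FORWARD", "POSTROUTING"]
        run_chain("POSTROUTING", rules, pkt)
    return path

def quoted_attempt():
    rules = [Rule("PREROUTING", "10.0.1.11", "DNAT", "10.0.1.10"),
             Rule("POSTROUTING", "10.0.1.10", "SNAT", "10.0.1.11")]
    pkt = Packet(src="10.0.2.50", dst="10.0.1.11", dport=SERVER_PORT)
    path = traverse(pkt, rules)
    return path, pkt, [r.hits for r in rules]   # second rule stays at 0 hits
```

The model matches what the quoted counters showed: the DNAT rule fires, the packet is routed to INPUT, and the source address is never rewritten. Kernels from 2.6.34 onward add an INPUT chain to the nat table, which is where SNAT on locally delivered traffic became possible.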
