IPtables and SNAT


Hi

I am a newbie to iptables with NAT. My network setup is as shown below


                      linuxbox2 (192.x.y.a)
                                    |
    (194.160.1.1)             |
    linuxbox1(eth1)-------- Switch ----- ftpserver
    (192.x.y.b)

BOX1 and BOX2 are in VLAN tagging via the switch. BOX1 is in a VLAN tag
with the FTPserver. So BOX2, in order to connect to the FTPserver, has to
route via BOX1, which has to do POSTROUTING (SNAT) and send the
FTP packets to the FTPserver.

The eth1 interface is configured with 2 IP addresses, one public and one
private.

All the traffic from BOX2 is routed to BOX1. I added the following rules
to my iptables setup on BOX1:

    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 21 -s 192.x.y.a -j ACCEPT
    $IPTABLES -t mangle -A FORWARD -p tcp --dport 21 -s 192.x.y.a -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -s 192.x.y.a -p tcp --dport 21 -j SNAT --to-source 194.160.1.1

If I ping from BOX2 to BOX1 it works fine. If I try to ftp to the
FTPserver then the NAT table in the iptables script on BOX1 is invoked
and the ftp is not successful.

If I do a tcpdump at eth1 I do see ftp packets coming from BOX2 to
BOX1 but no packets leaving from BOX1 to the ftpserver.

    IP 192.x.y.a.45388 > 10.p.q.r.21(ftpserver): S 1380128644:1380128644(0) win 5840 <mss 1460,sackOK,timestamp 16897 0,nop,wscale 2>
    IP 192.x.y.a.45388 > 10.p.q.r.21: S 1380128644:1380128644(0) win 5840 <mss 1460,sackOK,timestamp 17647 0,nop,wscale 2>
    IP 192.x.y.a.45388 > 10.p.q.r.21: S 1380128644:1380128644(0) win 5840 <mss 1460,sackOK,timestamp 19147 0,nop,wscale 2>

Actually 3 packets are sent from BOX2 to BOX1. The counters for the
various chains like PREROUTING and FORWARD show a count of 3, while the
POSTROUTING chain in the NAT table shows a count of 1. But tcpdump
doesn't show any packet leaving to the FTPSERVER.

So is the packet that entered the POSTROUTING chain being dropped?

**NOTE: All my iptables rules should be based on IP address and not on
interface, as there is a chance that interface names change but IP
addresses do not.**
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
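A complete, address-based version of this kind of setup, added here as an example and not the poster's own script: it enables forwarding, puts the forwarding rules in the filter table's FORWARD chain, loads the FTP conntrack helper so the data channel is tracked as RELATED, and SNATs traffic from BOX2 to the server. The addresses BOX2_IP and FTP_IP are constructed placeholders, and the functions run, snat_ftp_rules and show_state are assumptions; DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original post: address-based SNAT on BOX1 so
# that BOX2 can reach the FTP server through it. Addresses are constructed
# placeholders; DRY_RUN=1 (the default) only prints the commands,
# DRY_RUN=0 applies them as root on BOX1.
DRY_RUN="${DRY_RUN:-1}"
BOX2_IP="${BOX2_IP:-192.0.2.10}"        # BOX2, private side (constructed)
FTP_IP="${FTP_IP:-10.0.0.21}"           # FTP server (constructed)
PUBLIC_IP="${PUBLIC_IP:-194.160.1.1}"   # BOX1's public address from the post

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

snat_ftp_rules() {
    # 1. Without forwarding, a routed packet is dropped after PREROUTING and
    #    never reaches the nat POSTROUTING chain.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. FTP opens a second (data) connection: the conntrack helper marks it
    #    RELATED and nf_nat_ftp rewrites the addresses inside PORT/PASV.
    run modprobe -a nf_conntrack_ftp nf_nat_ftp
    run iptables -t raw -A PREROUTING -s "$BOX2_IP" -d "$FTP_IP" \
        -p tcp --dport 21 -j CT --helper ftp

    # 3. Forwarding decisions belong in the filter table's FORWARD chain
    #    (a DROP policy there silently discards routed traffic). Match on
    #    addresses only, as the post requires, never on interface names.
    run iptables -A FORWARD -s "$BOX2_IP" -d "$FTP_IP" -p tcp --dport 21 \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$BOX2_IP" -d "$FTP_IP" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$FTP_IP" -d "$BOX2_IP" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. SNAT everything from BOX2 to the server (control and data channel)
    #    to the public address. The nat table is consulted only for the first
    #    packet of a connection, so its counters stay below FORWARD's.
    run iptables -t nat -A POSTROUTING -s "$BOX2_IP" -d "$FTP_IP" \
        -j SNAT --to-source "$PUBLIC_IP"
}

# Live checks once applied: per-chain counters and the tracked control flow.
show_state() {
    run iptables -L FORWARD -v -n
    run iptables -t nat -L POSTROUTING -v -n
    run conntrack -L -p tcp --orig-port-dst 21
}

snat_ftp_rules
```

Run it as root with DRY_RUN=0 on BOX1 to apply, then show_state after an ftp attempt from BOX2 shows whether FORWARD or POSTROUTING is the chain that never sees the packet.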
