On Friday, 29 August 2014, 00:08:38, Pascal Hambourg wrote:
> Hello,
>
> Michael Schwartzkopff wrote:
> > For some special reasons I want to alter the IP address of outgoing
> > packets that are generated locally to a secondary IP address on my
> > machine. For a test I use the udp/echo service. Without any rules a
> > tcpdump looks like this:
> >
> > 192.168.56.101 is the primary address of the echo server and
> > 192.168.56.16 is the secondary address of the interface.
> >
> > 08:24:04.063987 IP 192.168.56.1.48462 > 192.168.56.16.echo: UDP, length 6
> > 08:24:04.064522 IP 192.168.56.101.echo > 192.168.56.1.48462: UDP, length 6
> >
> > So I add the iptables rule:
> >
> > iptables -t nat -I POSTROUTING -p udp -s 192.168.56.101 --sport 7 \
> >     -j SNAT --to-source 192.168.56.16
> >
> > now tcpdump shows that no answer packet is sent out any more:
> >
> > 08:24:16.851095 IP 192.168.56.1.55362 > 192.168.56.16.echo: UDP, length 6
> >
> >
> > With iptables -t nat -L POSTROUTING I can see that the rule is hit since
> > the counter increases. Also an iptables TRACE shows me that the rule is
> > hit. No filter appears in the TRACE log.
> >
> > Any ideas where the packet vanished?
>
> Clash with an existing connection entry (the one created by the incoming
> packet) -> source port changed or packet dropped.

SNAT indeed alters the source port; that is why the client does not recognize the packet now. But I did not find any way not to alter the source port.

Kind regards,

Michael Schwartzkopff

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
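The clash Pascal describes can be followed step by step with a small model of conntrack's tuple bookkeeping. The block below is an added illustration written for this page, not netfilter code and not anything posted in the thread: it replays the addresses and ports from the tcpdump output, records the inbound request as a conntrack entry, and then applies the SNAT rule to the locally generated reply. The rule it models is the one behind the symptom: a new entry is only created if the tuple it would answer to (the reply direction after NAT) is not already a key of an existing entry; otherwise NAT must pick a different source port. The linear port search and the flat list are simplifications of the kernel's hashed lookup and range-based port choice (assumptions, marked in the comments).

```python
"""Toy model of conntrack's tuple-uniqueness rule under SNAT (added example,
not netfilter code).  Addresses and ports come from the tcpdump lines in the
mail; the port-selection strategy is a simplifying assumption."""

from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Tuple:
    """One direction of a UDP flow, as conntrack keys it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def invert(t: Tuple) -> Tuple:
    """The opposite direction of a tuple: source and destination swapped."""
    return Tuple(t.dst_ip, t.dst_port, t.src_ip, t.src_port)


@dataclass
class Entry:
    original: Tuple   # direction the first packet of the flow travelled
    reply: Tuple      # direction answers travel, after any NAT mapping


class Conntrack:
    """Flat stand-in for the conntrack hash table (assumption: list scan)."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def lookup(self, t: Tuple) -> Optional[Entry]:
        """A packet belongs to an entry if it matches either of its directions."""
        for e in self.entries:
            if t in (e.original, e.reply):
                return e
        return None

    def tuple_taken(self, t: Tuple) -> bool:
        """Would a new entry answering to t collide with an existing key?"""
        return self.lookup(t) is not None


def snat(ct: Conntrack, pkt: Tuple, new_src_ip: str) -> Entry:
    """Apply 'SNAT --to-source new_src_ip' to a packet that starts a NEW flow.

    Keep the source port if the resulting reply tuple is free; otherwise walk
    the port space until one is free (assumption: the kernel instead picks
    within a range with a hashed/random start, but the outcome, a changed
    port, is the same).  Raise if nothing is free, i.e. the packet is dropped.
    """
    wanted = replace(pkt, src_ip=new_src_ip)
    for i in range(65535):
        port = (wanted.src_port - 1 + i) % 65535 + 1      # stay within 1..65535
        candidate = replace(wanted, src_port=port)
        if not ct.tuple_taken(invert(candidate)):
            entry = Entry(original=pkt, reply=invert(candidate))
            ct.entries.append(entry)
            return entry
    raise RuntimeError("no free source port: packet dropped")


CLIENT, PRIMARY, SECONDARY = "192.168.56.1", "192.168.56.101", "192.168.56.16"
ECHO = 7


def echo_exchange(inbound_tracked: bool = True) -> Tuple:
    """Replay the exchange from the mail; return the reply as seen on the wire.

    inbound_tracked=False models the request having left no conntrack entry
    (for example because it was NOTRACKed or had already expired).
    """
    ct = Conntrack()
    request = Tuple(CLIENT, 48462, SECONDARY, ECHO)
    if inbound_tracked:
        # The request is NEW; its untouched reply direction is
        # 192.168.56.16:7 -> 192.168.56.1:48462.
        ct.entries.append(Entry(original=request, reply=invert(request)))
    # The echo daemon answers from the primary address, so the answer matches
    # neither direction of the request's entry and starts a flow of its own.
    reply = Tuple(PRIMARY, ECHO, CLIENT, 48462)
    assert ct.lookup(reply) is None
    entry = snat(ct, reply, SECONDARY)
    return invert(entry.reply)          # NATed original direction = the wire


def client_accepts(sent: Tuple, received: Tuple) -> bool:
    """A connected UDP socket only delivers datagrams from the peer it sent to."""
    return (received.src_ip, received.src_port) == (sent.dst_ip, sent.dst_port)


if __name__ == "__main__":
    req = Tuple(CLIENT, 48462, SECONDARY, ECHO)
    for tracked in (True, False):
        wire = echo_exchange(tracked)
        print(f"inbound entry present={tracked}: reply leaves as "
              f"{wire.src_ip}:{wire.src_port}, client accepts: "
              f"{client_accepts(req, wire)}")
```

With the inbound entry present, port 7 on 192.168.56.16 is already the destination of that entry's original direction, so the SNATed reply goes out from another port and a client that sent to 192.168.56.16:7 discards it, which matches the second tcpdump capture. Without the entry, the model keeps port 7. On a real box, `conntrack -L -p udp` from conntrack-tools shows both entries side by side, including the rewritten port in the reply direction of the server's flow.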