Dmitry Melekhov a écrit : > > I'm trying to do DNAT/SNAT on the same host with connmark and can't get > it working. > > My host has static ip 192.168.22.252 and it can get address > 192.168.22.99 from VRRP, so bind doesn't listen on 192.168.22.99, Why not ? > but if host got this address it has to answer on it the same as on > 192.168.22.252. > > So , if traffic goes to 192.168.22.99 port 53 udp, I need to redirect it > to 192.168.22.252:53, Not if you can have BIND to listen on 192.168.22.99 when your host gets the address. > and if it was to 192.168.22.99 host need to reply from this address. This is automatic with stateful destination NAT (DNAT). > DNAT part works: > > #mark > iptables -t mangle -A PREROUTING -d 192.168.22.99 -p udp --dport 53 -j > CONNMARK --set-mark 0x100 > > #restore mark inside connection > iptables -t mangle -A PREROUTING -d 192.168.22.99 -p udp --dport 53 -j > CONNMARK --restore-mark > > #do NAT > iptables -t nat -A PREROUTING -m mark --mark 0x100 -j DNAT > --to-destination 192.168.22.252 What a complicated setup. Why not just this : iptables -t nat -A PREROUTING -d 192.168.22.99 -p udp --dport 53 \ -j DNAT --to-destination 192.168.22.252 > But SNAT doesn't: > > #restore mark > iptables -A POSTROUTING -t mangle -j CONNMARK --restore-mark > > #do nat > iptables -t nat -A POSTROUTING -m mark --mark 0x100 -j SNAT --to-source > 192.168.22.99 > > I see that no packets hit rule: Of course not. Stateful NAT automatically takes care of reply packets and replaces addresses as expected by the original sender. Only the first packet of a new connection goes throught the chains of the nat table. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
