[Gllug] Problems with postrouting and iptables

Simon A. Boggis simon at dcs.qmul.ac.uk
Sat Aug 23 00:37:00 UTC 2003


On Fri, 2003-08-22 at 17:03, andy at mac1systems.com wrote:
> Hi,
> 
> I'm having problems getting my system to only translate the source when
> going to eth1, my public interface.  It seems to be doing it on the private
> side as well.
> 
> I have 213.232.87.0/29 on the public side and 192.168.24.0/22 on the
> private.
> 
> ipv4 forwarding is enabled.
> 
> Each 192.168.x.0 is its own class C with the linux box having ip aliases on
> the eth0 port.

It's a slightly odd set up IMvHO, but OTOH I can't think of a reason for
it not to "mostly" work ...

As I understand it you've got:
  $ netmask --range 192.168.24.0/22
     192.168.24.0-192.168.27.255  (1024)
but you've chosen to configure this one physical network as:
  192.168.24.0/24  
  192.168.25.0/24
  192.168.26.0/24
  192.168.27.0/24
with the router having an IP address on each /24 network by virtue of an
alias?

I'm not quite sure what you win by doing this over the (IMHO) simpler
and definitely working solution of just configuring it as one big
classless (CIDR) network 192.168.24.0/22 with a network address
192.168.24.0 and broadcast 192.168.27.255 and a single address for the
router.

The one thing I think you'll have trouble with is broadcasts: some IP
stacks won't respond to a broadcast if it is inconsistent with the
device config - for example:

  host 192.168.24.1 with /24 broadcasts to 192.168.24.255 but the router
  is configured as 192.168.27.254 with /22 so it thinks the broadcast
  address is 192.168.27.255, and _may_ ignore the traffic. MAC level 
  broadcasts will work, cos they know nothing about IP.

Of course, you may not care, and aside from this I think it should work
(:

But anyway, back to the problem at hand...

> Connections from 192.168.27.x to a public get correctly SNATed and it works
> a treat (and from the others).
> 
> But also connections from 192.168.27.x to 192.168.25.x are also being
> SNATed and look like they are coming from the gateway, which I don't want.
> 
> I have the following in my script to add rules.
> 
>     iptables -A FORWARD -s $LOCAL_NET -d $LOCAL_NET -j ACCEPT
> 
>     iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 213.232.87.50
> 
> I've looked at the output from iptables -L and it doesn't show the nat list
> at all and a specific iptables -L nat gives an error that the tables not
> known?

You need to be looking at another "table". Packet filtering is done in
the "filter" table (there is a presumption that "iptables -A..." means
"iptables -t filter -A ..."), but nat is done in the nat table, and you
can also do stuff in the mangle table. To get completely full listings
of every rule in your config you could do:

for I in filter nat mangle ; do iptables --line-numbers -t $I -nvL ; done

Your SNAT rule looks similar to mine:

# iptables -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 3839 packets, 261K bytes)
 pkts bytes target     prot opt in     out     source              destination
 7094  417K SNAT       all  --  *      ppp+    10.0.0.0/8          0.0.0.0/0          to:111.222.333.444

... except I specify the source address. What you've got really does
look OK to me, and I'd expect it to work, so there's either a bug you're
exercising, or there's something else wacky in your config.

I suspect the latter, given that it sounds like you couldn't "see" the
"nat" table - you might have inserted a ton of rules in there, and some
previously inserted rule is matching before the one you think. If you
run the above command a few times and look for the packet count on the
rule, you should see it increase as hosts send to the outside.

My one suggestion is to try making your rule more specific:

>     iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 213.232.87.50

becomes

iptables -t nat -A POSTROUTING -s 192.168.24.0/22 -d ! 192.168.24.0/22 -o eth1 -j SNAT --to-source 213.232.87.50

but this is an unsatisfactory answer since what you say you have ought to
work.

You could post a link to the output of the above complete listing of all
rules in iptables, together with the output of "ip addr ls" and "ip
route ls table all" (or "ifconfig -a" and "route -n" if you don't have
the ip command).

Simon

-- 
----------------------------------------------------------------------
Dr Simon A. Boggis                                  Systems Programmer
Department of Computer Science,                     Tel. 020 7882 7522
Queen Mary, University of London, London E1 4NS UK. 
---- GPG public key <http://www.dcs.qmul.ac.uk/~simon/#publickey> ----
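As an added illustration of the diagnosis in the reply above (this is a small model written for this page, not code from the original thread or from iptables itself), the script below mimics first-match semantics and per-rule packet counters in a POSTROUTING chain. It assumes a constructed "stale" chain in which a catch-all SNAT rule sits above the intended `-o eth1` rule, and contrasts it with the more specific `-s LOCAL -d ! LOCAL -o eth1` rule; the flows and addresses are constructed samples.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.24.0/22")

@dataclass
class Rule:
    """One POSTROUTING rule: -o OUT -s SRC [!] -d DST -j TARGET, plus its pkts counter."""
    target: str
    out: Optional[str] = None                       # -o eth1; None matches any interface
    src: Optional[ipaddress.IPv4Network] = None     # -s 192.168.24.0/22
    dst: Optional[ipaddress.IPv4Network] = None     # -d 192.168.24.0/22
    dst_negated: bool = False                       # the "!" in "-d ! 192.168.24.0/22"
    pkts: int = 0                                   # the counter that iptables -nvL shows

    def matches(self, src: str, dst: str, oif: str) -> bool:
        if self.out is not None and self.out != oif:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in self.src:
            return False
        if self.dst is not None:
            in_dst = ipaddress.ip_address(dst) in self.dst
            if in_dst == self.dst_negated:   # plain -d needs in_dst; "-d !" needs not in_dst
                return False
        return True

def postrouting(chain: List[Rule], src: str, dst: str, oif: str) -> str:
    """First matching rule wins and bumps its counter; otherwise the chain policy (ACCEPT)."""
    for rule in chain:
        if rule.matches(src, dst, oif):
            rule.pkts += 1
            return rule.target
    return "ACCEPT"

def run(chain: List[Rule], flows) -> Tuple[List[str], List[int]]:
    verdicts = [postrouting(chain, s, d, oif) for s, d, oif in flows]
    return verdicts, [r.pkts for r in chain]

# Constructed flows: one host going out to the internet, one talking to a sibling /24.
FLOWS = [("192.168.27.5", "198.51.100.7", "eth1"),
         ("192.168.27.5", "192.168.25.9", "eth0")]

def stale_chain() -> List[Rule]:
    # A catch-all SNAT left over from an earlier experiment sits above the intended rule.
    return [Rule("SNAT"), Rule("SNAT", out="eth1")]

def tight_chain() -> List[Rule]:
    # The more specific rule suggested in the reply: -s LOCAL -d ! LOCAL -o eth1 -j SNAT.
    return [Rule("SNAT", out="eth1", src=LOCAL_NET, dst=LOCAL_NET, dst_negated=True)]

if __name__ == "__main__":
    for name, chain in (("stale", stale_chain()), ("tight", tight_chain())):
        print(name, run(chain, FLOWS))
```

Reading the counters is the point: in the stale chain the intended `-o eth1` rule never increments because the catch-all above it takes every packet, which is exactly what a full `-t nat -nvL` listing would reveal.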


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug