SNAT from multiple interfaces with the same IP?

Patrick McHardy kaber at trash.net
Sun Dec 4 16:31:59 CET 2005


Carl-Daniel Hailfinger wrote:
> Hi,
> 
> some time ago, I read that netfilter is unable to perform SNAT
> for identical ranges on different interfaces.
> 
> Scenario:
> 
> eth0: 192.168.0.1/16
> eth1: 192.168.0.1/16
> eth2: 10.2.0.1/8
> 
> iptables -t nat -A POSTROUTING -i eth0 -s 192.168.0.0/16 -j SNAT --to-source 10.0.0.0-10.0.255.255
> iptables -t nat -A POSTROUTING -i eth1 -s 192.168.0.0/16 -j SNAT --to-source 10.1.0.0-10.1.255.255
> 
> Will that work or is connection tracking unable to differentiate
> between the 192.168/16 subnets on eth0 and eth1? My problem is
> that although the ranges on eth0 and eth1 are sparsely populated,
> some IPs exist in both networks. Communication between the networks
> on eth0 and eth1 is not necessary, I just want them to be able to
> communicate with the outside (on eth2).

I don't see why it wouldn't work, but you can't use -i in POSTROUTING
directly, you need to mark the packets or just SNAT unconditionally.
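The marking approach from the reply, spelled out as an added example (this is not code from the thread or from the netfilter project): the ingress interface is only known in PREROUTING, so a per-interface mark is set in the mangle table there and matched with `-m mark` in nat POSTROUTING, where `-i` is not accepted. Interface names and address ranges are Carl-Daniel's; the mark values 0x1/0x2 and the `-o eth2` restriction are assumptions. The script emits the rules as text so they can be reviewed first and applied with `sh` as root.

```shell
#!/bin/sh
# Added example: per-interface SNAT for two inside networks that share the
# 192.168.0.0/16 range. Marks are set where the input interface is visible
# (mangle PREROUTING) and consumed in nat POSTROUTING, which has no -i match.
# Mark values and the -o eth2 restriction are assumptions, not from the thread.

# snat_rules IFACE MARK TO_RANGE
# Print the two iptables(8) commands needed for one inside interface.
snat_rules() {
    iface=$1 mark=$2 to_range=$3
    printf 'iptables -t mangle -A PREROUTING -i %s -s 192.168.0.0/16 -j MARK --set-mark %s\n' \
        "$iface" "$mark"
    printf 'iptables -t nat -A POSTROUTING -o eth2 -m mark --mark %s -j SNAT --to-source %s\n' \
        "$mark" "$to_range"
}

# ruleset
# Print the complete ruleset for Carl-Daniel's scenario. Apply with:
#   sh thisscript.sh | sh        (as root, kernel with MARK target/mark match)
ruleset() {
    snat_rules eth0 0x1 10.0.0.0-10.0.255.255
    snat_rules eth1 0x2 10.1.0.0-10.1.255.255
}

ruleset
```

Only the first packet of a connection traverses the nat table, so a plain per-packet mark is enough here; later packets follow the conntrack entry. One caveat worth knowing for overlapping ranges: conntrack keys its lookup on the L3/L4 tuple alone, with no interface field, so two flows that are identical in source address, source port, destination and protocol arriving on eth0 and eth1 at the same time would be treated as the same connection and both translated to the first one's address.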
