Problems with SNAT
Patrick McHardy
kaber at trash.net
Fri Sep 15 09:08:08 CEST 2006
Yuriy Popyk wrote:
> Hello
>
> I have written this mail to netfilter at lists.netfilter.org but nobody
> answered,
> so can I ask you?
>
>
> We have a LAN with IPs in a private range.
> The problem is described with the following picture:
>
> ----------     ----------
> |  PC2   |-----|   R2   |
> ----------     ----------
>                    |
>                    |
>                ----------        ----------
>                |   R1   |--------|  PC1   |
>                ----------        ----------
>                    |
>                ----------
>                |  ISP   |
>                ----------
>
> R1 - router 1, linux
> R2 - router 2, ms windows 2000
> PC1 - pc 1, ms windows XP
> PC1 - pc 1, ms windows 2000
>
> when I'm trying to set SNAT on R1 for PC1
> # iptables -t nat -A POSTROUTING -s $pc1 -j SNAT --to-source $ip_to_isp
> it works
>
> but when I'm trying to set SNAT for PC2
> # iptables -t nat -A POSTROUTING -s $pc2 -j SNAT --to-source $ip_to_isp
> it fails
>
> tcpdump -nl -i $ISP_eth
> shows that R1 forwards packets from PC2 to the outside world without NATing
> and at the same time packets from PC1 are NATed

Do the packets you're trying to NAT belong to a new connection
that is established by PC2?

Please post a tcpdump showing the problem and the relevant entries
from /proc/net/ip_conntrack.
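
The conntrack check requested above, as an added example (not part of the original thread and not netfilter project code): rules in the nat table are consulted only for the first packet of a connection, so an entry created before the SNAT rule was added keeps its un-NATed mapping. The function reads lines in /proc/net/ip_conntrack format and reports, for one source address, whether the reply tuple shows a translated address; the function name, the sample lines and all addresses are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/net/ip_conntrack format. Assumptions, not from the post:
#   192.168.1.10 = a host attached directly to R1, 192.168.2.20 = a host behind R2,
#   203.0.113.2  = R1's ISP-facing address ($ip_to_isp in the post).
SAMPLE='tcp      6 431990 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=1030 dport=80 src=198.51.100.7 dst=203.0.113.2 sport=80 dport=1030 [ASSURED] use=1
tcp      6 110 SYN_SENT src=192.168.2.20 dst=198.51.100.7 sport=1044 dport=80 [UNREPLIED] src=198.51.100.7 dst=192.168.2.20 sport=80 dport=1044 use=1
udp      17 25 src=192.168.2.20 dst=198.51.100.53 sport=1050 dport=53 src=198.51.100.53 dst=203.0.113.2 sport=53 dport=1050 use=1'

# snat_status ADDR: read conntrack lines on stdin and, for every entry whose
# original-direction source is ADDR, print "<proto> <src>-><dst> <verdict>".
# Each entry carries two tuples: original direction first, expected reply second.
# If the reply is addressed to the original source, no SNAT mapping was set up
# for that connection; otherwise the reply destination is the translated address.
snat_status() {
    awk -v want="$1" '
    {
        ns = 0; nd = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)      src[++ns] = substr($i, 5)
            else if ($i ~ /^dst=/) dst[++nd] = substr($i, 5)
        }
        # Skip malformed lines and entries that belong to other hosts.
        if (ns < 2 || nd < 2 || src[1] != want) next
        verdict = (dst[2] == src[1]) ? "NOT-NATED" : ("SNAT->" dst[2])
        print $1, src[1] "->" dst[1], verdict
    }'
}

# Run against the constructed sample. On a live router (2.6-era kernel) the
# input would be the file itself:  snat_status "$pc2" < /proc/net/ip_conntrack
printf '%s\n' "$SAMPLE" | snat_status 192.168.2.20
```

A NOT-NATED entry that predates the rule has to expire or be removed before new packets of that flow are evaluated against the nat table again.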