DNAT mangles source address too?

Linus Flannagan linusf@netservices.eng.net
Mon, 17 Apr 2000 10:58:21 +0100 (BST)


Hello.  I have a test box ["netbox"] (Red Hat 6.2, kernel 2.3.99pre5,
iptables 1.0.0) with two network interfaces: eth0 ["inside"] with IP
10.0.0.1 mask /8, eth1 ["outside"] with IP 192.168.219.1 mask /24.

I want to do port forwarding from the outside to specific machines and
ports on the inside.  To start with, I have the simplest possible DNAT
configuration(?), which allows all machines on the outside to see all
ports and protocols from the machine 10.0.130.5 at 192.168.219.3:

   iptables -t nat -F PREROUTING
   iptables -t nat -A PREROUTING -d 192.168.219.3 -j DNAT --to-d 10.0.130.5

This works except that, to my surprise, 10.0.130.5 sees all its
connections coming from 10.0.0.1, and has no idea of the source IP of the
original traffic.  Is this the correct behavior?

In order for logfiles on the internal machines to be of any use, I would
prefer if netbox would refrain from mangling the source addresses of
DNATed packets when it sends them out on eth0.  Is there a way to stop
this happening?  Assume that all inside machines will have 10.0.0.1 as
default gateway, so the opportunity to demangle will still be available.

If I really wanted source NATing as well, I don't see why I shouldn't be
required to add something like:

    iptables -t nat -F POSTROUTING
    iptables -t nat -A POSTROUTING -d 10.0.130.5 -j SNAT --to-s 10.0.0.1

in addition to the above.  Am I missing something?

./linus
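A small model of how the nat table is documented to treat the two rulesets in the post above (an added example, not from the original message or from netfilter itself): DNAT in PREROUTING rewrites only the destination address, the source changes only when a POSTROUTING SNAT rule matches, and connection tracking reverses whatever was applied on the reply path. The outside client 192.168.219.50 is a constructed address.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    chain: str      # "PREROUTING" or "POSTROUTING"
    match_dst: str  # the rule's -d argument
    target: str     # "DNAT" or "SNAT"
    to: str         # --to-destination or --to-source address

# The post's first ruleset: DNAT alone.
DNAT_ONLY = [Rule("PREROUTING", "192.168.219.3", "DNAT", "10.0.130.5")]
# The post's second ruleset: DNAT plus an explicit POSTROUTING SNAT.
DNAT_AND_SNAT = DNAT_ONLY + [Rule("POSTROUTING", "10.0.130.5", "SNAT", "10.0.0.1")]

def apply_chain(chain, rules, pkt):
    """First matching rule in the chain wins. DNAT touches only the
    destination address, SNAT only the source address."""
    for r in rules:
        if r.chain != chain or r.match_dst != pkt.dst:
            continue
        return replace(pkt, dst=r.to) if r.target == "DNAT" else replace(pkt, src=r.to)
    return pkt  # no rule matched: the address pair is left as it was

def forward(rules, pkt):
    """Packet arriving on eth1 from the outside: PREROUTING runs before the
    routing decision, POSTROUTING after it. Returns what 10.0.130.5 sees."""
    return apply_chain("POSTROUTING", rules, apply_chain("PREROUTING", rules, pkt))

def untranslate_reply(original, translated, reply):
    """Connection tracking reverses every mapping on the return path, so the
    outside client sees the reply come from 192.168.219.3 whether or not
    SNAT was applied on the way in. Returns None for an unknown reply."""
    if reply != Packet(src=translated.dst, dst=translated.src):
        return None
    return Packet(src=original.dst, dst=original.src)

if __name__ == "__main__":
    client = Packet("192.168.219.50", "192.168.219.3")  # constructed outside client
    for name, rules in (("DNAT only", DNAT_ONLY), ("DNAT + SNAT", DNAT_AND_SNAT)):
        seen = forward(rules, client)
        back = untranslate_reply(client, seen, Packet(seen.dst, seen.src))
        print(f"{name:12s} inside host sees {seen}; outside gets reply {back}")
```

With the DNAT-only ruleset the inside host keeps seeing the real client address, so a source of 10.0.0.1 points at some other rule (or masquerading) acting in POSTROUTING, which `iptables -t nat -L POSTROUTING -n -v` will list.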