Source NAT
/dev/rob0
rob0 at gmx.co.uk
Sat Sep 3 22:29:54 CEST 2005
On Saturday 2005-September-03 14:28, ISC Jorge Ceron Galvan wrote:
> > > I currently have a situation that I am hoping iptables can
> > > resolve. The issue is that I need to NAT the source address based
> > > on the destination address. Is that possible with IPTables ?
> >
> > Trivial.
> >
> > > if dst = 1.1.1.1 src = 10.1.1.1
> >
> > iptables -vt nat -A POSTROUTING -d 1.1.1.1 -j SNAT --to 10.1.1.1
>
> why -vt?
>
> this rule confused me, I'm a beginner;
All the more reason to RTFM, as previously suggested. Hint: the -v
option to iptables does the same thing as does the -v option to most
other command line programs.
> what about
>
> iptables -t nat -A POSTROUTING -s 10.1.1.1/24 -j SNAT --to 1.1.1.1
This is not what the OP said was wanted. That is SNAT based on the
source address, not the destination.
> iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.1/24 -j SNAT --to
> 1.1.1.1
Same thing, with the additional specification of output interface. You
can, of course, specify more matching options to limit the packets
selected by the rule. It *is* common to limit SNAT based upon source
address too.
> > > Can anyone give me any advice on completing that?
> >
> > "man iptables"
> >
> > Order matters. If you have a catchall SNAT rule before the specific
> > destination ones, the catchall is the one used.
> >
> > NAT != routing. If your SNAT'ed IP addresses need to go out
> > different interfaces, this won't work. See the LARTC HOWTO.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
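Added example (not from the thread): a small shell script that emits the nat table in iptables-restore format with the destination-specific SNAT rules placed before the catchall, plus a first-match lookup that mirrors netfilter's top-down rule evaluation, so the effect of rule order described above can be checked without root. The 1.1.1.1/10.1.1.1 pair and eth0 come from the thread; 2.2.2.2, 10.1.1.2 and the catchall source 10.1.1.254 are constructed.

```shell
#!/bin/sh
# Destination-based SNAT map: "<dst> <new-src>" pairs (constructed sample).
SNAT_MAP="1.1.1.1 10.1.1.1
2.2.2.2 10.1.1.2"
CATCHALL_SRC="10.1.1.254"   # constructed: source used for every other destination
OUT_IF="eth0"

# Print the nat table for 'iptables-restore'. The specific -d rules come
# first; a catchall placed before them would be matched instead ("Order matters").
nat_table() {
    printf '%s\n' '*nat'
    printf '%s\n' "$SNAT_MAP" | while read -r dst src; do
        [ -n "$dst" ] || continue
        printf '%s\n' "-A POSTROUTING -o $OUT_IF -d $dst -j SNAT --to-source $src"
    done
    printf '%s\n' "-A POSTROUTING -o $OUT_IF -j SNAT --to-source $CATCHALL_SRC"
    printf '%s\n' 'COMMIT'
}

# First-match lookup: which source address would the table above give a
# packet sent to destination $1? Stops at the first matching rule, exactly
# as netfilter walks the POSTROUTING chain; falls through to the catchall.
snat_source_for() {
    _hit=$(printf '%s\n' "$SNAT_MAP" | while read -r dst src; do
        if [ "$dst" = "$1" ]; then printf '%s\n' "$src"; break; fi
    done)
    if [ -n "$_hit" ]; then
        printf '%s\n' "$_hit"
    else
        printf '%s\n' "$CATCHALL_SRC"
    fi
}

# Usage: nat_table | iptables-restore   (as root), or just inspect it:
nat_table
snat_source_for 1.1.1.1
snat_source_for 9.9.9.9
```

The lookup only handles exact destination addresses, not prefixes; a real chain can of course match on CIDR ranges, ports and interfaces as well.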