is it possible to nat to the routed IP?
Zhen Zhou
zhouzhenzj at gmail.com
Sun Dec 17 11:08:12 CET 2006
On 12/16/06, Pascal Hambourg <pascal.mail at plouf.fr.eu.org> wrote:
> Hello,
>
> Rob Sterenborg wrote:
> >>>
> >>>$ipt -t nat -A PREROUTING -d 210.153.22.y -p tcp --dport 80 \
> >>>    -j DNAT --to 192.168.2.208
> >
> >Zhen Zhou wrote:
> >>
> >>Now another issue has popped up:
> >>
> >>210.153.22.x is the Internet gateway IP, 210.153.22.y is a public IP for
> >>publishing 192.168.3.208. Of course, traffic from the Internet to 192.168.3.208
> >>goes through 210.153.22.y. But on the other hand, all the traffic
> >>from 192.168.3.208 to the outside goes out via 210.153.22.x; could it
> >>possibly go via 210.153.22.y under some protocols? How do I
> >>configure that?
>
> Insert this kind of rule before the generic SNAT rule:
>
> $ipt -t nat -A POSTROUTING -o <interface> -s 192.168.2.208 -p <proto> \
> [--dport <port>] -j SNAT --to 210.153.22.y
>
> [...]
> > A http connection is made to the server at destination port 80/tcp.
> > [...] So, return packets are coming from source port 80/tcp.
> > I think this is what you want:
> >
> > $ipt -t nat -A POSTROUTING -s 192.168.2.208 -p tcp --sport 80 \
> >     -j SNAT --to 210.153.22.y
>
> This rule is useless to handle HTTP return packets. Return packets are
> in the ESTABLISHED state and don't traverse the 'nat' chains.
>
> > Packets from 192.168.2.208:80 are SNAT-ed to 210.153.22.y
>
> Yes, but not because of this SNAT rule but because of the DNAT rule
> above and because stateful DNAT does implicit SNAT on return packets.
>
Thanks for your help, but the issue is still there, so I am posting the
iptables rules I added to the system so we can analyze where the
issue is:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state NEW -d 192.168.3.208 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -d 210.153.22.y -p tcp --dport 80 -j DNAT --to 192.168.3.208
iptables -t nat -A POSTROUTING -o 210.153.22.y -s 192.168.3.208 -p tcp --sport 80 -j SNAT --to 210.153.22.y
I assign:
ip addr add 210.153.22.y dev eth1 label eth1:1
On the other hand, I want to track the network connections when I access
some web sites, but nothing shows up via:
netstat -ant | grep 192.168.3.208
Nothing at all.
Maybe eth1:1 can't be seen this way? Is that it?
Maybe that is the issue, but I can't find any idea how to deal with it. Any tips? TIA
Zhou
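An added example, not from anyone in this thread: the gateway ruleset as the discussion above implies it should look, emitted as text so it can be reviewed before being applied. It assumes eth1 is the public interface carrying both the primary address 210.153.22.x and the alias 210.153.22.y (eth1:1), and that 192.168.3.208 is the web server; the interface and address values are the thread's placeholders.

```shell
#!/bin/sh
# Example gateway NAT ruleset (added illustration, not the poster's config).
# DRY_RUN=1 (default) prints the rules in order; DRY_RUN=0 runs iptables.
DRY_RUN="${DRY_RUN:-1}"
WAN_IF="eth1"            # assumed public interface (eth1:1 is just a label on it)
GW_IP="210.153.22.x"     # gateway's primary public IP (placeholder from the thread)
PUB_IP="210.153.22.y"    # alias IP that publishes the web server
SRV_IP="192.168.3.208"   # internal web server

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Inbound: DNAT the published IP to the server. Conntrack records the
# mapping, so the server's replies are translated back to PUB_IP by the
# same entry; no POSTROUTING rule matching --sport 80 is needed for them.
dnat_rule() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUB_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SRV_IP"
}

# Outbound: connections the server itself opens. -o takes an interface
# name, not an address, so "-o 210.153.22.y" is read as an interface name
# that never matches. This rule must precede the generic SNAT rule, because
# the first matching nat rule decides the mapping for a new connection.
snat_server_rule() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$SRV_IP" \
        -j SNAT --to-source "$PUB_IP"
}

snat_generic_rule() {
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$GW_IP"
}

forward_rules() {
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -d "$SRV_IP" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
}

apply_all() {
    forward_rules; dnat_rule; snat_server_rule; snat_generic_rule
}

# netstat on the gateway only lists the gateway's own sockets; forwarded
# flows live in the connection-tracking table, so look there instead.
show_server_flows() {
    conntrack -L 2>/dev/null | grep "$SRV_IP" \
        || grep "$SRV_IP" /proc/net/ip_conntrack 2>/dev/null
}

apply_all
```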