Writing a POSTROUTING SNAT rule

Frank Bulk frnkblk at iname.com
Wed Nov 1 13:49:33 CET 2006 

I'm try again, as nobody tackled this one the first time around.

The problem I'm having is that a POSTROUTING SNAT rule I have sometimes
spits out packets with a source port. I don't claim it to be a bug, but I
googled around and I found this discussed in two different threads:
  http://marc.theaimsgroup.com/?l=netfilter&m=114303032503010&w=2
  http://lists.netfilter.org/pipermail/netfilter/2004-March/051044.html

The scenario: I have two DHCP servers, one with IP address a.b.c.22 and the
other with a.b.c.23.  These are set up in redundant form, such that if one
fails the other takes over.  The master and floating IP address, much like
VRRP, is a.b.c.24.  My DHCP relays point to this IP address.  

The DHCP response packets have been given a rule to replace their source
address from the .22 or .23 to the correct .24.  When the DHCP relay was
using a UDP src/dst port of 68/67 we had no problems, with just some of the
DHCP ACKs using a source port of 1.  That was marginally acceptable, but the
problem quick grew out of hand started when our DHCP relay started using a
UDP src/dst port of 67/67.  Now most DHCP Offers and ACKs have a source port
of 1.

The NAT table has this rule:
	-A POSTROUTING -s a.b.c.22 -p udp -m udp --sport 67 -j SNAT
--to-source a.b.c.24 


And here's the output of iptables-save:
# Generated by iptables-save v1.2.11 on Mon Oct 30 21:51:38 2006
*nat
:PREROUTING ACCEPT [692:279420]
:POSTROUTING ACCEPT [1696:186148]
:OUTPUT ACCEPT [2070:309673]
-A POSTROUTING -s a.b.c.22 -o eth0 -p udp -m udp --sport 67 -j SNAT
--to-source a.b.c.24 
COMMIT
# Completed on Mon Oct 30 21:51:38 2006

Here's the relevant portion of my ifconfig:

server1:~# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:E0:81:64:B2:B1  
          inet addr:a.b.c.22  Bcast:a.b.c.255  Mask:255.255.255.0
          inet6 addr: fe80::2e0:81ff:fe64:b2b1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:790809 errors:0 dropped:0 overruns:0 frame:0
          TX packets:263333 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:89577696 (85.4 Mb)  TX bytes:71876862 (68.5 Mb)
          Interrupt:20 Base address:0x7000 

eth0:0    Link encap:Ethernet  HWaddr 00:E0:81:64:B2:B1  
          inet addr:a.b.c.24  Bcast:a.b.c.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:20 Base address:0x7000 

Any ideas how to rewrite the POSTROUTING rule so that this works correctly?

Regards,

Frank

More information about the netfilter mailing list