Networking Forums

iptables SNAT and DNAT on same packets

 
 
chris-usenet@roaima.co.uk
      06-30-2005, 01:52 PM
Hi folks,

I'm trying to create a NAT box that will rewrite both source and
destination IP addresses for certain traffic streams. According to
various bits of documentation that I can find, I should be able to
apply a DNAT rule and an SNAT rule to the same packets. Unfortunately
it doesn't appear to work for me.

Problem:
Client cannot directly reach server

Solution:
Use intermediate NAT box on a network that can see both client
and server

Detail:
Client: 10.1.20.24
NAT box: 10.1.77.3 - but see notes (below)
Server: 10.7.9.1

The NAT box has a "real" IP address 10.1.1.106, is running as a bridge
(as configured with brctl), and in this scenario has a preferred
target IP address 10.1.77.3 assigned to br0:3

All networks are using 16 bit netmask (255.255.0.0), so 10.1 is a
different network to 10.7

NAT box configuration:

# Rewrite NAT Box destination address to that of the real Server
#
iptables -A PREROUTING -t nat -d 10.1.77.3 -j DNAT --to-destination 10.7.1.9

# Rewrite Client source address to that of the NAT Box
#
iptables -A POSTROUTING -t nat -d 10.7.1.9 -j SNAT --to-source 10.1.77.3

Result:
Running tcpdump on the target shows that the client's packets are
arriving, so the DNAT rule has worked. Unfortunately the packets
have the client's IP address, so the SNAT rule has failed.

Suggestions anyone, please?

Thanks,
Chris
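The combination the post relies on is that PREROUTING runs before the routing decision and POSTROUTING after it, so the SNAT rule's `-d` match is evaluated against the destination DNAT has already written, and conntrack reverses both translations on the reply. The following is an added example, not the poster's code or anything from the kernel: a small Python model of those two nat-table hooks, loaded with the two rules as they appear in the post (the rules use 10.7.1.9 for the server, so the model does too). It also runs a constructed contrast case, a POSTROUTING rule that matches the address the client originally sent to, to show why such a rule never fires. The hook ordering and conntrack behaviour are modelled as assumptions, not taken from kernel code.

```python
"""Trace of a packet through the nat table with the two rules from the post.

Added example (not the author's code): a pure-Python model of the iptables nat
table used to reason about how DNAT in PREROUTING and SNAT in POSTROUTING apply
to the same flow. The hook ordering and conntrack reversal are assumptions of
this model, not a kernel implementation.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    chain: str    # "PREROUTING" (before routing) or "POSTROUTING" (after routing)
    dst: str      # the -d match, as an address or CIDR
    target: str   # "DNAT" or "SNAT"
    to: str       # --to-destination / --to-source address


def matches(rule, pkt):
    return ip_address(pkt.dst) in ip_network(rule.dst, strict=False)


class NatTable:
    def __init__(self, rules):
        self.rules = rules
        # conntrack: original (src, dst) -> translated (src, dst)
        self.conntrack = {}

    def _run_chain(self, chain, pkt):
        # The nat table is consulted for the first packet of a connection only,
        # and a DNAT/SNAT target ends the traversal of that chain.
        for rule in self.rules:
            if rule.chain != chain or not matches(rule, pkt):
                continue
            if rule.target == "DNAT":
                return replace(pkt, dst=rule.to)
            if rule.target == "SNAT":
                return replace(pkt, src=rule.to)
            raise ValueError(f"unsupported target {rule.target}")
        return pkt

    def forward(self, pkt):
        """Return the packet as it leaves the box, plus a per-hook trace."""
        trace = {"in": pkt}
        after_pre = self._run_chain("PREROUTING", pkt)
        trace["PREROUTING"] = after_pre
        # the routing decision happens here, on the already-rewritten dst
        out = self._run_chain("POSTROUTING", after_pre)
        trace["POSTROUTING"] = out
        self.conntrack[(pkt.src, pkt.dst)] = (out.src, out.dst)
        return out, trace

    def reply(self, pkt):
        """Reverse both translations for a reply that matches a conntrack entry."""
        for (osrc, odst), (nsrc, ndst) in self.conntrack.items():
            if pkt.src == ndst and pkt.dst == nsrc:
                return replace(pkt, src=odst, dst=osrc)
        return pkt  # no entry: the reply passes untranslated


# Rules as given in the post: DNAT on the NAT box's service address, then SNAT
# matched on the server address that DNAT has already written in.
RULES_FROM_POST = [
    Rule("PREROUTING", "10.1.77.3", "DNAT", "10.7.1.9"),
    Rule("POSTROUTING", "10.7.1.9", "SNAT", "10.1.77.3"),
]

# Constructed contrast case: matching POSTROUTING on the address the client sent
# to. It never fires, because DNAT replaced that address before routing.
RULES_MATCHING_PRE_DNAT_DST = [
    Rule("PREROUTING", "10.1.77.3", "DNAT", "10.7.1.9"),
    Rule("POSTROUTING", "10.1.77.3", "SNAT", "10.1.77.3"),
]


def demo(rules):
    """Send one packet from the client, then a reply from the server."""
    nat = NatTable(rules)
    out, trace = nat.forward(Packet("10.1.20.24", "10.1.77.3"))
    # Whether the server can actually route a reply to out.src is the routing
    # question from the thread; the model just assumes the reply arrives.
    back = nat.reply(Packet(out.dst, out.src))
    return out, back, trace


if __name__ == "__main__":
    for name, rules in (("post", RULES_FROM_POST), ("contrast", RULES_MATCHING_PRE_DNAT_DST)):
        out, back, trace = demo(rules)
        print(name)
        for hook, p in trace.items():
            print(f"  {hook:12} {p.src} -> {p.dst}")
        print(f"  reply seen by client: {back.src} -> {back.dst}")
```

With the post's rules the packet leaves as 10.1.77.3 -> 10.7.1.9 and the server's reply is rewritten back to 10.1.77.3 -> 10.1.20.24, which is the behaviour the documentation the poster read describes; in the contrast case the source address is left untouched, which is what a mis-matched SNAT rule looks like on the wire.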
 
chris-usenet@roaima.co.uk
      07-01-2005, 06:30 PM
In uk.comp.os.linux chris-(E-Mail Removed) wrote:
> I'm trying to create a NAT box that will rewrite both source and
> destination IP addresses for certain traffic streams.


> iptables -A PREROUTING -t nat -d 10.1.77.3 -j DNAT --to-destination
> 10.7.1.9


> iptables -A POSTROUTING -t nat -d 10.7.1.9 -j SNAT --to-source
> 10.1.77.3


As much as I hate following up my own post, apparently the reason it
doesn't work is because I'm running a 2.6.12.1 kernel. The rules work
perfectly under 2.6.10.

Chris
 
gg-csf@dmztest.vsr.ambisys.net
      07-02-2005, 12:20 AM
Hmmm...

chris-(E-Mail Removed) wrote:
> In uk.comp.os.linux chris-(E-Mail Removed) wrote:
> As much as I hate following up my own post, apparently the reason it
> doesn't work is because I'm running a 2.6.12.1 kernel. The rules work
> perfectly under 2.6.10.


I'm not sure what's going on there, but one thing you might do is
insert LOG rules into the POSTROUTING chain to see what the packets
look like before and after your SNAT rule. Also what does "ip route
show" give you?

G

 
chris-usenet@roaima.co.uk
      07-04-2005, 09:54 AM
I wrote:
> Apparently the reason it [iptables SNAT/DNAT] doesn't work is because
> I'm running a 2.6.12.1 kernel. The rules work perfectly under 2.6.10.



In comp.os.linux.networking gg-(E-Mail Removed) wrote:
> I'm not sure what's going on there, but one thing you might do is
> insert LOG rules into the POSTROUTING chain to see what the packets
> look like before and after your SNAT rule.


DNAT and SNAT rewrites both terminate the processing chain, so it's not
possible to log the packet addresses this way. However, what I had done
before posting is to use a number of tcpdump processes to watch what
was going on.

Here are the rules (for brevity, I've omitted some fields, which in all
cases are: prot=all, opt=--, in=*, out=*):

| Chain PREROUTING (policy ACCEPT 81366 packets, 17M bytes)
| pkts bytes target source destination
| 0 0 DNAT 0.0.0.0/0 10.1.1.105 to:192.168.130.103
|
| Chain POSTROUTING (policy ACCEPT 15975 packets, 5766K bytes)
| pkts bytes target source destination
| 44229 7144K ACCEPT 10.0.0.0/8 10.0.0.0/8
| 2645 164K SNAT 192.168.128.0/21 0.0.0.0/0 to:10.1.1.105

There are three boxes C (client), N (nat box), S (server). Pinging S
from C via N shows that C's source IP address is present, but the packet
has been correctly routed to S. Obviously the replies then go AWOL
because S can't route to C. The same happens for non-ICMP traffic.


> Also what does "ip route show" give you?


| 192.168.133.14 dev tun0 proto kernel scope link src 192.168.133.13
| 192.168.128.0/21 via 192.168.133.14 dev tun0
| 10.1.0.0/16 dev br0 proto kernel scope link src 10.1.1.106
| default via 10.1.254.254 dev br0

To give you the context, C is on the network 192.168.128.0/21, and S is
on 10.1.0.0/16

Chris
 
gg-csf@dmztest.vsr.ambisys.net
      07-04-2005, 04:48 PM
Hello,

chris-(E-Mail Removed) wrote:
> Here are the rules (for brevity, I've omitted some fields, which in all
> cases are: prot=all, opt=--, in=*, out=*):
>
> | Chain PREROUTING (policy ACCEPT 81366 packets, 17M bytes)
> | pkts bytes target source destination
> | 0 0 DNAT 0.0.0.0/0 10.1.1.105 to:192.168.130.103


Well, that's kind of interesting. Apparently the DNAT rule isn't being
triggered at all. Are you using 10.1.1.105 as the destination address
from C? That would at least account for the correct routing to S.


> | Chain POSTROUTING (policy ACCEPT 15975 packets, 5766K bytes)
> | pkts bytes target source destination
> | 44229 7144K ACCEPT 10.0.0.0/8 10.0.0.0/8
> | 2645 164K SNAT 192.168.128.0/21 0.0.0.0/0 to:10.1.1.105


On the other hand, the SNAT rule is being triggered. Kind of weird, eh?
I don't suppose you have ebtables mixed into this?

G
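The observation above comes straight from the packet counters: a nat rule that shows 0 packets has never matched. Reading those counters is a quicker first check than LOG rules, because the nat table is only consulted for the first packet of each connection and a NAT target ends the chain. The following is an added example, not code from either poster: it parses the output of `iptables -t nat -L -v -n` and lists rules whose packet counter is zero. The sample listing is constructed from the counters quoted in the thread, with the columns the poster omitted (prot, opt, in, out) put back in the layout iptables prints.

```python
"""Flag nat-table rules whose packet counters are zero.

Added example (not from the thread): parses `iptables -t nat -L -v -n` output
and lists rules that have never matched. SAMPLE is constructed from the
counters quoted in the thread, with the omitted columns restored.
"""
import re

SAMPLE = """\
Chain PREROUTING (policy ACCEPT 81366 packets, 17M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            10.1.1.105           to:192.168.130.103

Chain POSTROUTING (policy ACCEPT 15975 packets, 5766K bytes)
 pkts bytes target     prot opt in     out     source               destination
44229 7144K ACCEPT     all  --  *      *       10.0.0.0/8           10.0.0.0/8
 2645  164K SNAT       all  --  *      *       192.168.128.0/21     0.0.0.0/0            to:10.1.1.105
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}
_CHAIN = re.compile(r"Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")


def counter(tok):
    """Turn an iptables counter such as '7144K' into an integer."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"not a counter: {tok!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_nat_listing(text):
    """Return {chain: {"policy", "pkts", "bytes", "rules": [rule dicts]}}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CHAIN.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "pkts": counter(m.group(3)),
                               "bytes": counter(m.group(4)), "rules": []}
            continue
        if line.startswith("pkts bytes"):
            continue  # column header line
        if current is None:
            raise ValueError(f"rule line before any chain header: {line!r}")
        f = line.split()
        if len(f) < 9:
            raise ValueError(f"short rule line: {line!r}")
        # pkts bytes target prot opt in out source destination [options...]
        chains[current]["rules"].append({
            "pkts": counter(f[0]), "bytes": counter(f[1]), "target": f[2],
            "prot": f[3], "in": f[5], "out": f[6], "source": f[7],
            "destination": f[8], "options": " ".join(f[9:]),
        })
    return chains


def never_matched(text):
    """(chain, rule number, target, options) for each rule with a zero packet count.

    Caveat: the nat table counts only the first packet of a connection, so a
    rule that is not incrementing while traffic flows may simply be serving
    connections that conntrack already knows about.
    """
    hits = []
    for chain, info in parse_nat_listing(text).items():
        for i, r in enumerate(info["rules"], 1):
            if r["pkts"] == 0:
                hits.append((chain, i, r["target"], r["options"]))
    return hits


if __name__ == "__main__":
    for chain, idx, target, opts in never_matched(SAMPLE):
        print(f"{chain} rule {idx} ({target} {opts}) has matched 0 packets")
```

On the sample this reports only the PREROUTING DNAT rule, which is the same conclusion drawn above. To use it on a live box, pipe the listing in: `iptables -t nat -L -v -n | python3 thisfile.py` with `SAMPLE` replaced by `sys.stdin.read()`.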

 
chris-usenet@roaima.co.uk
      07-05-2005, 07:48 AM
> | Chain PREROUTING (policy ACCEPT 81366 packets, 17M bytes)
> | pkts bytes target source destination
> | 0 0 DNAT 0.0.0.0/0 10.1.1.105 to:192.168.130.103


In comp.os.linux.networking gg-(E-Mail Removed) wrote:
> Well, that's kind of interesting. Apparently the DNAT rule isn't being
> triggered at all. Are you using 10.1.1.105 as the destination address
> from C? That would at least account for the correct routing to S.


Yes, that's correct. A, on network 192.168.128/21, knows that to get to
C on network 10.1.0.0/16 it has to go via the NAT box B. But S doesn't
know about the 192.168.128/21 network, hence the need for SNAT.


> | Chain POSTROUTING (policy ACCEPT 15975 packets, 5766K bytes)
> | pkts bytes target source destination
> | 44229 7144K ACCEPT 10.0.0.0/8 10.0.0.0/8
> | 2645 164K SNAT 192.168.128.0/21 0.0.0.0/0 to:10.1.1.105


> On the other hand, the SNAT rule is being triggered. Kind of weird, eh?


No, that's actually a misnomer. It was a cut'n'paste job from a working
kernel (remember my followup that said I'd heard it was a kernel fault
with the 2.6.12 series). When running with a 2.6.12.1 kernel there are
no matched packets for either the DNAT or SNAT rules.


> I don't suppose you have ebtables mixed into this?


No, I'm not running ebtables :-) There is bridging, though, (again,
like I mentioned at the start), which is why I've got that weird looking
rule 1 in the POSTROUTING chain.

Chris
 
chris-usenet@roaima.co.uk
      07-08-2005, 09:19 AM
In uk.comp.os.linux chris-(E-Mail Removed) wrote:
> I'm trying to create a NAT box that will rewrite both source and
> destination IP addresses for certain traffic streams.


In comp.os.linux.networking chris-(E-Mail Removed) wrote:
> As much as I hate following up my own post, apparently the reason it
> doesn't work is because I'm running a 2.6.12.1 kernel. The rules work
> perfectly under 2.6.10.


And there's a patch which appears to make the thing work properly
again, at
http://kerneltrap.org/mailarchive/1/...es_per_page=10

Chris
 