Networking Forums


iptables/SNAT not working

 
 
Steffen Koepf
      01-31-2005, 04:48 PM
Hello,

I try to get SNAT working, but with no success.

The setup is:
Network A (eth1): 10.11.112.0/24 (Routed worldwide)
Network B (eth2): 192.168.21.0/24 (Private)

There is a laptop within Network B (192.168.21.52) that should
reach the world (www, telnet, ...).

I did on the Linux router:

/sbin/ip addr add 10.11.112.106 brd + dev eth1 label eth1:2

/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.21.52 -o eth1 -j SNAT --to 10.11.112.106

Used kernel is 2.6.10.
There is no other rule in iptables.
/proc/sys/net/ipv4/ip_forward contains a "1".

What happens is that packets from the laptop are routed out to the world
but keep the source address (and because of this, the answer never reaches the
router); the iptables rule never matches:

root@tkserv:/home/sk# iptables -L -n -x -v -t nat
Chain PREROUTING (policy ACCEPT 202 packets, 13260 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 61 packets, 7239 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 SNAT       all  --  *      eth1    192.168.21.52        0.0.0.0/0           to:10.11.112.106

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
root@tkserv:/home/sk#

Does someone know what's wrong and can help me?

Greetings,

Steffen

 
 
Vincent Jaussaud
      02-03-2005, 10:42 AM

> Chain POSTROUTING (policy ACCEPT 61 packets, 7239 bytes)
> pkts bytes target prot opt in out source destination
> 0 0 SNAT all -- * eth1 192.168.21.52 0.0.0.0/0 to:10.11.112.106


No packet matches your POSTROUTING rule. You should try to figure out why your
rule does not match; tcpdump is probably of great help in your case.
Investigate packet flow on both interfaces, and ensure your IP setup is ok.

I would think that somehow your laptop isn't using 192.168.21.52, and so is
never caught by the NAT rule.

Hope that helps.

--
Kelkoo Security Manager / Networks & Systems Architect
JID: (E-Mail Removed) / Vincent.Jaussaud.AT.kelkoo.DOT.net
Kelkoo.com --- GNU/Linux Powered
 
 
Steffen Koepf
      02-03-2005, 11:26 AM
> No packet matches your POSTROUTING rule. You should try to figure out why your
> rule does not match; tcpdump is probably of great help in your case.
> Investigate packet flow on both interfaces, and ensure your IP setup is ok.

> I would think that somehow your laptop isn't using 192.168.21.52, and so is
> never caught by the NAT rule.


Thank you for your help; in the meantime everything is working.
The netmask of the IP of the worldwide side was set up wrong.
I tested it with ping (ICMP) and it never worked. A worker
then tried the web and found out that it is working and called
me. I was surprised and thought it was something like an ICMP NAT
problem, checked everything and found the wrong netmask.
Now the pings work, too.

cu,

Steffen
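
An added example, not part of any post in this thread: shell functions for the two checks the thread turns on, a SNAT rule whose packet counter stays at 0 and the prefix length configured on the translated address. The function names are hypothetical and the `ip -o -4 addr show` sample is constructed; its /32 is an assumption (the thread does not say which mask was wrong; /32 is what `ip addr add` assigns when no prefix length is given).

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# POSTROUTING listing as posted in the thread.
SAMPLE_NAT='Chain POSTROUTING (policy ACCEPT 61 packets, 7239 bytes)
pkts bytes target prot opt in out source destination
0 0 SNAT all -- * eth1 192.168.21.52 0.0.0.0/0 to:10.11.112.106'

# Constructed `ip -o -4 addr show dev eth1` output. The primary address
# 10.11.112.1 and the /32 on the alias are assumptions.
SAMPLE_ADDR='3: eth1    inet 10.11.112.1/24 brd 10.11.112.255 scope global eth1
3: eth1    inet 10.11.112.106/32 brd 10.11.112.106 scope global eth1:2'

# stdin: `iptables -t nat -L -n -x -v` output.
# Prints "source -> snat_address" for each SNAT rule with a zero packet counter.
snat_unmatched() {
    awk '$3 == "SNAT" && $1 == 0 {
        for (i = 10; i <= NF; i++)
            if ($i ~ /^to:/) print $8 " -> " substr($i, 4)
    }'
}

# stdin: `ip -o -4 addr show` output. Prints the prefix length of address $1.
addr_prefix() {
    awk -v ip="$1" '$3 == "inet" {
        split($4, a, "/")
        if (a[1] == ip) print a[2]
    }'
}

# $1 = iptables listing, $2 = ip addr listing, $3 = expected prefix length.
check_snat() {
    printf '%s\n' "$1" | snat_unmatched | while read -r src arrow to; do
        plen=$(printf '%s\n' "$2" | addr_prefix "$to")
        if [ -z "$plen" ]; then
            echo "$src -> $to: 0 packets matched, address not configured"
        elif [ "$plen" != "$3" ]; then
            echo "$src -> $to: 0 packets matched, address is /$plen, expected /$3"
        else
            echo "$src -> $to: 0 packets matched, address is /$plen as expected"
        fi
    done
}

# Network A in the thread is 10.11.112.0/24, so 24 is the expected length.
check_snat "$SAMPLE_NAT" "$SAMPLE_ADDR" 24
```

On a live router the same functions take the output of `iptables -t nat -L -n -x -v` and `ip -o -4 addr show` in place of the sample strings.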

 