Selective SNAT using IPtables?

 
 
Justin Todd
      12-15-2005, 08:00 PM
I have a machine with 2 interfaces:

MachineX:
- eth0 192.168.9.2
- eth1 192.168.10.1

When I Ping 192.168.9.??? from MachineX, I want the receiver to believe
that the packet originated from 192.168.10.1, instead of .9.2.

However, if I forward a packet from eth1 to eth0 (say SRC: 192.168.10.99
DST: 192.168.9.222), I don't want any packet mangling to occur.

Is it possible to just SNAT packets originating from our local machine?

Regards,

Justin
 
Robert
      12-16-2005, 03:21 AM
On Thu, 15 Dec 2005 21:00:57 +0000, Justin Todd wrote:

> I have a machine with 2 interfaces:
>
> MachineX:
> - eth0 192.168.9.2
> - eth1 192.168.10.1
>
> When I Ping 192.168.9.??? from MachineX, I want the receiver to believe
> that the packet originated from 192.168.10.1, instead of .9.2.


Do you want all packets coming from .9.x to look like they are coming from
.10.1 or just pings?

> However, if I forward a packet from eth1 to eth0 (say SRC: 192.168.10.99
> DST: 192.168.9.222), I don't want any packet mangling to occur.
>
> Is it possible to just SNAT packets originating from our local machine?


I'm thinking Mangle but I need to know the above first.


--

Regards
Robert

Smile... it increases your face value!


prg
      12-16-2005, 04:36 AM


Justin Todd wrote:
> I have a machine with 2 interfaces:
>
> MachineX:
> - eth0 192.168.9.2
> - eth1 192.168.10.1
>
> When I Ping 192.168.9.??? from MachineX, I want the receiver to believe
> that the packet originated from 192.168.10.1, instead of .9.2.


Well, just for the purpose of ping, try the -I (that's "eye") option.
For traceroute, you can use -i or -s. Look at the man pages for
details.

> However, if I forward a packet from eth1 to eth0 (say SRC: 192.168.10.99
> DST: 192.168.9.222), I don't want any packet mangling to occur.
>
> Is it possible to just SNAT packets originating from our local machine?


It's not clear (entirely) what you want. You mean _all_ packets
originating from the local MachineX should have "what address"? You
don't say. It's more usual to have a router NAT private IPs into a
public IP space, i.e., the public IP of the NATing router.

It is possible but how you go about it will depend on what you are
trying to accomplish. No need to pull out the Abrams tank if a pea
shooter will do. Does this box have a default route? What's the
netmask of the networks? How will these packets get back to their
source (MachineX)? What is its function in the network? Is MachineX
offering any services or acting just as a router/firewall? Is this a
"border router"? Give us some idea what the goal is and the network
context.

Any help? :-)
prg

 