
I have a gateway machine with 2 NICs: eth0 with a public IP and eth1 with a private IP.

On eth0 I have 4 public IPs aliased. I wanted to NAT the public IPs to private IPs and I used DNAT to do that using iptables.

1.1.1.2 -> 10.10.10.2
1.1.1.3 -> 10.10.10.3
1.1.1.4 -> 10.10.10.4

Rules

-A PREROUTING -d 1.1.1.2 -p tcp -j DNAT --to-destination 10.10.10.2
-A PREROUTING -d 1.1.1.3 -p tcp -j DNAT --to-destination 10.10.10.3
-A PREROUTING -d 1.1.1.4 -p tcp -j DNAT --to-destination 10.10.10.4

and now I am able to reach the internal IPs with DNAT, but not able to connect to the external network from these private IPs.

How can I achieve that? Can SNAT be done for multiple IPs?

kevin
  • How are you DNATing at the moment? `iptables` or SOHO router firmware or what? – gevial Mar 26 '13 at 10:26
  • Sorry for not mentioning that; I used iptables and updated the question with that. – kevin Mar 26 '13 at 10:29
  • Please add to the question your `iptables` rules. – gevial Mar 26 '13 at 10:30
  • @slimsuperhero I am able to access the internal network using the public IP, but I am not able to access anything from those machines. How can I specify that traffic from 10.10.10.2 should be NATed to 1.1.1.2? – kevin Mar 26 '13 at 10:40

2 Answers


It seems that you forgot to add a masquerade rule.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This is a kind of SNAT. It replaces the source LAN IP with the router's external IP in packets originating on LAN machines. Thus, external machines know where to send the reply packets.

gevial
  • Wow, thanks a lot, it worked :) Without this rule, when a private IP makes a request to an external connection it will reach the gateway with its own private IP, as there is no masquerade rule, and the packet couldn't go further; is that so? But I don't know how masquerade fixes this; could you please explain it so that I can understand it better. – kevin Mar 26 '13 at 11:17
  • Without masquerading, the source IP in the packet header remains local. The external host gets it, but it couldn't send responses because local IPs are not routable on the Internet. – gevial Mar 26 '13 at 11:45
  • Thanks :), but there should be some other way to do this other than MASQUERADE, using SNAT instead. Is that possible in this case? – kevin Mar 26 '13 at 11:54
  • Definitely not. If you do not masquerade/SNAT, the remote host could not respond. – gevial Mar 26 '13 at 12:17
  • Do you have any idea about solving this with SNAT? There are multiple private IPs and public IPs; how can SNAT be used in this case? – kevin Mar 26 '13 at 12:22
  • Just set it like @pupkinsen said. Four SNAT rules. – gevial Mar 26 '13 at 13:04

I guess it can be done. Just specify -s <int ip> and --to-source <ext ip>

# POSTROUTING rules match on the outgoing interface (-o); iptables rejects -i in this chain
iptables -t nat -A POSTROUTING -s 10.10.10.2 -o eth0 -j SNAT --to-source 1.1.1.2

pupkinsen
    Connection tracker should automatically SNAT outgoing packets with only DNAT rules present. However, adding rules you stated explicitly may fix the issue. – gevial Mar 26 '13 at 10:35
  • Conntrack maintains the established connections afaik. New connections need explicit rules. – pupkinsen Mar 26 '13 at 11:33
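The two answers above converge on the same design: one DNAT rule per public address for inbound traffic and one matching SNAT rule per private host for outbound traffic, so that each host leaves through its own public IP instead of the interface's primary address (which is what MASQUERADE would use). The script below is an added example, not code from either answer or from the thread's authors. It assumes the interface names eth0 (WAN) and eth1 (LAN) and the three address pairs from the question, and it only generates and lints iptables-restore text; it does not touch the running firewall. It also adds the FORWARD-chain rules and the lint check that the answers do not show, since DNAT/SNAT only take effect on packets the filter table lets through.

```shell
#!/bin/sh
# Added example (not from the original thread): build a complete 1:1 NAT
# ruleset for the gateway in the question, in iptables-restore format.
# Assumptions: WAN is eth0, LAN is eth1, and the public/private pairs below
# are the ones from the question. Nothing here changes the live firewall;
# review the output first, then load it with:  sh nat.sh --print | iptables-restore -n

WAN_IF=eth0
LAN_IF=eth1

# One "public private" pair per line (constructed from the question).
NAT_MAP='1.1.1.2 10.10.10.2
1.1.1.3 10.10.10.3
1.1.1.4 10.10.10.4'

# nat table: DNAT inbound traffic to the private host, and a matching SNAT so
# that host's outbound traffic leaves with its own public address.
# SNAT lives in POSTROUTING and must match the *outgoing* interface (-o);
# iptables refuses -i in that chain.
nat_table() {
  echo '*nat'
  echo "$NAT_MAP" | while read -r pub priv; do
    [ -n "$pub" ] || continue
    echo "-A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
    echo "-A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
  done
  echo 'COMMIT'
}

# filter table: NAT does nothing if FORWARD drops the packet. Replies to
# existing flows pass both ways; new flows pass from LAN to WAN, and new
# inbound flows only to the DNAT targets, on TCP as in the question's rules.
filter_table() {
  echo '*filter'
  echo ':FORWARD DROP [0:0]'
  echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
  echo "$NAT_MAP" | while read -r pub priv; do
    [ -n "$pub" ] || continue
    echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $priv -p tcp -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo 'COMMIT'
}

nat_ruleset() {
  nat_table
  filter_table
}

# Lint: flag rules iptables itself would refuse, i.e. -i in POSTROUTING or
# -o in PREROUTING. The argument is a function that prints rules.
# Returns 0 when the ruleset is clean, 1 otherwise.
lint_ruleset() {
  if "$@" | grep -E -- '^-A POSTROUTING .*-i |^-A PREROUTING .*-o ' >/dev/null; then
    return 1
  fi
  return 0
}

# The SNAT rule as originally posted in the second answer (with -i), kept only
# so the lint can show why iptables would reject it.
posted_rule() {
  echo '-A POSTROUTING -s 10.10.10.2 -i eth1 -j SNAT --to-source 1.1.1.2'
}

# Number of SNAT rules generated: one per mapping.
count_snat() {
  nat_table | grep -c -- '-j SNAT'
}

if [ "${1:-}" = "--print" ]; then
  nat_ruleset
fi
```

Two practical notes: packet forwarding must be enabled on the gateway (`net.ipv4.ip_forward=1`) or neither the DNAT nor the SNAT rules will see forwarded traffic, and the single MASQUERADE rule from the first answer is the quicker fix when it does not matter which public address the LAN hosts appear from; the per-host SNAT rules are what you need when 10.10.10.2 must be seen as 1.1.1.2 and so on.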