Using iptables SNAT based on source interface and ip address

I would like to change the source IP address according to the IP address and the interface a packet came in on. Let's consider the following example:

  -----------------------------
  |                            |
  |          host 1            |
  |                            |
  |        application         |
  |                            |
  |                    eth0    |
  -----------------------------
                         |
                         |  IP0-IP47
                         |
          -----------------------------
          |             eth0           |
          |         host 2             |
          |                            |
          |         NAT                |
          |                            |
          |  eth1.1   eth1.2  eth1.3   |
          -----------------------------
              |         |        |
              |         |        | 
         IP0-IP15   IP0-IP15   IP0-IP15

Host 2 is receiving messages on interfaces eth1.1, eth1.2, eth1.3. On each interface there are 16 hosts with 16 unique IP addresses, but these 16 IP addresses are the same on all interfaces. I need to do NAT so that the source IP is altered based on the source IP and the interface it came in on, in order to have 48 unique source IP addresses for messages going to the application.

The applications run on the bottom-most hosts and their IPs cannot be changed. That's why I decided to put them into VLANs.

I searched through various tutorials and HOWTOs but I was unable to find what I am looking for. The problem is: SNAT is usable only in POSTROUTING chain, but in POSTROUTING I do not have information about the interface it came in.

Am I right with my assumption? I am new to this network stuff so any help and advice would be helpful.

Thanks for your help.

user2063933

Posted 2013-02-12T08:45:04.550

Reputation: 31

Answers

Solved.

Since the destination for the packets was the machine on which the NAT ran, I couldn't use the POSTROUTING chain.

For others with the same problem: check the RAWNAT target in xtables-addons: http://manpages.ubuntu.com/manpages/karmic/man8/xtables-addons.8.html

It allows you to use stateless SNAT in PREROUTING. That was exactly what I was looking for. You just have to build the module and load it (e.g. with modprobe).

If you are implementing this, don't forget it is stateless NAT, so it will not do reverse NAT automatically as SNAT and DNAT do. Therefore you need to implement your own reverse NAT rules.

user2063933

Posted 2013-02-12T08:45:04.550

Reputation: 31

Probably you can do this:

  1. Mark packets coming from different interfaces with different numbers in PREROUTING:

    # one distinct mark per ingress VLAN interface
    sudo iptables -t nat -A PREROUTING -i eth1.<x> -j MARK --set-mark <choose_a_unique_number_per_interface>

  2. Use SNAT and the marks in POSTROUTING:

    # the (source address, mark) pair selects one of the 48 translated addresses
    sudo iptables -t nat -A POSTROUTING -s <iprange_of_eth1.<x>> -m mark --mark <number_given_to_eth1.<x>_at_the_time_of_prerouting> -j SNAT --to-source <an_ip_from_48_ipset>

harihardik

Posted 2013-02-12T08:45:04.550

Reputation: 111

This solution works fine for NAT with multiple external interfaces and one or multiple internal interfaces. – scai – 2016-11-17T13:41:39.817
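The mark-then-SNAT approach from the answer above, written out for the question's topology (3 VLANs x 16 hosts -> 48 unique addresses) as an added example; it is not code from either poster. The interface names, the 192.168.0.x inner range, the 10.0.0.x pool and the mark values are constructed assumptions, and the mark is set in the mangle table here rather than in nat.

```shell
#!/bin/sh
# Added example: generate the MARK + SNAT rules for the topology in the question.
# Constructed assumptions:
#   - the three VLAN interfaces are eth1.1, eth1.2, eth1.3
#   - every VLAN carries the same 16 hosts, 192.168.0.1 .. 192.168.0.16
#   - the 48 unique addresses seen by the application are 10.0.0.1 .. 10.0.0.48
#   - SNAT_CHAIN is POSTROUTING for forwarded traffic; set it to INPUT when the
#     application runs on the NAT host itself (nat INPUT chain exists since 2.6.36)
INNER_PREFIX=192.168.0
POOL_PREFIX=10.0.0
HOSTS_PER_VLAN=16
SNAT_CHAIN=${SNAT_CHAIN:-POSTROUTING}

# gen_rules prints the iptables commands instead of executing them, so the
# rule set can be reviewed first and then piped to sh as root.
gen_rules() {
    vlan=1
    while [ "$vlan" -le 3 ]; do
        iface="eth1.$vlan"
        mark=$vlan                       # one distinct fwmark per ingress VLAN
        # 1. Tag every packet by ingress interface in mangle PREROUTING.
        echo "iptables -t mangle -A PREROUTING -i $iface -j MARK --set-mark $mark"
        host=1
        while [ "$host" -le "$HOSTS_PER_VLAN" ]; do
            # 2. The (mark, source) pair selects one of the 48 pool addresses:
            #    eth1.N host i  ->  POOL_PREFIX.((N-1)*16 + i)
            pool_ip="$POOL_PREFIX.$(( (vlan - 1) * HOSTS_PER_VLAN + host ))"
            echo "iptables -t nat -A $SNAT_CHAIN -s $INNER_PREFIX.$host/32 -m mark --mark $mark -j SNAT --to-source $pool_ip"
            host=$((host + 1))
        done
        vlan=$((vlan + 1))
    done
}

# rule_count prints how many rules gen_rules emits (3 MARK + 48 SNAT = 51).
rule_count() { gen_rules | wc -l | tr -d ' '; }

# map_host <vlan> <host> prints the pool address that pair is translated to.
map_host() { echo "$POOL_PREFIX.$(( ($1 - 1) * HOSTS_PER_VLAN + $2 ))"; }

if [ "${1:-}" = "--print" ]; then gen_rules; fi
```

Run it with --print and pipe the output to sh as root after review; when the application lives on the NAT host itself, as in the question, packets are delivered locally and never reach POSTROUTING, so set SNAT_CHAIN=INPUT to place the SNAT rules in the nat table's INPUT chain instead.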