* RE: (newbie) SNAT woes
From: George Vieira @ 2003-08-07 22:53 UTC (permalink / raw)
To: Martin Djernaes, netfilter
What you've missed is that tcpdump and other utilities work on different layers and if I'm not wrong (hopefully not) it's seeing the packets before the SNAT.
Also, better to use MASQUERADE rather than SNAT for workstation access to the internet.
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
-----Original Message-----
From: Martin Djernaes [mailto:martin@djernaes.dk]
Sent: Friday, August 08, 2003 12:15 AM
To: netfilter@lists.netfilter.org
Subject: (newbie) SNAT woes
Hi,
I realise that you have seen mails like mine lots of times before, but I
have spent hours reading howtos and googling for some hint as to why my
very simple setup doesn't work.
I have a simple box which is just supposed to do normal NATing of outgoing
traffic so it uses the public IP address.
I thought that I had it all setup right (that was at least what I
understood from everything I read), so here is my nat table:
# iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 1774 packets, 193K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1443 packets, 77156 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    eth1    anywhere             anywhere            to:11.22.33.44

Chain OUTPUT (policy ACCEPT 317 packets, 23092 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now if I ping an external IP address from another box on the "inside" and
run "tcpdump -ni eth1" on the gateway box, I will see the source address
being unchanged! (and I don't get an icmp echo reply back).
So what did I miss? Isn't it just a one-liner to turn SNAT on?
Martin
* Re: (newbie) SNAT woes
From: Ramin Dousti @ 2003-08-07 23:08 UTC (permalink / raw)
To: George Vieira; +Cc: Martin Djernaes, netfilter
On Fri, Aug 08, 2003 at 08:53:21AM +1000, George Vieira wrote:
> Also, better to use MASQUERADE rather than SNAT for workstation access to the internet.
You use MASQUERADE if you have a dynamic IP; otherwise use SNAT, it's more
efficient.
Ramin
* RE: (newbie) SNAT woes
From: Martin Djernaes @ 2003-08-08 4:14 UTC (permalink / raw)
To: georgev; +Cc: martin, netfilter
Hi,
Some people have helped me off the list and even though it all looked
strange and I don't know what happened, it's working now!
> What you've missed is that tcpdump and other utilities work on different
> layers and if I'm not wrong (hopefully not) it's seeing the packets
> before the SNAT.
tcpdump works below ipfilter, so I see what comes out of the filter.
> Also, better to use MASQUERADE rather than SNAT for workstation access
> to the internet.
Why? ... what I have read made me believe that SNAT was preferred whenever
possible, but I would be happy to hear something else.
Martin
* (newbie) SNAT woes
From: Martin Djernaes @ 2003-08-07 14:14 UTC (permalink / raw)
To: netfilter
Hi,
I realise that you have seen mails like mine lots of times before, but I
have spent hours reading howtos and googling for some hint as to why my
very simple setup doesn't work.
I have a simple box which is just supposed to do normal NATing of outgoing
traffic so it uses the public IP address.
I thought that I had it all setup right (that was at least what I
understood from everything I read), so here is my nat table:
# iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 1774 packets, 193K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1443 packets, 77156 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    eth1    anywhere             anywhere            to:11.22.33.44

Chain OUTPUT (policy ACCEPT 317 packets, 23092 bytes)
 pkts bytes target     prot opt in     out     source               destination
Now if I ping an external IP address from another box on the "inside" and
run "tcpdump -ni eth1" on the gateway box, I will see the source address
being unchanged! (and I don't get an icmp echo reply back).
So what did I miss? Isn't it just a one-liner to turn SNAT on?
Martin
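The counters in the table above already hold the first clue: POSTROUTING's policy has counted 1443 packets while the SNAT rule sits at 0, so whatever traversed the chain never matched "-o eth1". The script below is an added example, not code from the thread: it parses `iptables -t nat -v -L` output and reports every rule that has matched nothing inside a chain that did see traffic. The function name `idle_rules` and the sample table (reconstructed from the figures posted above) are my own.

```shell
#!/bin/sh
# Added example: flag rules with a zero packet counter in chains whose policy
# counter shows traffic. The sample below is constructed from the counters in
# the thread, not captured from a live box.
SAMPLE_NAT_TABLE='Chain PREROUTING (policy ACCEPT 1774 packets, 193K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1443 packets, 77156 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    eth1    anywhere             anywhere            to:11.22.33.44

Chain OUTPUT (policy ACCEPT 317 packets, 23092 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# Reads `iptables -t nat -v -L` output on stdin and prints one line per rule
# that matched zero packets: "CHAIN TARGET out=IFACE policy_pkts=N", where N is
# the chain's own policy counter, so an idle rule in a busy chain stands out.
idle_rules() {
    awk '
        /^Chain / {
            chain = $2
            # the policy packet counter is the field just before "packets,"
            for (i = 1; i <= NF; i++) if ($i == "packets,") policy_pkts = $(i-1)
            next
        }
        /^ *pkts/ || NF == 0 { next }   # skip column headers and blank lines
        $1 == 0 { printf "%s %s out=%s policy_pkts=%s\n", chain, $3, $7, policy_pkts }
    '
}

# Stand-alone run over the constructed sample; on a gateway you would pipe
# the live output instead: iptables -t nat -v -L | idle_rules
printf '%s' "$SAMPLE_NAT_TABLE" | idle_rules
```

The nat table is consulted only for the first packet of each connection, so these counters count new connections rather than packets; a rule still at 0 while its chain's policy counter keeps climbing has never matched, which is worth settling before reaching for tcpdump.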