* RE: (newbie) SNAT woes
@ 2003-08-07 22:53 George Vieira
  2003-08-07 23:08 ` Ramin Dousti
  2003-08-08  4:14 ` Martin Djernaes
  0 siblings, 2 replies; 4+ messages in thread
From: George Vieira @ 2003-08-07 22:53 UTC (permalink / raw)
  To: Martin Djernaes, netfilter

What you've missed is that tcpdump and other utilities work on different layers and if I'm not wrong (hopefully not) it's seeing the packets before the SNAT.

Also, better to use MASQUERADE rather than SNAT for workstation access to the internet.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
 

-----Original Message-----
From: Martin Djernaes [mailto:martin@djernaes.dk]
Sent: Friday, August 08, 2003 12:15 AM
To: netfilter@lists.netfilter.org
Subject: (newbie) SNAT woes


Hi,

I realise that you have seen mails like mine lots of times before, but I
have spent hours reading howtos and googling for some hint as to why my
very simple setup doesn't work.

I have a simple box which is just supposed to do normal NATing of outgoing
traffic so it uses the public IP address.

I thought that I had it all setup right (that was at least what I
understood from everything I read), so here is my nat table:

# iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 1774 packets, 193K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1443 packets, 77156 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    eth1    anywhere             anywhere            to:11.22.33.44

Chain OUTPUT (policy ACCEPT 317 packets, 23092 bytes)
 pkts bytes target     prot opt in     out     source               destination

Now if I ping an external IP address from another box on the "inside" and
run "tcpdump -ni eth1" on the gateway box, I will see the source address
being unchanged! (and I don't get an icmp echo reply back).

So what did I miss? Isn't it just a one-liner to turn SNAT on?

Martin






* Re: (newbie) SNAT woes
  2003-08-07 22:53 (newbie) SNAT woes George Vieira
@ 2003-08-07 23:08 ` Ramin Dousti
  2003-08-08  4:14 ` Martin Djernaes
  1 sibling, 0 replies; 4+ messages in thread
From: Ramin Dousti @ 2003-08-07 23:08 UTC (permalink / raw)
  To: George Vieira; +Cc: Martin Djernaes, netfilter

On Fri, Aug 08, 2003 at 08:53:21AM +1000, George Vieira wrote:

> Also, better to use MASQUERADE rather than SNAT for workstation access to the internet.

You use MASQUERADE if you have a dynamic IP; otherwise use SNAT, which is more
efficient.

Ramin



* RE: (newbie) SNAT woes
  2003-08-07 22:53 (newbie) SNAT woes George Vieira
  2003-08-07 23:08 ` Ramin Dousti
@ 2003-08-08  4:14 ` Martin Djernaes
  1 sibling, 0 replies; 4+ messages in thread
From: Martin Djernaes @ 2003-08-08  4:14 UTC (permalink / raw)
  To: georgev; +Cc: martin, netfilter

Hi,

Some people have helped me off the list and even though it all looked
strange and I don't know what happened, it's working now!

> What you've missed is that tcpdump and other utilities work on different
> layers and if I'm not wrong (hopefully not) it's seeing the packets
> before the SNAT.

tcpdump works below ipfilter, so I see what comes out of the filter.

> Also, better to use MASQUERADE rather than SNAT for workstation access
> to the internet.

Why? ... what I have read made me believe that SNAT was preferred whenever
possible, but I would be happy to hear something else.

Martin

> ____________________________________________
> George Vieira
> Systems Manager
> georgev@citadelcomputer.com.au
>
> Citadel Computer Systems Pty Ltd
> http://www.citadelcomputer.com.au
>
>
> -----Original Message-----
> From: Martin Djernaes [mailto:martin@djernaes.dk]
> Sent: Friday, August 08, 2003 12:15 AM
> To: netfilter@lists.netfilter.org
> Subject: (newbie) SNAT woes
>
>
> Hi,
>
> I realise that you have seen mails like mine lots of times before, but I
> have spent hours reading howtos and googling for some hint as to why my
> very simple setup doesn't work.
>
> I have a simple box which is just supposed to do normal NATing of
> outgoing traffic so it uses the public IP address.
>
> I thought that I had it all setup right (that was at least what I
> understood from everything I read), so here is my nat table:
>
> # iptables -t nat -v -L
> Chain PREROUTING (policy ACCEPT 1774 packets, 193K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 1443 packets, 77156 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 SNAT       all  --  any    eth1    anywhere             anywhere            to:11.22.33.44
>
> Chain OUTPUT (policy ACCEPT 317 packets, 23092 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Now if I ping an external IP address from another box on the "inside"
> and run "tcpdump -ni eth1" on the gateway box, I will see the source
> address being unchanged! (and I don't get an icmp echo reply back).
>
> So what did I miss? Isn't it just a one-liner to turn SNAT on?
>
> Martin






* (newbie) SNAT woes
@ 2003-08-07 14:14 Martin Djernaes
  0 siblings, 0 replies; 4+ messages in thread
From: Martin Djernaes @ 2003-08-07 14:14 UTC (permalink / raw)
  To: netfilter

Hi,

I realise that you have seen mails like mine lots of times before, but I
have spent hours reading howtos and googling for some hint as to why my
very simple setup doesn't work.

I have a simple box which is just supposed to do normal NATing of outgoing
traffic so it uses the public IP address.

I thought that I had it all setup right (that was at least what I
understood from everything I read), so here is my nat table:

# iptables -t nat -v -L
Chain PREROUTING (policy ACCEPT 1774 packets, 193K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1443 packets, 77156 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  any    eth1    anywhere             anywhere            to:11.22.33.44

Chain OUTPUT (policy ACCEPT 317 packets, 23092 bytes)
 pkts bytes target     prot opt in     out     source               destination

Now if I ping an external IP address from another box on the "inside" and
run "tcpdump -ni eth1" on the gateway box, I will see the source address
being unchanged! (and I don't get an icmp echo reply back).

So what did I miss? Isn't it just a one-liner to turn SNAT on?

Martin




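The SNAT rule in Martin's listing shows 0 packets and 0 bytes, so it was never matched at all; on Linux a capture on the outgoing interface is taken after the nat POSTROUTING hook, so an unchanged source address in tcpdump is exactly what a rule that never fires looks like. The script below is an added example written for this page, not code from any of the thread's messages. It collects the two rule forms George and Ramin disagree about (SNAT for a static public address, MASQUERADE for a dynamic one) and a small check that reads the POSTROUTING listing and reports NAT rules whose counter has not moved. The interface eth1 and the address 11.22.33.44 come from the thread; the inside prefix 192.168.1.0/24, the -s restriction, the file name and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Two ways to write the outbound NAT
# rule the thread discusses, plus a check for its symptom: a POSTROUTING NAT
# rule whose pkts counter never leaves 0. WAN_IF comes from the thread
# ("out eth1"), PUBLIC_IP from its rule; LAN_NET is an assumed inside prefix.
WAN_IF=eth1
LAN_NET=192.168.1.0/24
PUBLIC_IP=11.22.33.44

# Static public address: SNAT rewrites the source to a fixed IP. Restricting
# the match to -s LAN_NET (an addition here) keeps the box from translating
# traffic it did not mean to forward. Needs root.
nat_static() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" \
        -j SNAT --to-source "$PUBLIC_IP"
}

# Dynamic public address (PPP/DHCP): MASQUERADE reads the address of the
# outgoing interface for each new connection and forgets its connections when
# that interface goes down, which is why it is the choice for non-static IPs.
nat_dynamic() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Read `iptables -t nat -v -L POSTROUTING` output on stdin and print every
# SNAT/MASQUERADE rule whose pkts column (field 1) is still 0, with its out
# interface (field 7). A rule that stays at 0 while you generate traffic from
# the inside never matched: the packets are not being forwarded out that
# interface, so there is nothing for SNAT to rewrite. The header and policy
# lines do not start with "0" and fall through.
unmatched_nat_rules() {
    awk '$1 == "0" && ($3 == "SNAT" || $3 == "MASQUERADE") { print $3, "out=" $7 }'
}

# Usage: sh nat-check.sh static|dynamic|check   (file name assumed)
case "${1:-}" in
    static)  nat_static ;;
    dynamic) nat_dynamic ;;
    check)   iptables -t nat -v -L POSTROUTING | unmatched_nat_rules ;;
esac
```

To use the check, ping an outside address from an inside host, then run `sh nat-check.sh check` on the gateway: a line such as `SNAT out=eth1` means the rule still has not seen a packet, and the thing to look at is whether forwarding is enabled and whether the inside traffic is really routed out that interface, not the tcpdump output.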

2003-08-07 22:53 (newbie) SNAT woes George Vieira
2003-08-07 23:08 ` Ramin Dousti
2003-08-08  4:14 ` Martin Djernaes
  -- strict thread matches above, loose matches on Subject: below --
2003-08-07 14:14 Martin Djernaes
