* OUTPUT SNAT
@ 2011-02-11 15:13 Ryan Whelan
From: Ryan Whelan @ 2011-02-11 15:13 UTC (permalink / raw)
  To: netfilter

I have a Linux router with a WAN/VPN interface (tun0) and a LAN/Bridge
(br0).  The SVI address on the bridge is 172.21.0.1 / 28.  The Linux
machine doesn't do any masquerading so all the traffic from machines
connected to the br0 interface contains its original address.  All
traffic from the Linux router itself, sent over the VPN, has a source
address of the tun0, of course.  Is it possible to SNAT all traffic
sent over the VPN to have a source IP of the bridge SVI?

Something like: `iptables -t nat -A OUTPUT -o tun0 -j SNAT --to 172.21.0.1`

`iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to 172.21.0.1`
works, but it will also masquerade all traffic forwarded from the
bridge (br0) interface.

Is this possible with netfilter? Or even possible with Linux?


* Re: OUTPUT SNAT
From: Pandu Poluan @ 2011-02-11 16:27 UTC (permalink / raw)
  To: Ryan Whelan, netfilter

Maybe you can employ -m physdev?

http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

(sorry, never used br0 and tun0)

Rgds,


On 2011-02-11, Ryan Whelan <rcwhelan@gmail.com> wrote:
> I have a Linux router with a WAN/VPN interface (tun0) and a LAN/Bridge
> (br0).  The SVI address on the bridge is 172.21.0.1 / 28.  The Linux
> machine doesn't do any masquerading so all the traffic from machines
> connected to the br0 interface contains its original address.  All
> traffic from the Linux router itself, sent over the VPN, has a source
> address of the tun0, of course.  Is it possible to SNAT all traffic
> sent over the VPN to have a source IP of the bridge SVI?
>
> Something like: `iptables -t nat -A OUTPUT -o tun0 -j SNAT --to 172.21.0.1`
>
> `iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to 172.21.0.1`
> works, but it will also masquerade all traffic forwarded from the
> bridge (br0) interface.
>
> Is this possible with netfilter? Or even possible with Linux?


--
Pandu E Poluan - IT Optimizer
My website: http://pandu.poluan.info/


* Re: OUTPUT SNAT
From: Pascal Hambourg @ 2011-02-11 17:20 UTC (permalink / raw)
  To: netfilter

Hello,

Ryan Whelan wrote:
> I have a Linux router with a WAN/VPN interface (tun0) and a LAN/Bridge
> (br0).  The SVI address on the bridge is 172.21.0.1 / 28.  The Linux
> machine doesn't do any masquerading so all the traffic from machines
> connected to the br0 interface contains its original address.  All
> traffic from the Linux router itself, sent over the VPN, has a source
> address of the tun0, of course.  Is it possible to SNAT all traffic
> sent over the VPN to have a source IP of the bridge SVI?
> 
> Something like: `iptables -t nat -A OUTPUT -o tun0 -j SNAT --to 172.21.0.1`

You can use SNAT only in nat/POSTROUTING.

> `iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to 172.21.0.1`
> works, but it will also masquerade all traffic forwarded from the
> bridge (br0) interface.
> 
> Is this possible with netfilter? Or even possible with Linux?

Sure. You can either
- exclude packets from the address of tun0: ! -s <tun0_address>
- match only packets from the bridge subnet: -s 172.21.0.0/28

If you want to SNAT packets based on the input interface regardless of
the source address, you can mark packets:

iptables -t mangle -A FORWARD -i br0 -o tun0 -j MARK --set-mark 1
iptables -t nat -A POSTROUTING -o tun0 -m mark --mark 1 \
  -j SNAT --to 172.21.0.1

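An audit helper added here (not code from the thread) that takes the defender's side of the point above: it scans an iptables-save dump for nat/POSTROUTING SNAT or MASQUERADE rules that match only on the output interface, with no source, mark, addrtype or physdev qualifier, and so rewrite forwarded traffic as well as the router's own, exactly like Ryan's first POSTROUTING rule. The dump is a constructed sample and the function names are mine.

```shell
#!/bin/sh
# Flag nat/POSTROUTING SNAT/MASQUERADE rules that are scoped only by
# output interface. Such a rule rewrites every packet leaving tun0,
# forwarded LAN traffic included, not just the router's own packets.

# Constructed sample dump: only the first POSTROUTING rule is unscoped;
# the second is limited to the bridge subnet, the third to marked packets.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun0 -j SNAT --to-source 172.21.0.1
-A POSTROUTING -s 172.21.0.0/28 -o tun0 -j SNAT --to-source 172.21.0.1
-A POSTROUTING -o tun0 -m mark --mark 0x1 -j SNAT --to-source 172.21.0.1
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -i br0 -o tun0 -j MARK --set-xmark 0x1/0xffffffff
COMMIT'

# find_unscoped_snat DUMP_TEXT
# Prints each nat-table POSTROUTING rule whose target is SNAT or
# MASQUERADE and which carries no -s/--source (negated or not) and no
# -m mark / -m addrtype / -m physdev match. Rules in other tables are
# skipped, so a MARK rule in mangle never trips the check.
find_unscoped_snat() {
    printf '%s\n' "$1" | awk '
        /^\*/          { table = substr($0, 2); next }
        table != "nat" { next }
        /^-A POSTROUTING / && /-j (SNAT|MASQUERADE)/ {
            if ($0 !~ /(^| )(! )?(-s|--source) / &&
                $0 !~ / -m (mark|addrtype|physdev) /)
                print
        }'
}

# count_unscoped_snat DUMP_TEXT: number of offending rules, for scripting.
count_unscoped_snat() {
    find_unscoped_snat "$1" | wc -l | tr -d ' '
}

# audit_live: run the same check against the running ruleset. Needs
# iptables-save on PATH and root; prints nothing when nothing is found.
audit_live() {
    command -v iptables-save >/dev/null 2>&1 || return 0
    find_unscoped_snat "$(iptables-save 2>/dev/null)"
}
```

Source it and call `audit_live` on the router; a non-empty result is a SNAT rule that also masquerades forwarded traffic.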
