* SNAT problem with alias IP
From: Paolo Tezza @ 2014-08-01 8:00 UTC (permalink / raw)
To: netfilter
Hi all,

I have a firewall with 3 physical NICs (LAN, WAN, DMZ).
I have 8 public IPs I can use on the WAN's NIC (eth0),

so I configured some aliases on eth0:
eth0 x.x.x.234 Mask:255.255.255.248
eth0:0 x.x.x.235 Mask:255.255.255.248
eth0:1 x.x.x.237 Mask:255.255.255.248
eth0:2 x.x.x.238 Mask:255.255.255.248

eth1 10.0.0.254 Bcast:10.0.0.255 Mask:255.255.255.0

eth2 192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0

I have added this iptables rule, which works like a charm:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.234

Both my LAN (eth2) and my DMZ (eth1) surf the internet with the physical IP.

Now I need one host, 192.168.1.201, to be "masqueraded" with x.x.x.238,
so I add the rule ABOVE the first one:
iptables -t nat -A POSTROUTING -s 192.168.1.201 -o eth0 -j SNAT --to-source x.x.x.238

The issue is that 192.168.1.201 keeps using the physical IP x.x.x.234 and
not x.x.x.238.

Any hints?

Thanks,
Paolo
* Re: SNAT problem with alias IP
From: Anton Danilov @ 2014-08-01 17:48 UTC (permalink / raw)
To: Paolo Tezza; +Cc: netfilter
Hello, Paolo.

After adding the new NAT rule, you should remove the existing conntrack
entries for the 192.168.1.201 flows. Otherwise these flows will keep using the
existing entries with the ...234 external address.
--
Anton.
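
[Added example, not part of the original thread.] The nat table is consulted only for the first packet of a connection; later packets reuse the mapping stored in conntrack, which is why flows opened before the new rule keep the old address. The sketch below finds such stale flows in `conntrack -L` output and flushes them with `conntrack -D -s` from conntrack-tools. Assumptions: 203.0.113.234 and 203.0.113.238 stand in for x.x.x.234 and x.x.x.238, the sample lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in `conntrack -L` format (documentation addresses only).
sample_conntrack() {
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.201 dst=198.51.100.10 sport=51514 dport=443 src=198.51.100.10 dst=203.0.113.234 sport=443 dport=51514 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.201 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.238 sport=53 dport=40000 mark=0 use=1
tcp      6 431000 ESTABLISHED src=192.168.1.50 dst=198.51.100.10 sport=40222 dport=80 src=198.51.100.10 dst=203.0.113.234 sport=80 dport=40222 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.1.201 dst=198.51.100.20 sport=51600 dport=22 src=198.51.100.20 dst=203.0.113.234 sport=22 dport=51600 [ASSURED] mark=0 use=1
EOF
}

# stale_snat_flows HOST WANT_IP
# Reads conntrack -L lines on stdin. Each line carries two tuples: the first
# src=/dst= pair is the original direction, the second is the reply direction.
# The reply-direction dst= is the address the flow was SNATed to. Prints the
# flows from HOST whose recorded SNAT address differs from WANT_IP.
stale_snat_flows() {
    awk -v host="$1" -v want="$2" '
    {
        n_src = 0; n_dst = 0; osrc = ""; odst = ""; rdst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) { if (++n_src == 1) osrc = substr($i, 5) }
            else if ($i ~ /^dst=/) {
                n_dst++
                if (n_dst == 1) odst = substr($i, 5)
                else if (n_dst == 2) rdst = substr($i, 5)
            }
            else if ($i ~ /^dport=/ && dport == "") dport = substr($i, 7)
        }
        if (osrc == host && rdst != "" && rdst != want)
            print $1, odst ":" dport, "natted-as=" rdst
    }'
}

# flush_host_flows HOST
# Deletes every conntrack entry whose original source is HOST, so the next
# packet of each flow is treated as new and traverses the nat table again.
# Needs root and conntrack-tools; not called here.
flush_host_flows() {
    conntrack -D -s "$1"
}

# Offline demonstration on the constructed sample:
sample_conntrack | stale_snat_flows 192.168.1.201 203.0.113.238
```

On a live firewall, feed `conntrack -L -s 192.168.1.201` into `stale_snat_flows` instead of the sample. Established TCP sessions from that host are dropped by the flush and must reconnect.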
* Re: SNAT problem with alias IP
From: Paolo Tezza @ 2014-08-04 7:26 UTC (permalink / raw)
To: netfilter
You hit the point!!
Thank you so much.