* SNAT problem with alias IP
From: Paolo Tezza @ 2014-08-01  8:00 UTC
  To: netfilter

Hi all

I have a firewall with 3 physical NICs (LAN, WAN, DMZ)
I have 8 public IPs I can use on the WAN's NIC (eth0)

so I configured some aliases on eth0:
eth0  x.x.x.234 Mask:255.255.255.248
eth0:0 x.x.x.235  Mask:255.255.255.248
eth0:1 x.x.x.237  Mask:255.255.255.248
eth0:2 x.x.x.238 Mask:255.255.255.248

eth1  10.0.0.254  Bcast:10.0.0.255  Mask:255.255.255.0

eth2  192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0


I have added this iptables rule, which works like a charm:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.234

Both my LAN (eth2) and my DMZ (eth1) surf the internet with the physical IP


Now I need one host, 192.168.1.201, to be "masqueraded" with x.x.x.238,
so I add the rule ABOVE the first one:
iptables -t nat -A POSTROUTING -s 192.168.1.201 -o eth0 -j SNAT --to-source x.x.x.238



The issue is that 192.168.1.201 keeps using the physical IP x.x.x.234 and
not x.x.x.238

Any hints?

thanks


Paolo

* Re: SNAT problem with alias IP
From: Anton Danilov @ 2014-08-01 17:48 UTC
  To: Paolo Tezza; +Cc: netfilter

Hello, Paolo.

After adding the new NAT rule, you should remove the existing conntrack
entries for the 192.168.1.201 flows. Otherwise these flows will keep using
the existing entries with the ...234 external address.


-- 
Anton.
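
What the reply above describes, as an added example (not part of the original thread): the nat table is consulted only for the first packet of a connection, so flows opened before the new rule keep their old mapping until their conntrack entries are removed. The function below reads `conntrack -L` output and lists flows from a host whose translated address is not the intended one; the 203.0.113.x addresses stand in for the thread's x.x.x.234 and x.x.x.238, and the sample lines and the function name are constructed for this example.

```shell
#!/bin/sh
# Added example: find conntrack entries that still carry the old SNAT address.
# 203.0.113.234 / 203.0.113.238 are constructed placeholders for the
# thread's x.x.x.234 / x.x.x.238.

# Constructed sample in `conntrack -L` output format. The second src=/dst=
# pair is the reply direction; its dst= is the address SNAT selected.
SAMPLE='tcp      6 431990 ESTABLISHED src=192.168.1.201 dst=198.51.100.10 sport=51234 dport=443 src=198.51.100.10 dst=203.0.113.234 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.201 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.238 sport=53 dport=40000 mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.1.50 dst=198.51.100.10 sport=40100 dport=80 src=198.51.100.10 dst=203.0.113.234 sport=80 dport=40100 [ASSURED] mark=0 use=1'

# stale_snat_flows HOST WANT: read conntrack -L lines on stdin and print
# "proto orig_dst current_snat" for each flow from HOST whose reply-direction
# dst= is not WANT, i.e. the NAT mapping predates the new rule.
stale_snat_flows() {
    awk -v host="$1" -v want="$2" '
    {
        osrc = ""; odst = ""; rdst = ""; n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/) {
                if (osrc == "") osrc = substr($i, 5)   # first src= is the original source
            } else if ($i ~ /^dst=/) {
                n++
                if (n == 1) odst = substr($i, 5)       # original destination
                if (n == 2) rdst = substr($i, 5)       # reply destination = SNAT address
            }
        }
        if (osrc == host && rdst != "" && rdst != want)
            print $1, odst, rdst
    }'
}

# Run on the constructed sample: only the TCP flow still maps to .234.
printf '%s\n' "$SAMPLE" | stale_snat_flows 192.168.1.201 203.0.113.238

# On the firewall itself (root, conntrack-tools installed):
#   conntrack -L -s 192.168.1.201 | stale_snat_flows 192.168.1.201 x.x.x.238
#   conntrack -D -s 192.168.1.201   # delete the host's entries; new flows hit the new rule
```

Deleting the entries interrupts the host's established connections, since their return traffic no longer matches a tracked flow; connections opened afterwards are translated by the host-specific rule.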


* Re: SNAT problem with alias IP
From: Paolo Tezza @ 2014-08-04  7:26 UTC
  To: netfilter

you hit the point!!
thank you so much
