Linux NATing on my own IP address - linux

I have a question regarding Linux NAT-ing on my own IP address.
Suppose I have a network interface, say eth0. It is given an IP address of 127.0.0.2. Now I apply a NAT rule in Linux saying that:
Any traffic with a source IP of 127.0.0.2 should be changed to a source IP of 192.168.0.2.
What source IP will I see in the packets sent out of eth0? In other words, will the NAT rule be applied to the packets originating from my own machine?
Thanks!
Jin

You can use POSTROUTING for this:
# SNAT in the nat POSTROUTING chain; locally generated packets pass through it too
iptables -t nat -A POSTROUTING -s 127.0.0.2 -o eth0 -j SNAT --to 192.168.0.2

Related

dns configuration for wireless access point

I am trying to implement a wireless access point on my embedded platform. I have implemented some parts, like running the wireless card as an access point, a DHCP server and some forwarding rules (via iptables).
I have tried several iptables commands; the results of all of them are the same. The last one I decided to use is:
iptables -t nat -F
iptables -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
echo '1' > /proc/sys/net/ipv4/ip_forward
The access point runs successfully; clients can connect to it and get an IP address. However, there is a DNS problem: clients cannot resolve hostnames, but they can connect via IP addresses.
The DHCP configuration is as below:
interface wlan0
start 192.168.7.11
end 192.168.7.20
max_leases 10
option subnet 255.255.255.0
option router 192.168.7.1
#option dns 192.168.7.2 192.168.7.4
option domain local
option lease 864000
lease_file /conf/udhcpd.leases
#pidfile /tmp/udhcpd.pid
For this configuration, if I use 'option dns 8.8.8.8 8.8.4.4' I can resolve the problem, but I need to use the DNS of the network. Is there any way to forward the DNS address 192.168.7.2 to the DNS address of the wired network (e.g. 192.168.0.2)?
I could not find DNS routing (e.g. 192.168.7.2 to 192.168.0.2), but I have found a way to use the DNS address of the embedded platform on the clients.
In the DHCP server configuration, I used this option:
option dns 192.168.0.2 192.168.0.4 (the conf file is generated when the access point is started, so the DNS addresses are obtained from the system)
After the DHCP server is run, I ran these commands to forward DNS addresses:
# accept resolver replies coming in on eth1; -m tcp / -m udp only load with the matching -p
iptables -A FORWARD --in-interface eth1 -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A FORWARD --in-interface eth1 -p udp -m udp --sport 53 -j ACCEPT
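The question as asked (make 192.168.7.2 on the wireless side answer as the wired resolver 192.168.0.2) is a destination NAT for port 53 rather than "DNS routing". The script below is an added example, not the poster's or the answerer's code: it generates the forwarding and NAT rules for the access point together with that DNAT. It assumes, from the thread, that wlan0 is the access-point interface (the udhcpd `interface wlan0` line), eth0 is the wired uplink (the MASQUERADE rule), 192.168.7.0/24 is the wireless subnet and 192.168.0.2 the wired resolver; the function names and the `--apply` flag are this example's own.

```python
"""Added example, not the poster's script: the AP's forwarding/NAT rules plus a DNAT that
sends DNS queries addressed to the AP's own resolver address (192.168.7.2, on the wireless
subnet) to the wired network's resolver (192.168.0.2). Interface names follow the thread:
wlan0 is the access point side, eth0 the wired uplink."""
import ipaddress
import shlex
import subprocess
import sys


def ap_ruleset(lan_if, wan_if, lan_net, dns_alias, upstream_dns):
    """Commands (argv lists) in apply order. dns_alias is the address handed to clients
    as their DNS server; it must lie in lan_net so clients ARP for it on the wireless side."""
    net = ipaddress.ip_network(lan_net)
    alias, upstream = ipaddress.ip_address(dns_alias), ipaddress.ip_address(upstream_dns)
    if alias not in net:
        raise ValueError(f"{alias} is not in {net}; clients could never reach it")
    if upstream in net:
        raise ValueError(f"{upstream} is already on {net}; nothing to redirect")
    cmds = [
        ["sysctl", "-w", "net.ipv4.ip_forward=1"],
        # The AP must own the alias address, otherwise nobody answers the clients' ARP
        # requests and the queries never arrive at PREROUTING.
        ["ip", "address", "replace", f"{alias}/{net.prefixlen}", "dev", lan_if],
    ]
    # Destination NAT happens in PREROUTING, before the routing decision, so the rewritten
    # query is forwarded towards the wired network instead of being delivered locally.
    for proto in ("udp", "tcp"):
        cmds.append(["iptables", "-t", "nat", "-A", "PREROUTING", "-i", lan_if, "-d", str(alias),
                     "-p", proto, "--dport", "53", "-j", "DNAT", "--to-destination", str(upstream)])
    cmds += [
        # Hide the wireless subnet behind the uplink address; conntrack undoes both the
        # DNAT and the MASQUERADE on the replies.
        ["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", str(net), "-o", wan_if, "-j", "MASQUERADE"],
        ["iptables", "-P", "FORWARD", "DROP"],
        ["iptables", "-A", "FORWARD", "-i", lan_if, "-o", wan_if, "-s", str(net), "-j", "ACCEPT"],
        ["iptables", "-A", "FORWARD", "-i", wan_if, "-o", lan_if,
         "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]
    return cmds


def render(cmds):
    """The same commands as a shell transcript, for review before applying."""
    return "\n".join(shlex.join(c) for c in cmds)


if __name__ == "__main__":
    cmds = ap_ruleset("wlan0", "eth0", "192.168.7.0/24", "192.168.7.2", "192.168.0.2")
    if "--apply" in sys.argv:  # needs root; without the flag the commands are only printed
        for c in cmds:
            subprocess.run(c, check=True)
    else:
        print(render(cmds))
```

With this in place the udhcpd configuration keeps `option dns 192.168.7.2` and clients never need to know the wired resolver's address. Run the script once without arguments to review the commands, then with `--apply`; the rules are appended with `-A`, so flush the nat and filter tables first if you re-run it.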

Disable linux internal route?

I have a system with 2 NICs (eth0, eth1). I connect them externally with a cable (using a crossover cable, or connecting them to the same switch). I want to ping the eth1 IP address from eth0 and I want the traffic to pass externally (through the cable) from eth0 to eth1, but the Linux kernel sends the traffic internally and doesn't allow it to pass over the cable. How can I fix this and send the traffic externally?
I use ping with "-I eth0" but the problem persists.
The problem is not with VRF but with loopback, which is used whenever the kernel detects it can use it instead of sending through the wire.
Let's use real MAC addresses and dummy IP addresses and NAT to force the kernel to send data through the wire:
# Placeholders: MAC0/MAC1 are the real MAC addresses of eth0/eth1, REAL0/REAL1 the
# addresses configured on them, IP0/IP1 are dummy addresses used nowhere else on the link.
# IP0 is sent out of eth1 but resolves to eth0's MAC, so it crosses the cable to eth0;
# IP1 works the same way in the other direction.
arp -s IP0 MAC0
arp -s IP1 MAC1
ip route add IP0 dev eth1
ip route add IP1 dev eth0
# Rewrite the source to the other dummy address so the reply also crosses the cable
iptables -t nat -A POSTROUTING -d IP1 -j SNAT --to-source IP0
iptables -t nat -A POSTROUTING -d IP0 -j SNAT --to-source IP1
# On arrival, map the dummy destination back to the interface's real address so the
# kernel accepts the packet as local
iptables -t nat -A PREROUTING -d IP0 -j DNAT --to-destination REAL0
iptables -t nat -A PREROUTING -d IP1 -j DNAT --to-destination REAL1
First, enslave at least one of the interfaces to a different VRF, then try ping -I eth0 dest
Some helpful resources about VRF on Linux:
https://www.kernel.org/doc/Documentation/networking/vrf.txt
https://renard.chezwam.org/blog/2014/09/vrf-on-linux/index.html
PS: it is much simpler on BSD(rdomain) :)

SNAT does not change source ip

I am trying to NAT an internal virtual network (adapter tun0, IP 10.8.0.x, my VPN network) to the outside world (adapter venet0:0, IP xxx.xxx.xxx.xxx).
I am using the following iptables rule:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0:0 -j SNAT --to xxx.xxx.xxx.xxx
For some reason iptables is not changing the outbound IP address:
tcpdump:
08:23:17.863971 IP 10.8.0.6 > 8.8.8.8: ICMP echo request, id 3887, seq 1264, length 64
netstat-nat:
Proto NATed Address Destination Address State
udp 10.8.0.6:61339 google-public-dns-a.goo:domain UNREPLIED
Any ideas? What am I doing wrong?
(ip_forward is activated!)
Check your iptables -t nat -nvL very carefully. Maybe there's a hidden MASQUERADE somewhere.
Have a close look at the selectors, source (-s) and destination (-d). In my case my destination IP was different by one octet: I was expecting .5 and the traffic was destined to .6, as if the rule was to SNAT IP xxx.xxx.5.xxx and the destination in the packets was xxx.xxx.6.xxx.

Iptables change destination address postrouting

I have to change the destination address of my packets before they are sent...
Looking on the web I saw that with iptables it is possible to change the destination address of the packets in PREROUTING.
Can you help me?
I would like something like:
sudo iptables -t nat -A POSTROUTING -d 239.0.2.4 -o wlan0 -j DNAT --to 192.168.1.3
My problem is that a relay of my RTSP local server accepts only a multicast IP address, but I would like the packets to be sent with a classical IP address.
Thanks
You can change the destination address in PREROUTING, and source address in POSTROUTING.
The rationale is that during the POSTROUTING chain, the routing decision has already taken place, and altering the destination address now would be nonsensical. Either the decision would be the same (in which case you can use the PREROUTING chain), or it would be different, in which case you really want a policy route.
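Three of the threads above come down to the same two facts about the nat table: a packet walks a fixed sequence of chains (OUTPUT then POSTROUTING when a local process generated it, PREROUTING then POSTROUTING when it is forwarded), and within a chain the first matching SNAT/DNAT/MASQUERADE rule wins and ends the lookup. The simulator below is an added example, not code from any of the posts, that makes those rules concrete: it parses rules in `iptables-save -t nat` syntax, refuses a NAT target in a chain the kernel would reject it in (a DNAT in POSTROUTING, the last question), and reports which rule fires for a given packet. Run against the constructed sample it shows a leftover MASQUERADE shadowing the intended SNAT (the "hidden MASQUERADE" the answer above warns about), and that a rule written with `-o venet0:0` never matches: `venet0:0` is an ifconfig address label, not a device, so netfilter only ever sees `venet0`. It also confirms the first question's answer, since a locally generated packet does traverse POSTROUTING. Routing, conntrack and matches other than `-s`/`-d`/`-o` are not modelled; the sample ruleset, 203.0.113.x addresses and function names are this example's own.

```python
"""Added example, not code from any of the posts: a small nat-table simulator.
Rules use `iptables-save -t nat` syntax. Routing, conntrack and matches other
than -s/-d/-o are not modelled; the sample ruleset and addresses are constructed."""
import ipaddress
import shlex

# nat chains a packet walks, in order, depending on where it comes from.
CHAIN_PATH = {"local": ["OUTPUT", "POSTROUTING"],        # generated on this host
              "forward": ["PREROUTING", "POSTROUTING"]}  # in on one interface, out on another
# NAT targets the kernel accepts per built-in chain; iptables refuses the rest at load time.
NAT_TARGETS = {"PREROUTING": {"DNAT", "REDIRECT"}, "OUTPUT": {"DNAT", "REDIRECT"},
               "INPUT": {"SNAT", "MASQUERADE"}, "POSTROUTING": {"SNAT", "MASQUERADE"}}
ALL_NAT_TARGETS = {"DNAT", "REDIRECT", "SNAT", "MASQUERADE"}
TERMINATING = ALL_NAT_TARGETS | {"ACCEPT"}  # the first matching one of these ends the chain

# Constructed sample: a MASQUERADE left behind by another tool sits in front of the SNAT
# the admin expects to fire, and the last rule names an ifconfig alias label (venet0:0),
# which is not a device: netfilter sees venet0, so that rule can never match.
SAMPLE_NAT_SAVE = """\
*nat
-A POSTROUTING -o venet0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 10.8.0.0/24 -o venet0:0 -j SNAT --to-source 203.0.113.11
COMMIT
"""

def packet(src, dst, oif, oif_addr, origin="forward"):
    """oif_addr is the outgoing interface's own address, i.e. what MASQUERADE would use."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst), "oif": oif,
            "oif_addr": ipaddress.ip_address(oif_addr), "origin": origin}

def parse_rules(text):
    """Ordered '-A' rules; raises ValueError for a NAT target in a chain that refuses it."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "src": None, "dst": None, "oif": None,
                "target": None, "to": None, "negated": set(), "raw": line}
        i = 2
        while i < len(toks):
            negate = toks[i] == "!"
            tok = toks[i + 1] if negate else toks[i]
            i += 2 if negate else 1  # i now points at the option's value, if it has one
            if tok in ("-s", "--source", "-d", "--destination"):
                key = "src" if tok in ("-s", "--source") else "dst"
                rule[key] = ipaddress.ip_network(toks[i], strict=False)
            elif tok in ("-o", "--out-interface"):
                key, rule["oif"] = "oif", toks[i]
            elif tok in ("-j", "--jump"):
                key, rule["target"] = None, toks[i]
            elif tok in ("--to-source", "--to-destination", "--to"):
                key, rule["to"] = None, toks[i].split(":")[0].split("-")[0]  # drop port range
            else:
                continue  # other matches (-p, -m, ...) are not modelled and count as matching
            if negate and key:
                rule["negated"].add(key)
            i += 1
        allowed = NAT_TARGETS.get(rule["chain"])
        if allowed is not None and rule["target"] in ALL_NAT_TARGETS - allowed:
            raise ValueError(f"{rule['target']} is not valid in {rule['chain']}: {line}")
        rules.append(rule)
    return rules

def rule_matches(rule, pkt):
    """-s/-d/-o semantics: a missing option matches everything, '!' inverts, a trailing
    '+' on an interface name is a prefix wildcard."""
    tests = {"src": lambda want: pkt["src"] in want,
             "dst": lambda want: pkt["dst"] in want,
             "oif": lambda want: (pkt["oif"].startswith(want[:-1]) if want.endswith("+")
                                 else want == pkt["oif"])}
    for key, test in tests.items():
        if rule[key] is not None and test(rule[key]) == (key in rule["negated"]):
            return False
    return True

def simulate(rules, pkt):
    """Walk the chains for pkt['origin'], first match wins in each; returns (src, dst, trace)
    where trace lists (chain, position of the rule that fired, or None)."""
    src, dst, trace = pkt["src"], pkt["dst"], []
    for chain in CHAIN_PATH[pkt["origin"]]:
        cur = dict(pkt, src=src, dst=dst)
        hit = next(((n, r) for n, r in enumerate((x for x in rules if x["chain"] == chain), 1)
                    if r["target"] in TERMINATING and rule_matches(r, cur)), None)
        trace.append((chain, hit[0] if hit else None))
        if hit is None:
            continue
        target, to = hit[1]["target"], hit[1]["to"]
        if target == "SNAT":
            src = ipaddress.ip_address(to)
        elif target == "MASQUERADE":
            src = pkt["oif_addr"]
        elif target == "DNAT":
            dst = ipaddress.ip_address(to)  # ACCEPT and REDIRECT leave the addresses alone
    return src, dst, trace

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_NAT_SAVE)
    pkt = packet("10.8.0.6", "8.8.8.8", "venet0", "203.0.113.1")
    print(simulate(rules, pkt))      # the MASQUERADE (rule 1) fires, not the SNAT
    print(simulate(rules[2:], pkt))  # the alias rule on its own: nothing fires
```

To check a live box, feed it `iptables-save -t nat` output and the packet from your tcpdump; if the trace shows no rule firing, the selectors are the problem (wrong `-d`, an alias label in `-o`), and if an earlier rule fires, that rule is the "hidden MASQUERADE". For the multicast relay question, the same model shows where a destination rewrite for locally generated packets belongs: the nat OUTPUT chain accepts DNAT, POSTROUTING does not.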

How to route in linux

I have 20 IPs from my ISP. I have them bound to a router box running CentOS. What commands, and in what order, do I set up so that the other boxes on my LAN, based either on their MAC addresses or their 192 IPs, route out of my box on specific IPs? For example I want MAC address xxx:xxx:xxx0400 to go out 72.049.12.157 and xxx:xxx:xxx:0500 to go out 72.049.12.158.
Use iptables to set up NAT.
# -I inserts at the top of the chain; the first matching rule wins
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 72.049.12.157
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 72.049.12.158
This should cause any IPs on the 192.168.0.0 subnet to have an 'external' IP of 72.049.12.157 and those on the 192.168.1.0 subnet to have an 'external' IP of 72.049.12.158. For MAC address matching, use -m mac --mac-source MAC-ADDRESS in place of the -s 192.168.0.0/24 argument.
Don't forget to activate ip forwarding:
cat /proc/sys/net/ipv4/ip_forward
If the above returns a 0 then it won't work, you'll have to enable it. Unfortunately this is distro-specific and I don't know CentOS.
For a quick hack, do this:
echo 1 > /proc/sys/net/ipv4/ip_forward
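One detail to know before trying the MAC variant: the `mac` match is only accepted in the PREROUTING, INPUT and FORWARD chains (it needs the Ethernet header of an incoming frame), so it cannot be put into the POSTROUTING SNAT rule directly. The usual way around that is to match the MAC in the mangle PREROUTING chain and set a firewall mark, then let the SNAT rule select on the mark. The generator below is an added example, not the answerer's rules; the MAC addresses, the 203.0.113.x public addresses, the interface names (eth1 LAN, eth0 uplink) and the function names are constructed for it.

```python
"""Added example, not the answerer's rules: per-host public source addresses.
`-m mac` is only accepted in the PREROUTING, INPUT and FORWARD chains, so the MAC is
matched in mangle PREROUTING and turned into a firewall mark; the nat POSTROUTING SNAT
then selects on that mark. MACs and 203.0.113.x addresses below are constructed."""
import ipaddress
import re
import shlex
import subprocess
import sys

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def egress_rules(lan_if, wan_if, lan_net, mapping, default_ip=None):
    """Commands (argv lists) for {mac: public_ip}. Marks are 1..n in sorted MAC order so
    re-running is deterministic; default_ip, if given, catches LAN hosts not listed."""
    net = ipaddress.ip_network(lan_net)
    cmds = [["sysctl", "-w", "net.ipv4.ip_forward=1"]]
    for mark, (mac, ip) in enumerate(sorted(mapping.items()), start=1):
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC address: {mac}")
        public = ipaddress.ip_address(ip)
        if public in net:
            raise ValueError(f"{public} is on the LAN, not a public address")
        # The mark is set on the first packet of each connection, which is the only packet
        # the nat table ever looks at, so the SNAT choice sticks for the whole connection.
        cmds.append(["iptables", "-t", "mangle", "-A", "PREROUTING", "-i", lan_if, "-s", str(net),
                     "-m", "mac", "--mac-source", mac, "-j", "MARK", "--set-mark", str(mark)])
        cmds.append(["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", wan_if,
                     "-m", "mark", "--mark", str(mark), "-j", "SNAT", "--to-source", str(public)])
    if default_ip is not None:  # must come after the per-mark rules: first match wins
        cmds.append(["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", str(net), "-o", wan_if,
                     "-j", "SNAT", "--to-source", str(ipaddress.ip_address(default_ip))])
    cmds.append(["iptables", "-A", "FORWARD", "-i", lan_if, "-o", wan_if, "-s", str(net), "-j", "ACCEPT"])
    cmds.append(["iptables", "-A", "FORWARD", "-i", wan_if, "-o", lan_if,
                 "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"])
    return cmds


def render(cmds):
    """The commands as a shell transcript, for review before applying."""
    return "\n".join(shlex.join(c) for c in cmds)


if __name__ == "__main__":
    # Constructed mapping; every public address used here must already be configured on
    # the uplink interface, or the box will not answer ARP for it and replies never arrive.
    cmds = egress_rules("eth1", "eth0", "192.168.0.0/24",
                        {"02:00:00:00:04:00": "203.0.113.157", "02:00:00:00:05:00": "203.0.113.158"},
                        default_ip="203.0.113.1")
    if "--apply" in sys.argv:  # needs root; without the flag the commands are only printed
        for c in cmds:
            subprocess.run(c, check=True)
    else:
        print(render(cmds))
```

Review the printed commands, then run with `--apply`. Because connection tracking remembers the SNAT decision, changing a host's mapping only affects new connections; flush the conntrack entries for that host if the change has to take effect immediately.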
What's the router hardware and software version?
Are you trying to do this with a Linux box? Stop now and go get a router. It will save you money long-term.
Answering this question with the little information you gave amounts to rewriting a routing HOWTO here. You could either
read about routing and IP in general (e.g. the Linux System Administrator's Guide) or
give us more info on the exact IP addresses you got.
The above answer using NAT is definitely not what you intend to use when you have public IP addresses. This solution is not going to scale well.
