  1. #1 (Just Joined!, joined Oct 2009, 2 posts)

    SNAT to multiple source IP addresses


    Hi,

    I am trying to set up a router with CentOS 5.3 (up to date) in the following scenario:

    The box has two physical ethernet interfaces, one - eth1 - connected to the internal network and the other - eth0 - connected to the Internet gateway network.

    There are two internal subnets, 10.0.0.0/24 and 10.0.1.0/24.

    There are four routable IP addresses assigned to the external interface, let's say 1.2.3.4, 1.2.3.5, 1.2.3.6, 1.2.3.7.

    The Internet gateway would have the IP address 1.2.3.8.

    The netmask for the external IP subnet is 255.255.255.240 (/28 prefix).

    The router should do the following:

    - one machine from the 10.0.0.0/24 subnet, let's say 10.0.0.2, should be ALWAYS SNATed to 1.2.3.4
    - the rest of the 10.0.0.0/24 subnet should be ALWAYS SNATed to 1.2.3.5
    - one machine from the 10.0.1.0/24 subnet, let's say 10.0.1.2, should be ALWAYS SNATed to 1.2.3.6
    - the rest of the 10.0.1.0/24 subnet should be ALWAYS SNATed to 1.2.3.7

    In order to do this I have set up the router as follows:

    Forwarding is activated by sysctl.conf.

    First method:

    - the internal interface has the initial address 10.0.0.1 with netmask 255.255.255.0 assigned through ifcfg-eth1

    - the external interface has the initial address 1.2.3.4 with netmask 255.255.255.240 assigned through ifcfg-eth0

    - the Internet gateway is 1.2.3.8 defined in /etc/sysconfig/network

    now I do the following:

    ip addr add 10.0.1.1/24 dev eth1 brd +
    ip addr add 1.2.3.5/28 dev eth0 brd +
    ip addr add 1.2.3.6/28 dev eth0 brd +
    ip addr add 1.2.3.7/28 dev eth0 brd +

    /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.2/32 -o eth0 -j SNAT --to 1.2.3.4
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to 1.2.3.5
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.1.2/32 -o eth0 -j SNAT --to 1.2.3.6
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j SNAT --to 1.2.3.7

    Second method:

    I set the interfaces eth0 and eth1 not to start at boot time and I set it all up manually:

    ip addr add 1.2.3.4/28 dev eth0
    ip addr add 1.2.3.5/28 dev eth0
    ip addr add 1.2.3.6/28 dev eth0
    ip addr add 1.2.3.7/28 dev eth0

    ip link set eth0 up

    ip addr add 10.0.1.1/24 dev eth1

    ip link set eth1 up

    !!! I even tried the above with /32 instead of the correct subnet prefix.

    /sbin/route add -net 10.0.0.0/24 dev eth1
    /sbin/route add -net 10.0.1.0/24 dev eth1
    /sbin/route add -net 1.2.3.0/28 dev eth0
    /sbin/route add default gw 1.2.3.8 dev eth0

    /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.2/32 -o eth0 -j SNAT --to 1.2.3.4
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to 1.2.3.5
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.1.2/32 -o eth0 -j SNAT --to 1.2.3.6
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j SNAT --to 1.2.3.7

    In either setup there is the strange behaviour:

    The NAT works as intended for a couple of minutes and then one or more SNAT rules don't seem to work anymore - their corresponding internal machines don't even see the main Internet gateway 1.2.3.8 anymore.

    or

    A couple of the NAT rules work as intended with no breakdown, but the others don't work from the start; their corresponding internal machines don't even see the main Internet gateway 1.2.3.8 from the start.

    Maybe I am missing something... I can't figure out why this doesn't work.

    Any ideas?

    Thanks
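The POSTROUTING chain is evaluated top to bottom and the first matching SNAT rule terminates the walk, so a /32 rule that is listed after a covering /24 rule would never fire. The following script is an added example, not code from the thread: it takes the four rules from the post as data, renders them as iptables commands, audits the chain for shadowed rules, and simulates which translation a given internal host would receive. The rules as posted are already in the right order, so the audit comes back clean for them; the test also shows what it reports when the /24 rules are listed first. The host addresses fed to the simulation are constructed.

```python
# Added example: audit the order of the POSTROUTING SNAT rules from the post.
# iptables stops at the first matching terminating target, so a rule whose source
# network is fully covered by an earlier rule on the same interface can never match.
import ipaddress

# (source network, outgoing interface, SNAT address) in chain order, copied from the post
RULES = [
    ("10.0.0.2/32", "eth0", "1.2.3.4"),
    ("10.0.0.0/24", "eth0", "1.2.3.5"),
    ("10.0.1.2/32", "eth0", "1.2.3.6"),
    ("10.0.1.0/24", "eth0", "1.2.3.7"),
]


def render_rules(rules=RULES):
    """Render the chain as iptables commands, in the order they will be evaluated."""
    return [
        f"/sbin/iptables -t nat -A POSTROUTING -s {src} -o {oif} -j SNAT --to {to}"
        for src, oif, to in rules
    ]


def shadowed_rules(rules=RULES):
    """Return (index, shadowed_by) pairs for rules that can never match because an
    earlier rule on the same interface already covers their whole source network."""
    nets = [(ipaddress.ip_network(src), oif) for src, oif, _ in rules]
    found = []
    for i, (net, oif) in enumerate(nets):
        for j in range(i):
            earlier_net, earlier_oif = nets[j]
            if earlier_oif == oif and net.subnet_of(earlier_net):
                found.append((i, j))
                break
    return found


def snat_for(src_ip, oif="eth0", rules=RULES):
    """Simulate first-match: the SNAT address a packet from src_ip leaving oif gets."""
    ip = ipaddress.ip_address(src_ip)
    for src, rule_oif, to in rules:
        if rule_oif == oif and ip in ipaddress.ip_network(src):
            return to
    # No rule matched: the packet would leave eth0 with its private source untouched.
    return None


if __name__ == "__main__":
    print("\n".join(render_rules()))
    print("shadowed rules:", shadowed_rules())
    # constructed sample hosts: one from each special case and one stray address
    for host in ("10.0.0.2", "10.0.0.50", "10.0.1.2", "10.0.1.9", "192.168.5.5"):
        print(host, "->", snat_for(host))
```

On the router itself, `iptables -t nat -L POSTROUTING -v -n --line-numbers` shows per-rule packet and byte counters, which is the quickest way to confirm that the rule you expect is the one actually matching; a rule with a stuck counter while traffic is flowing is the live equivalent of what `shadowed_rules` reports offline.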

  2. #2 Freston (Linux Engineer, The Netherlands, joined Mar 2007, 1,049 posts)
    Welcome to the forums!

    One thing I think, but I may have understood you wrong, is this:
    Quote (originally posted by tibix):
    The NAT works as intended for a couple of minutes and then one or more SNAT rules don't seem to work anymore - their corresponding internal machines don't even see the main Internet gateway 1.2.3.8 anymore.
    Shouldn't the clients have the address of the server's eth1 (the LAN interface) as gateway, rather than the server's eth0 (the WAN interface)?

    Another thing I'd try is logging traffic to see where it stops working:
    Code:
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.2/32 -o eth0 -j LOG --log-prefix 'rule 1 '
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.2/32 -o eth0 -j SNAT --to 1.2.3.4
    
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j LOG --log-prefix 'rule 2 '
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to 1.2.3.5
    
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.1.2/32 -o eth0 -j LOG --log-prefix 'rule 3 '
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.1.2/32 -o eth0 -j SNAT --to 1.2.3.6
    
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j LOG --log-prefix 'rule 4 '
    /sbin/iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j SNAT --to 1.2.3.7
    Can't tell an OS by its GUI
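The LOG rules above write one line per match to the kernel log, which on CentOS lands in /var/log/messages. Two things are worth knowing when reading them: the nat table only sees the first packet of each connection, so each line is a new connection rather than every packet; and because each LOG rule sits directly before the SNAT rule with the same match, the logged SRC is the pre-NAT address. The script below is an added example, not part of the thread: it parses such lines, counts new connections per rule prefix, and flags any line whose source should have been caught by an earlier, more specific rule. The sample log lines are constructed in the LOG target's format (destinations from the 203.0.113.0/24 documentation range); the third line is deliberately one that a correctly ordered chain would never produce, to show what the check reports.

```python
# Added example: summarise the 'rule N ' LOG lines from the chain above and flag
# entries that contradict the expected rule order. Sample log is constructed.
import ipaddress
import re

# Log prefix and the source network the matching rule selects on, in chain order
CHAIN = [
    ("rule 1", "10.0.0.2/32"),
    ("rule 2", "10.0.0.0/24"),
    ("rule 3", "10.0.1.2/32"),
    ("rule 4", "10.0.1.0/24"),
]

# Constructed sample lines in the format the LOG target writes via syslog.
# Line 3 (rule 2 logging SRC=10.0.0.2) is an anomaly: rule 1 should have taken it.
SAMPLE_LOG = """\
Oct 20 10:01:02 router kernel: rule 1 IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 10:01:05 router kernel: rule 2 IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 10:01:09 router kernel: rule 2 IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=203.0.113.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 10:01:12 router kernel: rule 4 IN=eth1 OUT=eth0 SRC=10.0.1.30 DST=203.0.113.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Oct 20 10:01:15 router kernel: eth0: link is up
Oct 20 10:01:20 router kernel: rule 3 IN=eth1 OUT=eth0 SRC=10.0.1.2 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=UDP SPT=5353 DPT=53 LEN=40
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>rule \d+) (?P<fields>.*)$")


def parse_log(text):
    """Yield (prefix, fields) for each LOG line; unrelated kernel lines are skipped.
    Flag-only tokens such as DF and SYN carry no '=' and are dropped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        yield m.group("prefix"), fields


def summarise(text=SAMPLE_LOG):
    """Count new connections per rule and collect the distinct pre-NAT sources each saw."""
    counts, sources = {}, {}
    for prefix, f in parse_log(text):
        counts[prefix] = counts.get(prefix, 0) + 1
        sources.setdefault(prefix, set()).add(f["SRC"])
    return counts, sources


def misattributed(text=SAMPLE_LOG, chain=CHAIN):
    """Return (logged prefix, SRC, expected prefix) for lines logged by a rule other
    than the first rule in chain order that matches their source. Such lines mean
    the running chain is not ordered the way the post shows it."""
    bad = []
    for prefix, f in parse_log(text):
        src = ipaddress.ip_address(f["SRC"])
        expected = next((p for p, net in chain if src in ipaddress.ip_network(net)), None)
        if expected != prefix:
            bad.append((prefix, f["SRC"], expected))
    return bad


if __name__ == "__main__":
    counts, sources = summarise()
    for prefix in sorted(counts):
        print(prefix, counts[prefix], "new connection(s) from", sorted(sources[prefix]))
    print("misattributed:", misattributed())
```

If a rule's prefix never appears at all while its hosts are generating traffic, the packets are not reaching POSTROUTING on eth0 in the first place, which points at routing or the clients' gateway setting rather than at the SNAT rules.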

  3. #3 (Just Joined!, joined Oct 2009, 2 posts)
    Hi,

    The internal machines are set up with the LAN router's IPs as gateway, i.e. 10.0.0.0/24 machines have 10.0.0.1 as gateway.

    I did try logging but nothing I could use came up.

    Thanks for your help
