  1. #1
    Just Joined!
    Join Date
    Jun 2013
    Posts
    2

    iptables SNAT on eth0 is NAT-ing my virtual networks


    Hello everyone, it would be great if anyone could help me out here.

    I am working as a network admin at a company.

    I have only one network, no subnetworks.

    I have server A (eth0 172.16.0.1/24, eth0:1 172.16.10.1/24)
    and server B (eth0 172.16.0.2/24, eth0:1 172.16.10.2/24).

    Server A is acting as a gateway, but does not have an external interface; the real router is on the same 172.16.0.0 network.

    Since it is company policy that only physical computers go out through the real gateway, I had server A act as a gateway for the virtual ones.

    On server A, iptables is acting as the gate.

    This is fine and all Vservers can go out now.

    On server A the iptables rule is:
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 172.16.0.1

    Now, on a virtual server (B), if I remove the IP of eth0 but leave eth0:1, and have no route to server A (or no route through A's eth0:1), then server A cannot communicate with server B through eth0:1.
    Server B can still ping/ssh to A's eth0:1.

    If I remove the NAT rule, then server A can ping/ssh server B through eth0:1.
    Also, if I put MASQUERADE instead of SNAT, the ping goes OK, and ssh too.

    If I tcpdump on server B while I ssh from A to B,
    I see:

    15:02:16.871276 IP 172.16.0.1.53039 > 172.16.10.8.22: S 3918067363:3918067363(0) win 5840 <mss 1460,sackOK,timestamp 61061769 0,nop,wscale 7>

    So server A goes out with 172.16.0.1 instead of 172.16.10.1 and reaches server B at 172.16.10.8.

    The problem goes away if I use different physical interfaces.

    I think iptables sees that 172.16.10.1 is on the same interface as eth0 and thinks it must be routed, but why does it route local sub-interfaces?

  2. #2
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    IPTABLES knows nothing about sub interfaces. Everything passing in and out of your box must travel over eth0.
    This is why you see what you see.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
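The rule in post #1 matches on the output interface only, so any packet that leaves eth0, including A's own SSH to B on the directly attached 172.16.10.0/24, has its source rewritten to 172.16.0.1. With eth0's 172.16.0.2 removed, B has no route back to 172.16.0.1, so the SYN-ACK for the SYN seen in the tcpdump never gets delivered. MASQUERADE behaves differently because it does not take a fixed address: it uses the address the routing table already selects for the destination, which for 172.16.10.x is 172.16.10.1, so B can answer. The script below is an added example and is not from the thread; it keeps the original rule only for comparison and shows the scoped replacement, which rewrites just traffic that originates in the virtual subnet and leaves it. The interface, addresses and subnets are the ones from the post; the DRY_RUN switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original thread. Scopes server A's SNAT so it
# only rewrites packets that come from the virtual subnet and are headed out of
# it. Assumptions (from the post): physical LAN 172.16.0.0/24 with A at
# 172.16.0.1, virtual servers in 172.16.10.0/24 on the eth0:1 alias.
set -eu

IFACE=eth0
PHYS_IP=172.16.0.1          # server A's address on the physical network
VIRT_NET=172.16.10.0/24     # subnet the virtual servers use (eth0:1)

# DRY_RUN=1 prints each command instead of running it, so the ruleset can be
# reviewed without root and without touching a live gateway.
run() {
    if [ "${DRY_RUN:-}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The rule from the post, kept for comparison only. It matches on the output
# interface alone, so A's own packets to 172.16.10.x are rewritten as well.
broken_snat_rule() {
    run iptables -t nat -A POSTROUTING -o "$IFACE" \
        -j SNAT --to-source "$PHYS_IP"
}

# Scoped rule: only packets from the virtual subnet that are leaving it get a
# new source. A's traffic to B keeps 172.16.10.1, and A's own traffic on the
# physical LAN is not touched either.
fixed_snat_rule() {
    run iptables -t nat -A POSTROUTING -o "$IFACE" \
        -s "$VIRT_NET" ! -d "$VIRT_NET" \
        -j SNAT --to-source "$PHYS_IP"
}

# Forwarding is what makes A a gateway. Limit it to the virtual subnet so the
# only hosts that can route through A (and hide behind 172.16.0.1) are the
# virtual servers the policy allows.
forward_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$IFACE" -s "$VIRT_NET" ! -d "$VIRT_NET" -j ACCEPT
    run iptables -A FORWARD -o "$IFACE" -d "$VIRT_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j DROP
}

apply_gateway_rules() {
    forward_rules
    fixed_snat_rule
}

# After applying, the SNAT rule's packet counter should stay at zero while you
# ssh from A to B, and the route lookup should report src 172.16.10.1 for B.
verify_hints() {
    run iptables -t nat -vnL POSTROUTING
    run ip route get 172.16.10.2
}

if [ "${1:-}" = apply ]; then
    apply_gateway_rules
    verify_hints
fi
```

Run `DRY_RUN=1 sh gateway.sh apply` first to read the commands, then as root without DRY_RUN on server A. Because A has a single NIC, the FORWARD rules see eth0 as both input and output interface; the `-s`/`-d` matches, not the interface, are what separate virtual-server traffic from everything else.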

  3. #3
    Just Joined!
    Join Date
    Jun 2013
    Posts
    2
    Quote Originally Posted by Lazydog View Post
    IPTABLES knows nothing about sub interfaces. Everything passing in and out of your box must travel over eth0.
    This is why you see what you see.
    I agree, since MASQUERADE is not an iptables module.
    But thanks for answering anyway

  4. #4
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    What are you talking about?

    Regards
    Robert

