This is a discussion on iptables and nat within the Linux Networking forums, part of the Linux Forums category.

Hello all,

I have a problem with iptables and NAT. All I need to do is not NAT packets where the destination address is 192.168.2.0/25 and 192.168.59.0/24 and 192.168.3.0/24.

This is a fragment of my iptables script:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.10.10.2
iptables -t nat -A POSTROUTING -d ! 192.168.2.0/24 -o eth0 -j SNAT --to 10.10.10.2
iptables -t nat -A POSTROUTING -d ! 192.168.59.0/24 -o eth0 -j SNAT --to 10.10.10.2
iptables -t nat -A POSTROUTING -d ! 192.168.3.0/24 -o eth0 -j SNAT --to 10.10.10.2

In my opinion every packet sent to 192.168.2.x or 192.168.3.x or 192.168.59.x shouldn't be NATed.

What is wrong with this?

Thx,
Marcin Giedz

Marcin Giedz wrote:
>
> I have problem with iptable and nat. All I need to do is not nat packets
> where destination address is 192.168.2.0/25 and 192.168.59.0/24 and
> 192.168.3.0./24
>
> This is a fragment of my iptables script
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.10.10.2
> iptables -t nat -A POSTROUTING -d ! 192.168.2.0/24 -o eth0 -j SNAT --to 10.10.10.2
> iptables -t nat -A POSTROUTING -d ! 192.168.59.0/24 -o eth0 -j SNAT --to 10.10.10.2
> iptables -t nat -A POSTROUTING -d ! 192.168.3.0/24 -o eth0 -j SNAT --to 10.10.10.2

First, you're NATing all traffic where the destination is not 192.168.2.0/24. Then you're doing the same for 192.168.59.0/24 and 192.168.3.0/24. In other words, no matter what the destination IP is, a packet is bound to match at least two of those rules.

KR wrote:
> Marcin Giedz wrote:
>>
>> I have problem with iptable and nat. All I need to do is not nat packets
>> where destination address is 192.168.2.0/25 and 192.168.59.0/24 and
>> 192.168.3.0./24
>>
>> This is a fragment of my iptables script
>> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.10.10.2
>> iptables -t nat -A POSTROUTING -d ! 192.168.2.0/24 -o eth0 -j SNAT --to 10.10.10.2
>> iptables -t nat -A POSTROUTING -d ! 192.168.59.0/24 -o eth0 -j SNAT --to 10.10.10.2
>> iptables -t nat -A POSTROUTING -d ! 192.168.3.0/24 -o eth0 -j SNAT --to 10.10.10.2
>
> First, you're NATing all traffic where the destination is not
> 192.168.2.0/24. Then you're doing the same for 192.168.59.0/24 and
> 192.168.3.0/24. In other words, no matter what the destination IP is, a
> packet is bound to match at least two of those rules.

So how do I write rules to not NAT these subnets?

Marcin

Marcin Giedz wrote:
> KR wrote:
>
>> Marcin Giedz wrote:
>>>
>>> I have problem with iptable and nat. All I need to do is not nat packets
>>> where destination address is 192.168.2.0/25 and 192.168.59.0/24 and
>>> 192.168.3.0./24
>>>
>>> This is a fragment of my iptables script
>>> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.10.10.2
>>> iptables -t nat -A POSTROUTING -d ! 192.168.2.0/24 -o eth0 -j SNAT --to 10.10.10.2
>>> iptables -t nat -A POSTROUTING -d ! 192.168.59.0/24 -o eth0 -j SNAT --to 10.10.10.2
>>> iptables -t nat -A POSTROUTING -d ! 192.168.3.0/24 -o eth0 -j SNAT --to 10.10.10.2
>>
>> First, you're NATing all traffic where the destination is not
>> 192.168.2.0/24. Then you're doing the same for 192.168.59.0/24 and
>> 192.168.3.0/24. In other words, no matter what the destination IP is, a
>> packet is bound to match at least two of those rules.
>
> So how to write rules to not NATing these subnets?
>
> Marcin

Try this:

iptables -t nat -A POSTROUTING -d 192.168.2.0/24 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -d 192.168.59.0/24 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -d 192.168.3.0/24 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.10.10.2

Kimmo

Marcin Giedz wrote:
> Hello all,
>
> I have problem with iptable and nat. All I need to do is not nat packets
> where destination address is 192.168.2.0/25 and 192.168.59.0/24 and
> 192.168.3.0./24
>
> This is a fragment of my iptables script
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.10.10.2
> iptables -t nat -A POSTROUTING -d ! 192.168.2.0/24 -o eth0 -j SNAT --to 10.10.10.2
> iptables -t nat -A POSTROUTING -d ! 192.168.59.0/24 -o eth0 -j SNAT --to 10.10.10.2
> iptables -t nat -A POSTROUTING -d ! 192.168.3.0/24 -o eth0 -j SNAT --to 10.10.10.2
>
> In my opinion every packets sent to 192.168.2.x or 192.168.3.x or
> 192.168.59.x shouldn't be nat.
>
> What is wrong with this?

This is a conceptual error. I'm not going to go in-depth, which obviously I should do here, but I'll have to add that later.

Firstly, please note that the order of the rules is significant. So if You decide on the outgoing interface eth0, Your first rule here will catch off all packets from the other rules. They will never be seen by the packets in question.

Then, You're addressing the problem from the wrong direction: Firstly, filter out the packets that You want to leave untouched, like so:

iptables -t nat -A POSTROUTING -d 192.168.2.0/24 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -d 192.168.3.0/24 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -d 192.168.59.0/24 -o eth0 -j ACCEPT

, and then, insert Your "catch-all" rule:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.10.10.2

You're not telling us anything about the environment these rules live in, but perhaps You might want to MASQUERADE instead of SNAT.

Cheers,
Jack.

--
My personal reading of the string "MicroSoft" expands to "NanoWeak"...
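A small model of the first-match behaviour the replies describe, added here as an illustration and not code from anyone in the thread: it walks both rule orders against sample destinations using the nat-table semantics that both SNAT and ACCEPT stop chain traversal. The subnets and the 10.10.10.2 address come from the posts; the helper names are my own.

```python
import ipaddress

# Model of one nat-table POSTROUTING rule: -o iface, optional -d net, "!" flag, target, --to-source
def rule(out_iface, target, dst=None, negate=False, to_source=None):
    return {"o": out_iface, "dst": dst, "neg": negate, "target": target, "to": to_source}

def rule_matches(r, dst_ip, out_iface):
    """-o and -d matching; the '-d ! net' form from the original post inverts the net test."""
    if out_iface != r["o"]:
        return False
    if r["dst"] is None:
        return True
    in_net = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(r["dst"])
    return not in_net if r["neg"] else in_net

def matching_rules(rules, dst_ip, out_iface="eth0"):
    """Every rule the packet would match if the chain did not stop at the first hit."""
    return [i for i, r in enumerate(rules) if rule_matches(r, dst_ip, out_iface)]

def postrouting(rules, dst_ip, out_iface="eth0"):
    """Netfilter semantics: the first matching rule decides; in the nat table SNAT and ACCEPT
    both terminate the chain, ACCEPT meaning 'leave un-NATed'. Returns (rule index, new source)."""
    for i, r in enumerate(rules):
        if rule_matches(r, dst_ip, out_iface):
            return i, (r["to"] if r["target"] == "SNAT" else None)
    return None, None  # fell through: chain policy ACCEPT, no NAT either

def snat_source(rules, dst_ip, out_iface="eth0"):
    return postrouting(rules, dst_ip, out_iface)[1]

# Marcin's original order: rule 0 already matches every packet leaving eth0
ORIGINAL = [
    rule("eth0", "SNAT", to_source="10.10.10.2"),
    rule("eth0", "SNAT", dst="192.168.2.0/24", negate=True, to_source="10.10.10.2"),
    rule("eth0", "SNAT", dst="192.168.59.0/24", negate=True, to_source="10.10.10.2"),
    rule("eth0", "SNAT", dst="192.168.3.0/24", negate=True, to_source="10.10.10.2"),
]

# The order Kimmo and Jack suggest: exempt the three subnets first, catch-all last
FIXED = [
    rule("eth0", "ACCEPT", dst="192.168.2.0/24"),
    rule("eth0", "ACCEPT", dst="192.168.59.0/24"),
    rule("eth0", "ACCEPT", dst="192.168.3.0/24"),
    rule("eth0", "SNAT", to_source="10.10.10.2"),
]

if __name__ == "__main__":
    for ip in ("192.168.2.10", "192.168.59.7", "192.168.3.200", "8.8.8.8"):
        print(ip, "original ->", snat_source(ORIGINAL, ip), "| fixed ->", snat_source(FIXED, ip))
```

The same first-match rule is why a real chain should be checked with iptables -t nat -L POSTROUTING -v -n after loading: the packet counters on the exemption rules show whether the local subnets are actually hitting them before the catch-all.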