
SNAT out same interface packets come in

I have a setup which is confusing me regarding SNAT.

Basically the network looks like:

------------
| Firewall |
------------
      |
      |
 ----------
 | Router |-------------> Internet
 ----------
     |||
     |||
------------------------------------------
| Customers on 192.168.17.0/24 addresses |
------------------------------------------

Customers trying to connect to services on the internet send traffic to
the router which forwards it to the firewall box.  The firewall box then
needs to NAT these packets and send them back out the same interface to
the router.  The router then will send these packets (now with source
address of the firewall) out to the internet.

How do you do this?  Is it possible?

I was thinking having a POSTROUTING rule like:
$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.17.0/24 \
    -j SNAT --to-source $INET_IPADDR

And then two FORWARD rules like:
$IPTABLES -A FORWARD -i eth0 -o eth0 -s 192.168.17.0/24 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth0 -d 192.168.17.0/24 -j ACCEPT

Notice that the in interface and the out interface are both eth0.  I am
confused about this.  Can you even have a rule on the FORWARD chain
which goes in and out the same interface?

If anyone can enlighten me I would be grateful.

Regards.
Mark.
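One way to wire up the hairpin NAT described in the post, as an added example that is not from the original message: a POSIX sh script that emits the sysctl and iptables commands (by default it only prints them; set IPT=iptables and SYSCTL=sysctl in the environment to apply). The interface name eth0, the variable names and the address 198.51.100.10 (an RFC 5737 documentation address) are assumptions; the return-traffic rule is narrowed to ESTABLISHED,RELATED instead of accepting everything addressed to the customer range.

```shell
#!/bin/sh
# Hairpin SNAT on a firewall with a single interface facing the router.
# Added example, not the poster's own configuration; names are assumptions.
set -eu

IPT="${IPT:-echo iptables}"      # IPT=iptables to apply for real
SYSCTL="${SYSCTL:-echo sysctl}"  # SYSCTL=sysctl to apply for real
IFACE="${IFACE:-eth0}"           # the only interface: it faces the router
CUSTOMERS="${CUSTOMERS:-192.168.17.0/24}"
INET_IPADDR="${INET_IPADDR:-198.51.100.10}"   # constructed public address

hairpin_nat_rules() {
    # 1. The box must route. It must also stop sending ICMP redirects:
    #    forwarding a packet back out the interface it arrived on makes the
    #    kernel tell the router "send these directly", which would let
    #    customer traffic bypass the firewall and its NAT entirely.
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w net.ipv4.conf.all.send_redirects=0
    $SYSCTL -w net.ipv4.conf."$IFACE".send_redirects=0

    # 2. Rewrite the source of customer traffic leaving towards the router.
    #    POSTROUTING only sees the outgoing interface, so "same interface
    #    as it came in on" is irrelevant here.
    $IPT -t nat -A POSTROUTING -o "$IFACE" -s "$CUSTOMERS" \
        -j SNAT --to-source "$INET_IPADDR"

    # 3. FORWARD may legitimately match -i and -o on the same interface;
    #    that is exactly what a hairpin forward looks like to netfilter.
    #    Outbound: customer flows towards the internet.
    $IPT -A FORWARD -i "$IFACE" -o "$IFACE" -s "$CUSTOMERS" -j ACCEPT
    #    Inbound: replies are un-NATed by conntrack before FORWARD, so
    #    only admit packets belonging to a flow conntrack already knows.
    $IPT -A FORWARD -i "$IFACE" -o "$IFACE" -d "$CUSTOMERS" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. Anything else trying to transit the box is dropped.
    $IPT -P FORWARD DROP
}

hairpin_nat_rules
```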
