[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

SNAT does wrong port mapping?


I have a host with two ethernet addresses A and B. From another host I 
try to connect to B over the interface from A to make snmp queries:
        ------         ------
        client ------- A    B---
        ------        ------
Not the packets successfully are forwarded from the A interface to the B 
interface. The snmpd creates a reply packet but this then originates from
the address of interface A! This is a problem for me because my Firewall
doesn't find an established/related connection in it's conntrack table for

I tried to SNAT the outgoing packets with:
   iptables -t nat -A POSTROUTING -p udp --sport 161 -j SNAT --to-source
but then either the srcport is changed to an arbitrary value causing the
firewall to block the packet or, if I write "--to", there's
no packet send, although the POSTROUTING rule count increases and 
/proc/net/ip_conntrack shows a seemingly correct entry:
	udp      17 29 src= dst= sport=51558
	dport=161 [UNREPLIED] src= dst= sport=161 
	dport=51558 use=1 

Does anybody have a clue about this?

My goal was a host with many IPs (a router) which can be accessed by only
one IP that is independend from any real interface connection and that
makes connection with only this very same IP (important for ACLs on other


To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: