
Re: firewall rules for NAT



On 30/06/2017 at 00:38, Igor Cicimov wrote:
On 29 Jun 2017 6:32 pm, "Lucio Crusca" <lucio@sulweb.org> wrote:

On 27/06/2017 at 23:35, Pascal Hambourg wrote:

On 27/06/2017 at 13:29, Lucio Crusca wrote:

-A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT
--to-source 10.7.33.100

If this rule is required, then your routing setup is wrong.

Thank you very much, that was the problem. My VMs were using the host
system as gateway instead of the router VM.

OK, not sure though how that changes anything. As you said, the email VM
was receiving traffic with the IP of the router VM as source, and since they
are both on the same LAN and connected to the same bridge I don't see how
the default gateway can make any difference? The return traffic was already
going through the router VM, hence the need for the SNAT rule on it.

Stateful NAT requires symmetric routing, i.e. reply packets go through the router that did the NAT operations on original packets and keeps the state for these NAT operations.

With the host as gateway and without the SNAT rule, routing is asymmetric:
client -> router VM (DNAT) -> server VM
server VM -> host -> client

Reply traffic cannot be un-DNATed and communication fails.
The SNAT rule is a way to force reply traffic through the router VM, making the routing symmetric:
client -> router VM (DNAT+SNAT) -> server VM
server VM -> router VM (un-DNAT+un-SNAT) -> client

Making the router VM the default gateway for the server VM also makes routing symmetric without the need for SNAT:
client -> router VM (DNAT) -> server VM
server VM -> router VM (un-DNAT) -> client
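The two configurations Pascal contrasts, written out as commands. This is an added example, not code from the thread: the LAN addresses 10.7.33.100 (router VM) and 10.7.33.109 (mail VM) come from the rule Lucio posted, while the router's external address 203.0.113.10 and the off-LAN client 198.51.100.7 are assumed placeholders from the documentation ranges. By default the functions only print the commands they would run; set IPT=iptables and IP=ip as root on the respective machine to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread.
# From the posted rule: router VM LAN side 10.7.33.100, mail VM 10.7.33.109.
# Assumed placeholders (not in the thread): router external address
# 203.0.113.10, an off-LAN client 198.51.100.7 used only for the route check.
# Commands are printed unless IPT=iptables / IP=ip are set in the environment.
IPT=${IPT:-echo iptables}
IP=${IP:-echo ip}

EXT_IP=203.0.113.10      # assumed
ROUTER_LAN=10.7.33.100   # from the thread
MAIL_VM=10.7.33.109      # from the thread
CLIENT=198.51.100.7      # assumed

# --- on the router VM ------------------------------------------------------

# Port-forward inbound SMTP to the mail VM. conntrack records the DNAT so the
# reply can be un-DNATed, but only if the reply passes back through this router.
router_dnat_smtp() {
    $IPT -t nat -A PREROUTING -d "$EXT_IP" -p tcp --dport 25 \
        -j DNAT --to-destination "$MAIL_VM"
}

# DNAT alone does not permit the flow; the filter table must forward it too.
router_forward_smtp() {
    $IPT -A FORWARD -d "$MAIL_VM" -p tcp --dport 25 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -s "$MAIL_VM" -p tcp --sport 25 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# The workaround Lucio had in place: hairpin SNAT. The mail VM then sees the
# router's LAN address as the client, so its replies reach the router even
# when its default gateway points elsewhere. Side effect: the mail server
# loses the real client address in its logs and in any IP-based policy.
router_hairpin_snat() {
    $IPT -t nat -A POSTROUTING -d "$MAIL_VM" -p tcp --dport 25 \
        -j SNAT --to-source "$ROUTER_LAN"
}

# --- on the mail VM ---------------------------------------------------------

# The fix from the thread: make the router VM the default gateway so replies
# return through the router that holds the NAT state. No SNAT is needed and
# the mail server sees the real client address.
mail_vm_default_route() {
    $IP route replace default via "$ROUTER_LAN"
}

# Check: the reply to an off-LAN client must leave via the router VM
# ("via 10.7.33.100" in the output when applied for real).
mail_vm_route_check() {
    $IP route get "$CLIENT"
}
```

Running `router_dnat_smtp` and `router_forward_smtp` on the router VM together with `mail_vm_default_route` on the mail VM gives the symmetric setup Pascal recommends; `router_hairpin_snat` is the workaround and should be dropped once the gateway is corrected, since it hides the client address from the mail server. Also note that the router needs `net.ipv4.ip_forward=1` for any of the forwarding to happen.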

