iptables SNAT question
Carsten Aulbert
carsten at welcomes-you.com
Fri Mar 30 07:03:20 UTC 2007
Hi there,
right now I have no idea what I am doing wrong here, maybe someone else
can help me here:
The setup (all boxes here are virtual Xen domains, but I don't think
that's an issue here):
Box "filter":
eth0 is on 10.0.0.1(/8), eth1 is on 192.168.9.14(/24)
Box can ping everything in both networks, and can contact the internet
via router at 192.168.9.1
Box "test":
eth0 is on 10.0.0.2(/8) and uses 10.0.0.1 as router
I'm using this minimal script to set up SNAT/masquerading:
#!/bin/sh
EXT_IP=192.168.9.14
EXT_IFACE=eth1
EXT_NET=192.168.9.0/24
INT_IP=10.0.0.1
INT_IFACE=eth0
INT_NET=10.0.0.0/8
# Load the NAT module (this pulls in all the others).
modprobe iptable_nat
modprobe ip_conntrack
# flush all
iptables -F
iptables -t nat -F POSTROUTING
#iptables -X block
# set default policies
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# SNAT for machines from internal network
# either of these rules does not work
#iptables -t nat -A POSTROUTING -s $INT_NET -o $EXT_IFACE -j SNAT --to-source $EXT_IP
iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE
iptables -A INPUT -j LOG --log-prefix "INPUT: "
iptables -A FORWARD -j LOG --log-prefix "FORWARD: "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT: "
iptables -t nat -I POSTROUTING -j LOG --log-prefix "POSTROUTING: "
# enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
---------------------------------------------------------
Running this, things do partially work; here is a log from a telnet
session to the webserver of an Ubuntu mirror:
Mar 29 11:55:27 filter kernel: [ 3089.907452] FORWARD: IN=eth0 OUT=eth1
SRC=10.0.0.2 DST=141.76.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9602 DF
PROTO=TCP SPT=3079 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 29 11:55:27 filter kernel: [ 3089.907472] POSTROUTING: IN= OUT=eth1
SRC=10.0.0.2 DST=141.76.2.3 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9602 DF
PROTO=TCP SPT=3079 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 29 11:55:27 filter kernel: [ 3089.932668] FORWARD: IN=eth1 OUT=eth0
SRC=141.76.2.3 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF
PROTO=TCP SPT=80 DPT=3079 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Mar 29 11:55:27 filter kernel: [ 3089.933483] FORWARD: IN=eth0 OUT=eth1
SRC=10.0.0.2 DST=141.76.2.3 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=9603 DF
PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK URGP=0
Mar 29 11:55:27 filter kernel: [ 3089.933509] FORWARD: IN=eth0 OUT=eth1
SRC=10.0.0.2 DST=141.76.2.3 LEN=195 TOS=0x00 PREC=0x00 TTL=63 ID=9604 DF
PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK PSH URGP=0
Mar 29 11:55:28 filter kernel: [ 3090.157241] FORWARD: IN=eth0 OUT=eth1
SRC=10.0.0.2 DST=141.76.2.3 LEN=195 TOS=0x00 PREC=0x00 TTL=63 ID=9605 DF
PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK PSH URGP=0
Mar 29 11:55:28 filter kernel: [ 3090.617251] FORWARD: IN=eth0 OUT=eth1
SRC=10.0.0.2 DST=141.76.2.3 LEN=195 TOS=0x00 PREC=0x00 TTL=63 ID=9606 DF
PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK PSH URGP=0
Mar 29 11:55:29 filter kernel: [ 3091.537249] FORWARD: IN=eth0 OUT=eth1
SRC=10.0.0.2 DST=141.76.2.3 LEN=195 TOS=0x00 PREC=0x00 TTL=63 ID=9607 DF
PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK PSH URGP=0
Mar 29 11:55:31 filter kernel: [ 3093.377272] FORWARD: IN=eth0 OUT=eth1
SRC=10.0.0.2 DST=141.76.2.3 LEN=195 TOS=0x00 PREC=0x00 TTL=63 ID=9608 DF
PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK PSH URGP=0
Mar 29 11:55:34 filter kernel: [ 3096.340936] FORWARD: IN=eth0 OUT=eth1
SRC=10.0.0.2 DST=141.76.2.3 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=9609 DF
PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK FIN URGP=0
Mar 29 11:55:34 filter kernel: [ 3096.366757] FORWARD: IN=eth1 OUT=eth0
SRC=141.76.2.3 DST=10.0.0.2 LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=64143 DF
PROTO=TCP SPT=80 DPT=3079 WINDOW=362 RES=0x00 ACK URGP=0
Mar 29 11:55:35 filter kernel: [ 3097.057235] FORWARD: IN=eth0 OUT=eth1
SRC=10.0.0.2 DST=141.76.2.3 LEN=195 TOS=0x00 PREC=0x00 TTL=63 ID=9610 DF
PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK PSH URGP=0
Mar 29 11:55:40 filter kernel: [ 3102.585819] INPUT: IN=eth1 OUT=
MAC=01:00:5e:00:00:01:00:04:0e:b0:38:48:08:00 SRC=192.168.9.1
DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=3390 DF PROTO=2
Mar 29 11:55:42 filter kernel: [ 3104.417339] FORWARD: IN=eth0 OUT=eth1
SRC=10.0.0.2 DST=141.76.2.3 LEN=195 TOS=0x00 PREC=0x00 TTL=63 ID=9611 DF
PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK PSH URGP=0
Mar 29 11:55:57 filter kernel: [ 3119.137298] FORWARD: IN=eth0 OUT=eth1
SRC=10.0.0.2 DST=141.76.2.3 LEN=195 TOS=0x00 PREC=0x00 TTL=63 ID=9612 DF
PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK PSH URGP=0
Mar 29 11:56:27 filter kernel: [ 3148.987359] FORWARD: IN=eth0 OUT=eth1
SRC=10.0.0.2 DST=141.76.2.3 LEN=195 TOS=0x00 PREC=0x00 TTL=63 ID=9613 DF
PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK PSH URGP=0
----------------------------------------------------------------------
I guess there is something obvious I'm missing here, but can anyone give
me a small pointer to it?
Thanks a lot
Carsten
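As an added example (not part of the post or the list), here is a small Python parser for netfilter LOG lines in the format shown above: it groups the FORWARD-chain TCP packets into flows, checks that the SYN went out and the SYN+ACK came back through the box (so the translation itself works in both directions), and flags equal-length PSH segments that are forwarded again and again with fresh IP IDs, which is the pattern the 195-byte lines in the log show. The sample lines are constructed in the same format with some fields abbreviated.

```python
import re
# Constructed sample lines in the netfilter LOG format the post shows (fields abbreviated).
SAMPLE_LOG = """\
Mar 29 11:55:27 filter kernel: [ 3089.907452] FORWARD: IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=141.76.2.3 LEN=60 TTL=63 ID=9602 DF PROTO=TCP SPT=3079 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 29 11:55:27 filter kernel: [ 3089.907472] POSTROUTING: IN= OUT=eth1 SRC=10.0.0.2 DST=141.76.2.3 LEN=60 TTL=63 ID=9602 DF PROTO=TCP SPT=3079 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 29 11:55:27 filter kernel: [ 3089.932668] FORWARD: IN=eth1 OUT=eth0 SRC=141.76.2.3 DST=10.0.0.2 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=3079 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Mar 29 11:55:27 filter kernel: [ 3089.933483] FORWARD: IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=141.76.2.3 LEN=52 TTL=63 ID=9603 DF PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK URGP=0
Mar 29 11:55:27 filter kernel: [ 3089.933509] FORWARD: IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=141.76.2.3 LEN=195 TTL=63 ID=9604 DF PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK PSH URGP=0
Mar 29 11:55:28 filter kernel: [ 3090.157241] FORWARD: IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=141.76.2.3 LEN=195 TTL=63 ID=9605 DF PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK PSH URGP=0
Mar 29 11:55:28 filter kernel: [ 3090.617251] FORWARD: IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=141.76.2.3 LEN=195 TTL=63 ID=9606 DF PROTO=TCP SPT=3079 DPT=80 WINDOW=2920 RES=0x00 ACK PSH URGP=0
"""
_HEAD = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[ *[\d.]+\] (?P<chain>[A-Z]+): (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
def parse_line(line):
    """One LOG line -> dict of KEY=value fields plus a 'flags' set; None if not a LOG line."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "chain": m["chain"], "flags": set()}
    for tok in m["rest"].split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val          # "IN=" gives '' for a packet the box generated itself
        else:
            rec["flags"].add(tok)   # bare tokens: DF and the TCP flag names
    return rec
def tcp_flows(text):
    flows = {}                      # (src, spt, dst, dpt) -> FORWARD-chain TCP packets, in log order
    for r in filter(None, map(parse_line, text.splitlines())):
        if r["chain"] == "FORWARD" and r.get("PROTO") == "TCP":
            flows.setdefault((r["SRC"], r["SPT"], r["DST"], r["DPT"]), []).append(r)
    return flows
def handshake_seen(flows, client, cport, server, sport):
    """True if the client's SYN was forwarded out and the server's SYN+ACK was forwarded back."""
    out = flows.get((client, cport, server, sport), [])
    back = flows.get((server, sport, client, cport), [])
    syn = any(p["flags"] & TCP_FLAGS == {"SYN"} for p in out)
    synack = any({"SYN", "ACK"} <= p["flags"] for p in back)
    return syn and synack
def retransmit_suspects(flows, min_repeats=3):
    """Same-length PSH segments sent min_repeats times with distinct IP IDs: retransmissions, not log dupes."""
    hits = {}
    for key, pkts in flows.items():
        ids_by_len = {}
        for p in pkts:
            if "PSH" in p["flags"]:
                ids_by_len.setdefault(p["LEN"], set()).add(p["ID"])
        hits.update({key + (n,): len(i) for n, i in ids_by_len.items() if len(i) >= min_repeats})
    return hits
```

Feed it the full log from the post (or `journalctl -k` output on a current system) and a flow that completes the handshake but keeps repeating the same data segment points away from the NAT rule and towards whatever is dropping the larger packets.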