[CentOS] SNAT question

Tait Clarridge tait at clarridge.ca
Wed Nov 25 23:17:11 UTC 2009

On Thu, 2009-11-26 at 00:58 +0200, Peter Peltonen wrote:
> On Mon, Nov 23, 2009 at 4:31 PM, Peter Peltonen
> <peter.peltonen at gmail.com> wrote:
> > Hi,
> >
> > On Mon, Nov 23, 2009 at 4:15 PM, Giovanni Tirloni <tirloni at gmail.com> wrote:
> >> On Mon, Nov 23, 2009 at 12:10 PM, Peter Peltonen
> >> <peter.peltonen at gmail.com> wrote:
> >>> Hi,
> >>>
> >>> I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
> >>>
> >>> I have the following setup:
> >>>
> >>> eth0: connects to internet with static public IP (obscured
> >>> here for privacy)
> >>> eth1: connects to DMZ with static public IP (obscured here for privacy)
> >>> eth2: connects to LAN with static private IP
> >>>
> >>> Traffic to hosts in the DMZ/Internet through eth0/1 work fine.
> >>>
> >>> I tried masquerading the LAN with following:
> >>>
> >>> iptables -A FORWARD -i eth2 -j ACCEPT
> >>> iptables -A FORWARD -o eth2 -j ACCEPT
> >>> iptables -A POSTROUTING -t nat -s -o eth0 -j SNAT
> >>> --to-source
> >>>
> >>> After this I can ssh to a server in the Internet from the LAN using
> >>> the server's IP address but not its name. The w command on the server
> >>> tells me that my address has not been masqueraded (its,
> >>> the LAN client's private IP).
> >>
> >> If you can ssh to a server on the Internet then your connectivity is
> >> working.  You might want to check if DNS is allowed and working from
> >> the LAN hosts to the Internet.
> >>
> >> The fact that 'w' shows your internal IP address is because you're
> >> connecting from the LAN to the gateway, which doesn't trigger the SNAT
> >> because it's not forwarding any packets... only accepting your
> >> connection.
> >
> > Hmm, I am SSHing not to the gateway but to a server in the Internet, so
> > shouldn't it masquerade the address and w show the gateway's IP and
> > not the client's -- isn't this the whole point of the SNAT?
> >
> > No other service than SSH seems to work. If I do "telnet mydnsip 53"
> > there is no response, it just hangs. I also have correct DNS in
> > /etc/resolv.conf.
> Nobody has any other ideas what I might be doing wrong here?
> Best,
> Peter

I had to get the VPN address range masqueraded on the LAN as the gateway
address. So for example:

VPN Server LAN IP: (not the real thing, but doesn't matter)
VPN IP Range:

So when I connect through OpenVPN, my tunnel adaptor is given an ip like (basically like a LAN, or your eth2).

What I did in IPTABLES is the following (eth0 is the LAN connection for
the VPN server)

iptables -t nat -A POSTROUTING -s -o eth0 -j

After that it worked. All connections to anything on the LAN appear as
if I am coming from Just make sure that forwarding is
enabled (I believe it is required for masquerade):

cat /proc/sys/net/ipv4/ip_forward

If it equals 0, change it to 1.

You may want to remove all the other entries you tried to get
LAN->Internet going to ensure there is nothing conflicting.
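The setup both posters describe (LAN behind eth2, static public address on eth0, forwarding enabled, one POSTROUTING rule rewriting the source) can be written as a small script with the checks in the same place. The following is an added example, not code from either message on the list; the interface names match Peter's layout, and the addresses are constructed documentation values (RFC 5737), not anyone's real ones. It uses `-m state`, which the iptables on CentOS 5 ships with, and SNAT with a fixed `--to-source` because eth0 has a static address; MASQUERADE is the equivalent for a dynamically assigned one.

```shell
#!/bin/sh
# Added example: LAN -> Internet SNAT gateway with the ip_forward check.
# Interface names follow the thread; addresses are constructed placeholders.

LAN_IF="eth2"                 # assumed: LAN side, private addressing
WAN_IF="eth0"                 # assumed: Internet side, static public IP
LAN_NET="192.168.10.0/24"     # constructed private LAN range
WAN_IP="203.0.113.5"          # constructed public address on eth0

# Report whether IPv4 forwarding is on. Reads the sysctl file given as $1
# (default: the live /proc entry). Returns 0 when enabled, 1 when it reads
# 0, 2 when the file is unreadable.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# Print the rule set. FORWARD admits new flows from the LAN toward the
# Internet and only the stateful replies coming back, instead of accepting
# everything in both directions; POSTROUTING rewrites the source of LAN
# traffic leaving the WAN interface.
snat_rules() {
    lan_if="$1"; wan_if="$2"; lan_net="$3"; wan_ip="$4"
    cat <<EOF
iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $wan_if -o $lan_if -d $lan_net -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j SNAT --to-source $wan_ip
EOF
}

# Number of rules snat_rules emits, for a quick sanity check.
snat_rule_count() {
    snat_rules "$@" | wc -l | tr -d ' '
}

# Only applies the rules when explicitly asked (SNAT_APPLY=1, as root);
# otherwise the functions above are just defined for use elsewhere.
if [ "${SNAT_APPLY:-0}" = "1" ]; then
    ip_forward_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
    snat_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" "$WAN_IP" | sh
    # The pkts/bytes counters on the SNAT rule should climb once a LAN
    # host opens a connection outward; if they stay at zero, the traffic
    # is not reaching this rule and the private address will leak through.
    iptables -t nat -L POSTROUTING -v -n
fi
```

Two things worth checking before blaming the SNAT rule itself: `iptables -L FORWARD -v -n --line-numbers` shows whether an earlier rule (the stock CentOS ruleset ends its chains with a REJECT) already matches LAN traffic before the appended ACCEPTs, which is the conflict Tait's last paragraph is getting at, and the `-v` counters on the POSTROUTING rule show whether forwarded packets are actually hitting it.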