[CentOS] SNAT question

Peter Peltonen peter.peltonen at gmail.com
Sat Nov 28 14:41:54 UTC 2009


On Thu, Nov 26, 2009 at 1:17 AM, Tait Clarridge <tait at clarridge.ca> wrote:
>> >> <peter.peltonen at gmail.com> wrote:
>> >>> Hi,
>> >>>
>> >>> I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
>> >>>
>> >>> I have the following setup:
>> >>>
>> >>> eth0: connects to internet with static public IP (obscured
>> >>> here for privacy)
>> >>> eth1: connects to DMZ with static public IP (obscured here for privacy)
>> >>> eth2: connects to LAN with static private IP
>> >>>
>> >>> Traffic to hosts in the DMZ/Internet through eth0/1 work fine.
> I had to get the VPN address range masqueraded on the LAN as the gateway
> address, so for example:
> VPN Server LAN IP: (not the real thing, but doesn't matter)
> VPN IP Range:
> So when I connect through OpenVPN, my tunnel adaptor is given an ip like
> (basically like a LAN, or your eth2).
> What I did in IPTABLES is the following (eth0 is the LAN connection for
> the VPN server)
> iptables -t nat -A POSTROUTING -s -o eth0 -j
> After that it worked. All connections to anything on the LAN appear as
> if I am coming from Just make sure that forwarding is
> enabled (I believe it is required for masquerade):
> cat /proc/sys/net/ipv4/ip_forward
> If it equals 0, change it to 1.
> You may want to remove all the other entries you tried to get
> LAN->Internet going to ensure there is nothing conflicting.

It appears my problems were somehow DNS-related: I can't access my
ISP's DNS from the LAN when masquerading is on (I can't understand why).
Using a nameserver in the DMZ solved my issues and everything seems to
work now ok.

Thanks for your help,
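As an added check (not code from the thread or its authors), the script below verifies the two things Tait's reply calls for, forwarding enabled and a POSTROUTING MASQUERADE/SNAT rule for the LAN range on the Internet-facing interface, by reading an `iptables-save -t nat` dump instead of trusting memory of what was typed. The LAN range, interface names and the sample dump are constructed assumptions; it says nothing about the DNS problem in the reply.

```shell
#!/bin/sh
# Constructed assumptions for the setup in the thread (eth0 = Internet, eth2 = LAN).
LAN_NET="192.168.10.0/24"   # assumed private range behind eth2
WAN_IF="eth0"               # assumed Internet-facing interface

# Constructed sample of `iptables-save -t nat` output, used for the offline demo.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
COMMIT'

# forwarding_enabled FILE: true when the ip_forward sysctl file reads "1".
forwarding_enabled() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# has_snat_rule DUMP NET IFACE: true when the dump holds a POSTROUTING rule that
# masquerades (or SNATs) NET out of IFACE. ".*" tolerates extra match options;
# note that old iptables versions may print the mask as a dotted quad instead of /24.
has_snat_rule() {
    printf '%s\n' "$1" |
        grep -E -e "^-A POSTROUTING .*-s $2 .*-o $3 .*-j (MASQUERADE|SNAT)" >/dev/null
}

# check_masquerade DUMP FORWARD_FILE NET IFACE: prints "ok" and returns 0 when both
# pieces are present; otherwise prints each missing piece and returns 1.
check_masquerade() {
    dump="$1"; fwd_file="$2"; net="$3"; ifc="$4"; rc=0
    if ! forwarding_enabled "$fwd_file"; then
        echo "ip_forward is not 1: sysctl -w net.ipv4.ip_forward=1 (and persist it in /etc/sysctl.conf)"
        rc=1
    fi
    if ! has_snat_rule "$dump" "$net" "$ifc"; then
        echo "no POSTROUTING MASQUERADE/SNAT rule for $net out of $ifc"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

# Stand-alone demo on the constructed sample, with forwarding reported as enabled.
# On a real box use: check_masquerade "$(iptables-save -t nat)" /proc/sys/net/ipv4/ip_forward "$LAN_NET" "$WAN_IF"
demo_fwd=$(mktemp); echo 1 > "$demo_fwd"
check_masquerade "$SAMPLE_NAT" "$demo_fwd" "$LAN_NET" "$WAN_IF"
rm -f "$demo_fwd"
```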
