[CentOS] SNAT question

Mon Nov 23 14:15:38 UTC 2009
Giovanni Tirloni <tirloni at gmail.com>

On Mon, Nov 23, 2009 at 12:10 PM, Peter Peltonen
<peter.peltonen at gmail.com> wrote:
> Hi,
>
> I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
>
> I have the following setup:
>
> eth0: connects to internet with static public IP 1.2.3.1 (obscured
> here for privacy)
> eth1: connects to DMZ with static public IP 1.2.3.2 (obscured here for privacy)
> eth2: connects to LAN with static private IP 192.168.0.1
>
> Traffic to hosts in the DMZ/Internet through eth0/1 work fine.
>
> I tried masqueradig the LAN with following:
>
> ptables -A FORWARD -i eth2 -j ACCEPT
> iptables -A FORWARD -o eth2 -j ACCEPT
> iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT
> --to-source 1.2.3.1
>
> After this I can ssh to a server in the Internet from the LAN using
> the server's IP address but not its name. The w command on the server
> tells me that my address has not been masqueraded (its 192.168.0.2,
> the LAN client's private IP).

If you can ssh to a server on the Internet then your connectivity is
working.  You might want to check if DNS is allowed and working from
the LAN hosts to the Internet.

The fact that 'w' shows your internal IP address is because you're
connecting from the LAN to the gateway, which doesn't trigger the SNAT
because it's not forwarding any packets... only accepting your
connection.

-- 
Giovanni.