[CentOS] SNAT question

Mon Nov 23 14:31:10 UTC 2009
Peter Peltonen <peter.peltonen at gmail.com>

Hi,

On Mon, Nov 23, 2009 at 4:15 PM, Giovanni Tirloni <tirloni at gmail.com> wrote:
> On Mon, Nov 23, 2009 at 12:10 PM, Peter Peltonen
> <peter.peltonen at gmail.com> wrote:
>> Hi,
>>
>> I am unable to get my LAN masqueraded using SNAT with CentOS 5.3 and iptables.
>>
>> I have the following setup:
>>
>> eth0: connects to internet with static public IP 1.2.3.1 (obscured
>> here for privacy)
>> eth1: connects to DMZ with static public IP 1.2.3.2 (obscured here for privacy)
>> eth2: connects to LAN with static private IP 192.168.0.1
>>
>> Traffic to hosts in the DMZ/Internet through eth0/1 work fine.
>>
>> I tried masquerading the LAN with following:
>>
>> iptables -A FORWARD -i eth2 -j ACCEPT
>> iptables -A FORWARD -o eth2 -j ACCEPT
>> iptables -A POSTROUTING -t nat -s 192.168.0.0/24 -o eth0 -j SNAT --to-source 1.2.3.1
>>
>> After this I can ssh to a server in the Internet from the LAN using
>> the server's IP address but not its name. The w command on the server
>> tells me that my address has not been masqueraded (it's 192.168.0.2,
>> the LAN client's private IP).
>
> If you can ssh to a server on the Internet then your connectivity is
> working.  You might want to check if DNS is allowed and working from
> the LAN hosts to the Internet.
>
> The fact that 'w' shows your internal IP address is because you're
> connecting from the LAN to the gateway, which doesn't trigger the SNAT
> because it's not forwarding any packets... only accepting your
> connection.

Hmm, I am SSHing not to the gateway but to a server in the Internet, so
shouldn't it masquerade the address and w show the gateway's IP and
not the client's -- isn't this the whole point of the SNAT?

No other service than SSH seems to work. If I do "telnet mydnsip 53"
there is no response, it just hangs. I also have correct DNS in
/etc/resolv.conf.

Best,
Peter
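For reference, an added example (not part of the thread and not Peter's configuration) of a complete SNAT gateway ruleset for the three-interface layout described in the post, together with a check of the kernel forwarding switch that a gateway needs before any FORWARD or POSTROUTING rule can take effect. Interface names and addresses are the ones the post gives; the conntrack-based return rule and the IPT variable for dry-run review are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: SNAT ruleset for the gateway layout
# described in the post, plus a check that the kernel will forward at all.
# Interface names and addresses follow the post; the rest is assumed here.

WAN_IF=eth0            # public side, 1.2.3.1
LAN_IF=eth2            # private side, 192.168.0.1
LAN_NET=192.168.0.0/24
WAN_IP=1.2.3.1

# IPT is the command used to apply the rules. Run with IPT=echo to print
# them for review instead of applying them (no root needed).
: "${IPT:=iptables}"

# Returns 0 when the kernel routes packets between interfaces, 1 otherwise.
# Takes the sysctl file to read so a saved copy can be checked as well.
check_forwarding() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Emits (or applies) three rules: forward LAN -> WAN, allow only replies to
# existing connections back in, and rewrite the LAN source address to the
# public IP as packets leave the WAN interface.
snat_rules() {
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

# Stand-alone dry run: print the rules and report the forwarding state.
if [ "$IPT" = "echo" ]; then
    snat_rules
    if check_forwarding; then
        echo "ip_forward=1"
    else
        echo "ip_forward is off: sysctl -w net.ipv4.ip_forward=1"
    fi
fi
```

Running it as `IPT=echo sh snat.sh` prints the rules for review; the same script applied as root on the gateway installs them. The ESTABLISHED,RELATED rule replaces a blanket `-o eth2 -j ACCEPT`, so only replies to connections the LAN opened are forwarded back in.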