Hello,

I have the following setup on linux 2.6.32... CentOS 6.x :

ipsec tunnel eth0-10.255.3.254/25 - eth1-pub add1 <-> eth1-pub add2 - eth0-10.255.5.254/25

I am trying to SNAT remote private address 10.255.5.128/25 packets when they come out of the ipsec tunnel to make it appear like it was from local address 10.255.3.254. I am doing a source ping from the right side to a device on the left subnet
ping -I 10.255.5.254 10.255.3.129
but it doesn't work - see below.

iptables -t nat -I POSTROUTING -o eth0 -s 10.255.5.128/25 -d 10.255.3.128/25 -j SNAT --to-source 10.255.3.254

Chain POSTROUTING (policy ACCEPT 6 packets, 456 bytes)
 pkts bytes target  prot opt in  out   source            destination
    0     0 SNAT    all  --  *   eth0  10.255.5.128/25   10.255.3.128/25   to:10.255.3.254

$ sudo tcpdump -nli eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:20:17.772396 IP 10.255.5.254 > 10.255.3.129: ICMP echo request, id 52588, seq 62, length 64
15:20:18.777272 IP 10.255.5.254 > 10.255.3.129: ICMP echo request, id 52588, seq 63, length 64
15:20:19.772572 IP 10.255.5.254 > 10.255.3.129: ICMP echo request, id 52588, seq 64, length 64
15:20:20.770681 IP 10.255.5.254 > 10.255.3.129: ICMP echo request, id 52588, seq 65, length 64

I would expect 10.255.5.254 to be replaced with 10.255.3.254 what am I missing?
Is this possible
I could do it when we were using FreeBSD.

I didn't find anything googling.

Thanks,
Steve

--
"They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)

Never mind. I got it to work.

I already had the ping going when I added the iptables SNAT rule, conntracking or route caching made it not work. I stopped the ping for a minute or so then restarted it and it worked and did the SNATing as I expected.

On 10/13/2012 06:04 PM, Steve Clark wrote:
> Hello,
>
> I have the following setup on linux 2.6.32... CentOS 6.x :
>
> ipsec tunnel eth0-10.255.3.254/25 - eth1-pub add1 <-> eth1-pub add2 - eth0-10.255.5.254/25
>
> I am trying to SNAT remote private address 10.255.5.128/25 packets when
> they come out of the ipsec tunnel to make it appear like it was from local
> address 10.255.3.254. I am doing a source ping from the right side to a
> device on the left subnet ping -I 10.255.5.254 10.255.3.129
> but it doesn't work - see below.
>
> iptables -t nat -I POSTROUTING -o eth0 -s 10.255.5.128/25 -d 10.255.3.128/25 -j SNAT --to-source 10.255.3.254
>
> Chain POSTROUTING (policy ACCEPT 6 packets, 456 bytes)
>  pkts bytes target  prot opt in  out   source            destination
>     0     0 SNAT    all  --  *   eth0  10.255.5.128/25   10.255.3.128/25   to:10.255.3.254
>
> $ sudo tcpdump -nli eth0 icmp
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 15:20:17.772396 IP 10.255.5.254 > 10.255.3.129: ICMP echo request, id 52588, seq 62, length 64
> 15:20:18.777272 IP 10.255.5.254 > 10.255.3.129: ICMP echo request, id 52588, seq 63, length 64
> 15:20:19.772572 IP 10.255.5.254 > 10.255.3.129: ICMP echo request, id 52588, seq 64, length 64
> 15:20:20.770681 IP 10.255.5.254 > 10.255.3.129: ICMP echo request, id 52588, seq 65, length 64
>
> I would expect 10.255.5.254 to be replaced with 10.255.3.254 what am I missing?
> Is this possible
> I could do it when we were using FreeBSD.
>
> I didn't find anything googling.
>
> Thanks,
> Steve

--
Stephen Clark
*NetWolves*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
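
Added example, not part of either message in this thread: netfilter consults the nat table only for the first packet of a tracked flow, so a flow that was already in the conntrack table when the SNAT rule was inserted keeps its un-NATed mapping until the entry expires or is deleted. The Python below scans `conntrack -L` output for flows that match the rule's -s/-d but whose reply tuple does not point at the --to-source address, and builds the `conntrack -D` commands that would clear them; the sample lines are constructed and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `conntrack -L` output (not captured from the poster's host).
# In each line the first src=/dst= pair is the original direction and the second
# pair is the reply conntrack expects; SNAT shows up as a rewritten reply dst.
SAMPLE = """\
icmp     1 29 src=10.255.5.254 dst=10.255.3.129 type=8 code=0 id=52588 src=10.255.3.129 dst=10.255.5.254 type=0 code=0 id=52588 mark=0 use=1
icmp     1 29 src=10.255.5.200 dst=10.255.3.130 type=8 code=0 id=4100 src=10.255.3.130 dst=10.255.3.254 type=0 code=0 id=4100 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.255.3.140 dst=10.255.3.254 sport=51514 dport=22 src=10.255.3.254 dst=10.255.3.140 sport=22 dport=51514 [ASSURED] mark=0 use=1
"""

PAIR = re.compile(r"src=(\S+) dst=(\S+)")


def stale_flows(text, src_net, dst_net, to_source):
    """Return (proto, src, dst) for flows the SNAT rule matches but never translated."""
    src_net = ipaddress.ip_network(src_net)
    dst_net = ipaddress.ip_network(dst_net)
    to_source = ipaddress.ip_address(to_source)
    stale = []
    for line in text.splitlines():
        pairs = PAIR.findall(line)
        if len(pairs) != 2:          # not a complete original+reply entry
            continue
        proto = line.split()[0]
        (o_src, o_dst), (_r_src, r_dst) = pairs
        o_src, o_dst, r_dst = map(ipaddress.ip_address, (o_src, o_dst, r_dst))
        # Matches the rule's -s/-d, yet replies are still expected at the
        # original source: the entry predates the rule.
        if o_src in src_net and o_dst in dst_net and r_dst != to_source:
            stale.append((proto, str(o_src), str(o_dst)))
    return stale


def flush_commands(flows):
    """Build conntrack -D invocations (run as root) that delete only the stale flows."""
    return [f"conntrack -D -p {p} -s {s} -d {d}" for p, s, d in flows]


if __name__ == "__main__":
    flows = stale_flows(SAMPLE, "10.255.5.128/25", "10.255.3.128/25", "10.255.3.254")
    print("\n".join(flush_commands(flows)))
```

On a live gateway, feed the function the real output of `conntrack -L` instead of `SAMPLE`.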