Re: [CentOS] snat packet going out a bridge

2016-01-21 Thread Steve Clark

On 01/20/2016 04:21 PM, Gordon Messmer wrote:
> On 01/20/2016 09:55 AM, Steve Clark wrote:
>> Any ideas?
>
> IP forwarding needs to be enabled, and you also need rules in your
> FORWARD chain to allow the packets.

Thanks, but forwarding is turned on and my FW rules are empty.

Chain INPUT (policy ACCEPT 359K packets, 136M bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 55801 packets, 4736K bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 319K packets, 141M bytes)
 pkts bytes target prot opt in out source destination
--
Stephen Clark

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] snat packet going out a bridge

2016-01-21 Thread Gordon Messmer

On 01/21/2016 03:49 AM, Steve Clark wrote:
> Thanks, but forwarding is turned on and my FW rules are empty.

Try specifying the physical device the packets are going out, rather
than the bridge, in your postrouting rule.

Apparently you also need an ebtables rule to prevent the return packets 
from being merely bridged?

http://serverfault.com/questions/349688/iptables-bridge-nat-setup

I'd test it, but have a look if you get the outbound traffic working and 
return traffic doesn't.



Re: [CentOS] snat packet going out a bridge

2016-01-21 Thread Eliezer Croitoru

On 20/01/2016 19:55, Steve Clark wrote:
> So I want traffic coming in eth5 with 10.10.0.x addresses to be source
> natted to 192.168.100.3.
> But my iptables nat statement never gets hit.
>
> Chain POSTROUTING (policy ACCEPT 172 packets, 31384 bytes)
>  pkts bytes target     prot opt in  out     source     destination
>     0     0 SNAT       all  --  *   xbrdg0  0.0.0.0/0  0.0.0.0/0  to:192.168.100.3
>    29  1933 MASQUERADE all  --  *   tun+    0.0.0.0/0  0.0.0.0/0
>
> # ping -I 10.10.0.1 8.8.8.8

First you should try to match without SNAT at all with a simple log
target and see if it matches.

I would start with:
iptables -t nat -I POSTROUTING -s 10.0.0.1 -o xbrdg0 -j LOG --log-prefix "Should-SNAT: " --log-level 4

And then:
iptables -t nat -I POSTROUTING -s 10.0.0.1 -o xbrdg0 -j SNAT --to-source 192.168.100.3

And see what happens.
Also there might be something about this bridge's settings, and it may
need the "-o eth1", but it would be a bit weird.

Eliezer


Re: [CentOS] snat packet going out a bridge

2016-01-20 Thread Gordon Messmer

On 01/20/2016 09:55 AM, Steve Clark wrote:
> Any ideas?

IP forwarding needs to be enabled, and you also need rules in your 
FORWARD chain to allow the packets.



[CentOS] snat packet going out a bridge

2016-01-20 Thread Steve Clark

Hi List,

I am running into a problem where I have 2 interfaces bridged with an IP
address assigned.

I have another interface on which ingress traffic arrives that needs to go
out the bridged interface.
I am trying unsuccessfully to SNAT the traffic leaving the bridge interface to
its assigned address.

# brctl show xbrdg0
bridge name     bridge id               STP enabled     interfaces
xbrdg0          8000.000c297aa55f       no              eth0
                                                        eth1
# ip a s xbrdg0
11: xbrdg0:  mtu 1500 qdisc noqueue state UNKNOWN
    link/ether 00:0c:29:7a:a5:5f brd ff:ff:ff:ff:ff:ff
    inet 192.168.100.3/24 scope global xbrdg0

# ip a s eth5
7: eth5:  mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:0c:29:7a:a5:7d brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.1/29 scope global eth5

default via 192.168.100.1 dev xbrdg0

So I want traffic coming in eth5 with 10.10.0.x addresses to be source natted 
to 192.168.100.3.
But my iptables nat statement never gets hit.

Chain POSTROUTING (policy ACCEPT 172 packets, 31384 bytes)
 pkts bytes target     prot opt in  out     source     destination
    0     0 SNAT       all  --  *   xbrdg0  0.0.0.0/0  0.0.0.0/0  to:192.168.100.3
   29  1933 MASQUERADE all  --  *   tun+    0.0.0.0/0  0.0.0.0/0

# ping -I 10.10.0.1 8.8.8.8

# tcpdump -nli xbrdg0 icmp or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on xbrdg0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:52:06.914295 IP 10.10.0.1 > 8.8.8.8: ICMP echo request, id 38932, seq 1, length 64
12:52:07.914592 IP 10.10.0.1 > 8.8.8.8: ICMP echo request, id 38932, seq 2, length 64
12:52:08.914579 IP 10.10.0.1 > 8.8.8.8: ICMP echo request, id 38932, seq 3, length 64

Any ideas?

Thanks,
Steve

--
Stephen Clark

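A small check that does by script what the thread does by eye: it reads the POSTROUTING counters from Steve's `iptables -t nat -L -v -n` dump and the port membership from `brctl show`, and reports SNAT/MASQUERADE rules that have never matched while their `-o` is a bridge rather than a physical port, which is the case Gordon and Eliezer suggest re-testing. This is an added example, not code from the thread; the sample output is constructed to mirror Steve's (interface names kept, counters illustrative) and the function names are my own.

```python
# Constructed sample mirroring the thread's iptables -t nat -L POSTROUTING -v -n output.
NAT_POSTROUTING = """\
Chain POSTROUTING (policy ACCEPT 172 packets, 31384 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      xbrdg0  0.0.0.0/0            0.0.0.0/0            to:192.168.100.3
   29  1933 MASQUERADE all  --  *      tun+    0.0.0.0/0            0.0.0.0/0
"""
# Constructed brctl show output: the second port sits on a whitespace-led continuation row.
BRCTL_SHOW = ("bridge name\tbridge id\t\tSTP enabled\tinterfaces\n"
              "xbrdg0\t\t8000.000c297aa55f\tno\t\teth0\n"
              "\t\t\t\t\t\t\teth1\n")

SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}   # iptables -v counter multipliers

def count(field):
    """Decode an iptables -v counter such as '29', '359K' or '136M'."""
    return int(field[:-1]) * SUFFIX[field[-1]] if field[-1] in SUFFIX else int(field)

def parse_bridges(text):
    """Map bridge name -> list of member ports from brctl show output."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():               # a new bridge row starts in column 0
            current = fields[0]
            bridges[current] = fields[3:]       # [] for a bridge with no ports
        elif current is not None:               # continuation row: additional port
            bridges[current].extend(fields)
    return bridges

def parse_nat_rules(text):
    """Parse the rule rows of an iptables -L -v -n chain dump into dicts."""
    rules = []
    for line in text.splitlines()[2:]:          # skip chain and column headers
        f = line.split()
        if len(f) < 9:
            continue
        rules.append({"pkts": count(f[0]), "target": f[2], "in": f[5],
                      "out": f[6], "src": f[7], "dst": f[8],
                      "extra": " ".join(f[9:])})
    return rules

def idle_nat_rules_on_bridges(nat_text, brctl_text):
    """Return (target, out-interface, bridge ports) for SNAT/MASQUERADE rules that
    never matched and whose -o is a bridge, as with -o xbrdg0 in the thread."""
    bridges = parse_bridges(brctl_text)
    return [(r["target"], r["out"], bridges[r["out"]])
            for r in parse_nat_rules(nat_text)
            if r["pkts"] == 0 and r["target"] in ("SNAT", "MASQUERADE")
            and r["out"] in bridges]
```

Feed it the live output of the two commands and each reported tuple lists the physical ports to try in place of the bridge name, per Gordon's suggestion.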