Author Topic: SNAT issue. (Read 1989 times)

JanJoh · « **on:** March 28, 2012, 12:06:37 am »

Im running Zentyal (Core is 2.2.7).

My system has multiple NIC's, but only two should be relevant.

eth0 is my uplink and has two public IP-adresses on the same subnet.( eth0 is x.y.z.140 and eth0:OpenVPNAS is x.y.z.133 )
eth5 is one of my internal NIC's and is 172.20.20.1/24

I have an OpenVPN-AS connected to eth5 as 17.20.20.20

I have a port forward from eth0:OpenVPNAS -> 172.20.20.20 and i have disabled SNAT for that rule. (I have tried it as enabled as well without any change in behaviour)
But, despite that my OpenVPN-AS shows all clients as having "Real Address" 172.20.20.1

If I am reading things right, my setup SHOULD mean that the clients public IP-adress should be shown as Real Address in OpenVPN-AS?

jsalamero · « **Reply #1 on:** March 28, 2012, 09:52:31 am »

I don't know how OpenVPN-AS checks src address, make sure you don't have any other NAT rules with iptables -t nat -L -n -v

JanJoh · « **Reply #2 on:** March 28, 2012, 11:44:23 am »

j2@timevortex:~$ sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 32385 packets, 7648K bytes)
pkts bytes target prot opt in out source destination
33106 7580K premodules all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT udp -- eth0 * 0.0.0.0/0 46.22.120.140 udp dpt:443 to:192.168.41.20
258 14793 DNAT tcp -- eth0 * 0.0.0.0/0 46.22.120.140 tcp dpt:443 to:192.168.41.20
0 0 DNAT udp -- eth0 * 0.0.0.0/0 46.22.120.140 udp dpt:30080 to:192.168.41.30
88 5280 DNAT tcp -- eth0 * 0.0.0.0/0 46.22.120.140 tcp dpt:30080 to:192.168.41.30
0 0 DNAT udp -- eth0 * 0.0.0.0/0 46.22.120.140 udp dpt:110 to:192.168.41.20
438 21024 DNAT tcp -- eth0 * 0.0.0.0/0 46.22.120.140 tcp dpt:110 to:192.168.41.20
0 0 DNAT udp -- eth0 * 0.0.0.0/0 46.22.120.133 udp dpt:943 to:172.20.20.20
23 1196 DNAT tcp -- eth0 * 0.0.0.0/0 46.22.120.133 tcp dpt:943 to:172.20.20.20
0 0 DNAT udp -- eth0 * 0.0.0.0/0 46.22.120.140 udp dpt:143 to:192.168.41.20
438 21024 DNAT tcp -- eth0 * 0.0.0.0/0 46.22.120.140 tcp dpt:143 to:192.168.41.20
0 0 DNAT udp -- eth0 * 0.0.0.0/0 46.22.120.133 udp dpt:443 to:172.20.20.20
14 720 DNAT tcp -- eth0 * 0.0.0.0/0 46.22.120.133 tcp dpt:443 to:172.20.20.20
0 0 DNAT udp -- eth0 * 0.0.0.0/0 46.22.120.140 udp dpt:993 to:192.168.41.20
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 46.22.120.140 tcp dpt:993 to:192.168.41.20
0 0 DNAT udp -- eth0 * 0.0.0.0/0 46.22.120.140 udp dpt:22333 to:192.168.41.20:25
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 46.22.120.140 tcp dpt:22333 to:192.168.41.20:25
0 0 DNAT udp -- eth0 * 46.22.120.139 46.22.120.140 udp dpt:25 to:192.168.41.20
1 60 DNAT tcp -- eth0 * 46.22.120.139 46.22.120.140 tcp dpt:25 to:192.168.41.20
0 0 DNAT udp -- eth0 * 46.22.120.135 46.22.120.140 udp dpt:25 to:192.168.41.20
81 4536 DNAT tcp -- eth0 * 46.22.120.135 46.22.120.140 tcp dpt:25 to:192.168.41.20
0 0 DNAT udp -- eth0 * 46.22.120.138 46.22.120.140 udp dpt:25 to:192.168.41.20
0 0 DNAT tcp -- eth0 * 46.22.120.138 46.22.120.140 tcp dpt:25 to:192.168.41.20
0 0 DNAT udp -- eth0 * 0.0.0.0/0 46.22.120.140 udp dpt:995 to:192.168.41.20
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 46.22.120.140 tcp dpt:995 to:192.168.41.20
0 0 DNAT udp -- eth0 * 0.0.0.0/0 46.22.120.133 udp dpt:22 to:172.20.20.20
2 120 DNAT tcp -- eth0 * 0.0.0.0/0 46.22.120.133 tcp dpt:22 to:172.20.20.20
0 0 DNAT udp -- eth0 * 0.0.0.0/0 46.22.120.140 udp dpt:30022 to:192.168.41.30:22
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 46.22.120.140 tcp dpt:30022 to:192.168.41.30:22
0 0 DNAT udp -- eth0 * 0.0.0.0/0 46.22.120.140 udp dpt:60022 to:192.168.41.20:22
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 46.22.120.140 tcp dpt:60022 to:192.168.41.20:22

Chain POSTROUTING (policy ACCEPT 3442 packets, 239K bytes)
pkts bytes target prot opt in out source destination
14976 1068K postmodules all -- * * 0.0.0.0/0 0.0.0.0/0
1216 61437 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
88 5280 SNAT all -- * * 0.0.0.0/0 192.168.41.30 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.30 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 46.22.120.139 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 46.22.120.139 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 46.22.120.135 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 46.22.120.135 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 46.22.120.138 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 46.22.120.138 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
39 2036 SNAT all -- * * 0.0.0.0/0 172.20.20.20 to:172.20.20.1
0 0 SNAT all -- * * 0.0.0.0/0 172.20.20.20 to:172.20.20.1
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.30 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.30 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
0 0 SNAT all -- * * 0.0.0.0/0 192.168.41.20 to:192.168.41.2
10673 792K SNAT all -- * eth0 !46.22.120.140 0.0.0.0/0 to:46.22.120.140

Chain OUTPUT (policy ACCEPT 3439 packets, 239K bytes)
pkts bytes target prot opt in out source destination

Chain postmodules (1 references)
pkts bytes target prot opt in out source destination

Chain premodules (1 references)
pkts bytes target prot opt in out source destination
j2@timevortex:~$

Cookies usage

Author Topic: SNAT issue. (Read 1989 times)

JanJoh

SNAT issue.

jsalamero

Re: SNAT issue.

JanJoh

Re: SNAT issue.