iptables: How to combine DNAT and SNAT to use a secondary IP address?
Posted by Que_273 on Server Fault, published 2012-10-16T13:29:56Z (indexed 2012/10/17 17:05 UTC).
There are lots of questions on here about iptables DNAT/SNAT setups but I haven't found one that solves my current problem.
I have services bound to the IP address of eth0 (e.g. 192.168.0.20) and I also have an IP address on eth0:0 (192.168.0.40) which is shared with another server. Only one server is active, so this alias interface comes and goes depending on which server is active. In order to get traffic accepted by the service, a DNAT rule is used to change the destination IP.
iptables -t nat -A PREROUTING -d 192.168.0.40 -p udp --dport 7100 -j DNAT --to-destination 192.168.0.20
I also wish all outbound traffic from this service to appear to come from the shared IP, so that return responses will work in the event of an active-standby failover.
iptables -t nat -A POSTROUTING -p udp --sport 7100 -j SNAT --to-source 192.168.0.40
My problem is that the SNAT rule is not always run. Inbound traffic causes a connection tracking entry like this.
[root]# conntrack -L -p udp
udp      17 170 src=192.168.0.185 dst=192.168.0.40 sport=7100 dport=7100 src=192.168.0.20 dst=192.168.0.185 sport=7100 dport=7100 [ASSURED] mark=0 secmark=0 use=2
which means the POSTROUTING chain is not run and outbound traffic leaves with the real IP address as the source.
I am thinking I can set up a NOTRACK rule in the raw table to prevent conntracking for this port number, but is there a better or more efficient way to make this work?
Edit - Alternative question: Is there a way (in CentOS/Linux) to have an interface that can be bound to but not used, such that it can be attached to the network or detached when a shared IP address is swapped between servers?
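The conntrack behaviour behind this question is easier to reason about with a small model in hand. The following Python is an added illustration, not code from the question and not Netfilter's own code; it is a deliberately simplified simulator built on three facts about Linux NAT: the nat table is consulted only for the first packet of a tracked flow, later packets of that flow are translated from the conntrack entry (with the inverse mapping applied to packets in the reply direction), and packets marked NOTRACK in the raw table get no conntrack entry and therefore no NAT at all. The addresses, the service port and the peer hosts 192.168.0.185 and 192.168.0.50 are taken from the question or constructed for the example; the class and function names are assumptions of this example.

```python
"""Toy model of Netfilter connection-tracking NAT (illustration only, not kernel code).

Simplifications assumed by this example:
  - UDP only, and only the two NAT hooks that matter here: PREROUTING (DNAT)
    for packets arriving from the wire, POSTROUTING (SNAT) for packets leaving
  - packets addressed to LOCAL_IPS are delivered locally and never reach
    POSTROUTING; locally generated packets never traverse PREROUTING
  - the nat table is walked only for the first packet of a new flow; later
    packets reuse the conntrack entry (inverse translation for replies)
  - NOTRACK'd packets get no conntrack entry and are therefore never NATed
"""
from dataclasses import dataclass

# eth0 address and the eth0:0 alias from the question
LOCAL_IPS = {"192.168.0.20", "192.168.0.40"}


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

    def inverted(self):
        """The tuple a reply to this packet would carry."""
        return Pkt(self.dst, self.dport, self.src, self.sport)


class NatBox:
    def __init__(self, notrack_ports=()):
        self.dnat = []            # (match dst, match dport, new dst)
        self.snat = []            # (match sport, new src)
        self.notrack = set(notrack_ports)
        self.entries = []         # (original tuple, reply tuple), like `conntrack -L`
        self.nat_rule_hits = []   # which nat rules actually fired, in order

    def add_dnat(self, dst, dport, to_dst):
        self.dnat.append((dst, dport, to_dst))

    def add_snat(self, sport, to_src):
        self.snat.append((sport, to_src))

    def _lookup(self, p):
        for orig, reply in self.entries:
            if p == orig:
                return orig, reply, "ORIGINAL"
            if p == reply:
                return orig, reply, "REPLY"
        return None

    def process(self, p):
        """Return the packet as it leaves the box (or as it is delivered locally)."""
        if p.sport in self.notrack or p.dport in self.notrack:
            return p  # untracked: no entry is created and the nat table never sees it
        found = self._lookup(p)
        if found:
            orig, reply, direction = found
            # conntrack replays the stored translation; the nat table is not consulted
            return reply.inverted() if direction == "ORIGINAL" else orig.inverted()
        out = p  # first packet of a new flow: walk the nat table
        if p.src not in LOCAL_IPS:  # arriving from the wire -> PREROUTING
            for dst, dport, to_dst in self.dnat:
                if out.dst == dst and out.dport == dport:
                    out = Pkt(out.src, out.sport, to_dst, out.dport)
                    self.nat_rule_hits.append("DNAT")
                    break
        if out.dst not in LOCAL_IPS:  # leaving the box -> POSTROUTING
            for sport, to_src in self.snat:
                if out.sport == sport:
                    out = Pkt(to_src, out.sport, out.dst, out.dport)
                    self.nat_rule_hits.append("SNAT")
                    break
        self.entries.append((p, out.inverted()))  # original tuple, expected reply tuple
        return out


def run_question_scenario(notrack=False):
    """The two rules from the question, exercised with and without NOTRACK on port 7100."""
    box = NatBox(notrack_ports=(7100,) if notrack else ())
    box.add_dnat("192.168.0.40", 7100, "192.168.0.20")   # PREROUTING rule from the question
    box.add_snat(7100, "192.168.0.40")                   # POSTROUTING rule from the question
    peer = "192.168.0.185"                                # peer seen in the conntrack listing
    inbound = box.process(Pkt(peer, 7100, "192.168.0.40", 7100))
    reply = box.process(Pkt("192.168.0.20", 7100, peer, 7100))          # reply direction
    fresh = box.process(Pkt("192.168.0.20", 7100, "192.168.0.50", 7100))  # new outbound flow
    return {"inbound": inbound, "reply": reply, "fresh_outbound": fresh,
            "rule_hits": list(box.nat_rule_hits), "entries": len(box.entries)}


if __name__ == "__main__":
    for mode in (False, True):
        print("NOTRACK on 7100:" if mode else "tracked:", run_question_scenario(mode))
```

In the tracked run the reply packet never reaches the SNAT rule, exactly as the conntrack listing above suggests, yet it still leaves with source 192.168.0.40 because conntrack undoes the DNAT on the reply path; only a genuinely new outbound flow (here, to 192.168.0.50) walks POSTROUTING and hits the SNAT rule. The NOTRACK run shows the cost of that approach in this model: with no conntrack entry the DNAT rule is skipped too, so inbound packets are delivered with the shared address as their destination and outbound packets keep the real address.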
© Server Fault or respective owner