iptables: How to combine DNAT and SNAT to use a secondary IP address?

Posted by Que_273 on Server Fault
Published on 2012-10-16T13:29:56Z

There are lots of questions on here about iptables DNAT/SNAT setups but I haven't found one that solves my current problem.
I have services bound to the IP address of eth0 (e.g. 192.168.0.20) and I also have an IP address on eth0:0 (192.168.0.40) which is shared with another server. Only one server is active, so this alias interface comes and goes depending on which server is active. In order to get traffic accepted by the service a DNAT rule is used to change the destination IP.

iptables -t nat -A PREROUTING -d 192.168.0.40 -p udp --dport 7100 -j DNAT --to-destination 192.168.0.20

I also wish all outbound traffic from this service to appear to come from the shared IP, so that return responses will work in the event of an active-standby failover.

iptables -t nat -A POSTROUTING -p udp --sport 7100 -j SNAT --to-source 192.168.0.40

My problem is that the SNAT rule is not always run. Inbound traffic causes a connection tracking entry like this.

[root]# conntrack -L -p udp
udp      17 170 src=192.168.0.185 dst=192.168.0.40 sport=7100 dport=7100 src=192.168.0.20 dst=192.168.0.185 sport=7100 dport=7100 [ASSURED] mark=0 secmark=0 use=2

which means the POSTROUTING chain is not run and outbound traffic leaves with the real IP address as the source.

I am thinking I can set up a NOTRACK rule in the raw table to prevent conntracking for this port number, but is there a better or more efficient way to make this work?

Edit - Alternative question: Is there a way (in CentOS/Linux) to have an interface that can be bound to but not used, such that it can be attached to the network or detached when a shared IP address is swapped between servers?
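An added example, not part of the original question: a small Python checker that reads `conntrack -L` entries like the one quoted above and works out, per flow, which NAT mapping conntrack is holding and which source address the local service's packets will carry on that flow. It relies on the fact that netfilter consults the nat table only for a flow's first packet; every later packet follows the recorded mapping. The second and third sample entries are constructed to show a service-initiated flow without and with an SNAT mapping; the peer 192.168.0.50 is made up.

```python
# Parse `conntrack -L` entries and report the source address the local service's
# packets will leave with on each flow (nat table only sees a flow's first packet).
import re

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

def parse_entry(line):
    """One conntrack line -> (original tuple, reply tuple after NAT mapping)."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected two address tuples in: %r" % line)
    orig, reply = [{"src": s, "dst": d, "sport": int(sp), "dport": int(dp)}
                   for s, d, sp, dp in tuples]
    return orig, reply

def classify_nat(orig, reply):
    """Without NAT the reply tuple is the original reversed; a mismatch shows the mapping."""
    kinds = []
    if (reply["src"], reply["sport"]) != (orig["dst"], orig["dport"]):
        kinds.append("DNAT")  # destination rewritten on the way in
    if (reply["dst"], reply["dport"]) != (orig["src"], orig["sport"]):
        kinds.append("SNAT")  # source rewritten on the way out
    return kinds or ["none"]

def outbound_source(orig, reply, local_ip):
    """Address the local host's packets carry on this flow (None if not terminated locally)."""
    if reply["src"] == local_ip:   # local host answers a DNATed flow: replies are
        return orig["dst"]         # reverse-mapped to the address the peer used
    if orig["src"] == local_ip:    # local host started the flow: SNAT target, or
        return reply["dst"]        # the real address if no SNAT rule matched
    return None

def audit(lines, real_ip, shared_ip):
    """(nat kinds, outbound source, ok) per entry; ok is False when the peer sees real_ip."""
    results = []
    for line in lines:
        orig, reply = parse_entry(line)
        src = outbound_source(orig, reply, real_ip)
        results.append(("+".join(classify_nat(orig, reply)), src, src == shared_ip))
    return results

# Constructed sample: entry 1 is the one from the question; entries 2 and 3 are
# flows the service itself started, without and with an SNAT mapping.
SAMPLE = [
    "udp      17 170 src=192.168.0.185 dst=192.168.0.40 sport=7100 dport=7100 src=192.168.0.20 dst=192.168.0.185 sport=7100 dport=7100 [ASSURED] mark=0 secmark=0 use=2",
    "udp      17 29 src=192.168.0.20 dst=192.168.0.185 sport=7100 dport=7100 [UNREPLIED] src=192.168.0.185 dst=192.168.0.20 sport=7100 dport=7100 mark=0 use=1",
    "udp      17 29 src=192.168.0.20 dst=192.168.0.50 sport=7100 dport=7100 [UNREPLIED] src=192.168.0.50 dst=192.168.0.40 sport=7100 dport=7100 mark=0 use=1",
]
```

Run `audit(SAMPLE, "192.168.0.20", "192.168.0.40")` (or feed it real `conntrack -L -p udp` output) to list the flows whose packets will leave with the real address instead of the shared one.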
