Reply To: How to tell if VLAN is not NAT’d


#49651

wifiguy
Member

@ppalias wrote:

Okay, remove ETH00 from the “NAT Enabled Interfaces”. Then add a specific iptables command.


iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE

Ok. So I have tried this several ways.

Way 1:
Eth01, eth01.20, eth01.30 and eth01.70 in the NAT Enabled Interfaces with the following iptables rules.

iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o eth1.20 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 --src 192.168.1.0/24 -o eth1.30 -j MASQUERADE
iptables -t nat -I POSTROUTING 1 --src 152.93.0.0/16 -o eth1.70 -j MASQUERADE

The iptables -t nat -L -v result is:

root@fw root> iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 22 packets, 2606 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 38 packets, 2966 bytes)
pkts bytes target prot opt in out source destination
37 3430 SNATVS all -- any any anywhere anywhere
3 704 MASQUERADE all -- any ETH01 anywhere anywhere
0 0 MASQUERADE all -- any ETH01.20 anywhere anywhere
0 0 MASQUERADE all -- any ETH01.30 anywhere anywhere
0 0 MASQUERADE all -- any ETH01.70 anywhere anywhere

Chain OUTPUT (policy ACCEPT 41 packets, 3670 bytes)
pkts bytes target prot opt in out source destination

Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination

I also tried it with no interfaces in the NAT Enabled Interfaces, using the following iptables rules:

iptables -t nat -I POSTROUTING 1 --src 172.30.0.0/16 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 2 --src 192.168.1.0/24 -o ETH00 -j MASQUERADE
iptables -t nat -I POSTROUTING 3 --src 152.93.0.0/16 -o ETH00 -j MASQUERADE

The iptables -t nat -L -v output is:

root@fw root> iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 194 packets, 16902 bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 243 packets, 18350 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any eth1.70 152.93.0.0/16 anywhere
0 0 MASQUERADE all -- any eth1.30 192.168.1.0/24 anywhere
0 0 MASQUERADE all -- any eth1.20 172.30.0.0/16 anywhere
0 0 MASQUERADE all -- any ETH00 172.30.0.0/16 anywhere
0 0 MASQUERADE all -- any ETH00 192.168.1.0/24 anywhere
0 0 MASQUERADE all -- any ETH00 152.93.0.0/16 anywhere
239 18110 SNATVS all -- any any anywhere anywhere

Chain OUTPUT (policy ACCEPT 70 packets, 5525 bytes)
pkts bytes target prot opt in out source destination

Chain SNATVS (1 references)
pkts bytes target prot opt in out source destination

Either way, it appears as though it’s not NAT’ing anything. I can’t get out from behind interfaces eth01.20, 30, or 70 that are supposed to be NAT’d.

Thoughts?
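An added check, not from this thread or its author: a small Python parser for the `iptables -t nat -L -v` listing that reports, per inside network, whether a MASQUERADE rule exists with `-o` set to the WAN interface and whether that rule has ever counted a packet. It assumes ETH00 is the WAN interface and uses the post's second listing as constructed sample input; a rule whose `-o` is the VLAN interface itself only masquerades traffic going into that VLAN, and a zero-count rule toward the WAN means no packet from that source has reached POSTROUTING bound for ETH00, which points at routing or forwarding rather than the NAT rule.

```python
from collections import namedtuple

# Constructed sample: the POSTROUTING part of the second `iptables -t nat -L -v`
# listing in the post, with the opt column as iptables prints it ("--").
SAMPLE_LISTING = """\
Chain POSTROUTING (policy ACCEPT 243 packets, 18350 bytes)
 pkts bytes target     prot opt in   out      source           destination
    0     0 MASQUERADE all  --  any  eth1.70  152.93.0.0/16    anywhere
    0     0 MASQUERADE all  --  any  ETH00    172.30.0.0/16    anywhere
    0     0 MASQUERADE all  --  any  ETH00    192.168.1.0/24   anywhere
  239 18110 SNATVS     all  --  any  any      anywhere         anywhere
Chain OUTPUT (policy ACCEPT 70 packets, 5525 bytes)
 pkts bytes target     prot opt in   out      source           destination
"""

# One record per rule line; `chain` records which chain the rule sits in.
NatRule = namedtuple("NatRule", "chain pkts target out_if source")

def parse_nat_listing(text):
    """Turn `iptables -t nat -L -v` output into NatRule records, one per rule row."""
    rules, chain = [], None
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "Chain":                   # "Chain POSTROUTING (policy ...)"
            chain = f[1]
        elif f[0] != "pkts" and len(f) >= 9:  # skip the column header, keep rules
            rules.append(NatRule(chain, int(f[0]), f[2], f[6], f[7]))
    return rules

def check_masquerade(rules, wan_if, inside_nets):
    """Verdict per inside network: 'ok' (MASQUERADE toward wan_if with hits),
    'idle' (rule toward wan_if present but zero packets), 'wrong-iface' (only
    rules whose -o is some other interface, e.g. the VLAN itself), 'missing'."""
    masq = [r for r in rules if r.chain == "POSTROUTING" and r.target == "MASQUERADE"]
    verdict = {}
    for net in inside_nets:
        hits = [r for r in masq if r.source == net]
        wan_hits = [r for r in hits if r.out_if == wan_if]
        if wan_hits:
            verdict[net] = "ok" if any(r.pkts > 0 for r in wan_hits) else "idle"
        elif hits:
            verdict[net] = "wrong-iface"
        else:
            verdict[net] = "missing"
    return verdict
```

On a live box, feed it `subprocess.check_output(["iptables", "-t", "nat", "-L", "-v"], text=True)` instead of the sample and re-run after generating traffic from the VLAN to see whether the counters move.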