January 7, 2009 at 12:35 pm #41390
I have a couple of servers NATed behind a zeroshell box using the Virtual Server feature.
The ZeroShell box started off with a public IP of x.x.x.1
Then I created two new IPs on the public ETH0 network (in my public range) so I could use the Virtual Server feature to forward HTTP from each public IP to either server:
ZeroShell box has a public IP of x.x.x.1
Server A has a public IP of x.x.x.2
Server B has a public IP of x.x.x.3
Server A has a NAT’ed internal IP of 192.168.0.2
Server B has a NAT’ed internal IP of 192.168.0.3
Virtual Server NATs this inbound fine. The problem is with outbound traffic.
However, I can’t seem to find a configuration option to set the public IP of the server for outgoing traffic (SMTP for instance).
Both Server A and Server B show their ‘External’ public IP as being that first IP that was added to the Zeroshell box – x.x.x.1
Is there an easy way I can make all traffic that goes from Server A 192.168.0.2 appear to come from x.x.x.2, and all traffic from Server B 192.168.0.3 appear to come from x.x.x.3?
Some sort of SNAT script in startup perhaps?
Jeff

January 12, 2009 at 7:04 pm #47364
Hi all, any takers on this one?
I’m sure it’s some sort of SNAT switch / option / script but I just can’t find it.
Many thanks in advance.
Jeff

January 14, 2009 at 8:02 am #47365
According to what you ask, the rule
iptables -t nat -A POSTROUTING --source 192.168.0.2 -j SNAT --to-source x.x.x.2
should do the work for you.
All you need is to place it on the appropriate line in the iptables configuration.

January 22, 2009 at 10:33 pm #47366
Thanks for that. Could you let me know the best place to put this, where I can easily update it or add more of these?
I thought: SETUP > Startup/Cron > NAT and Virtual Servers Script
Am I also right that in here I just hit the 'Test' button to reload the script, or do any changes only take place on restart?
Jeff

January 24, 2009 at 7:04 pm #47367
OK, I have added the iptables line into 'NAT/Virtual Server Scripts', hit Test and restarted the box as well. However, when checking the external IP of the internal server on 192.168.0.2, I'm still not getting the correct x.x.x.2 IP coming up; I'm still getting the first external IP, which is x.x.x.1.
From iptables, this shows that the scripted rule is in there (the SNAT line):

Chain POSTROUTING (policy ACCEPT 6 packets, 698 bytes)
 pkts bytes target     prot opt in  out        source       destination
  303 21842 SNATVS     all  --  *   *          0.0.0.0/0    0.0.0.0/0
  295 21051 MASQUERADE all  --  *   ETH00      0.0.0.0/0    0.0.0.0/0
    0     0 MASQUERADE all  --  *   ETH02.252  0.0.0.0/0    0.0.0.0/0
    0     0 MASQUERADE all  --  *   ETH02.253  0.0.0.0/0    0.0.0.0/0
    0     0 SNAT       all  --  *   *          192.168.0.2  0.0.0.0/0    to:x.x.x.2
    8   791 OpenVPN    all  --  *   *          0.0.0.0/0    0.0.0.0/0

January 24, 2009 at 7:21 pm #47368
Aha, I had MASQUERADE on. I took it off the ETH0 interface, and this seems to work now!
Jeff

January 24, 2009 at 8:35 pm #47369
The problem is the sequence, which is not correct. If you use the iptables command with the -A switch, the rule is appended to the POSTROUTING chain. You should use the -I switch instead, with which you can specify the position where to insert the rule. In other words, try to replace
iptables -t nat -A POSTROUTING --source 192.168.0.2 -j SNAT --to-source x.x.x.2
with
iptables -t nat -I POSTROUTING 2 --source 192.168.0.2 -j SNAT --to-source x.x.x.2
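The ordering problem in the last two replies is visible in the counters Jeff pasted: the MASQUERADE rule on ETH00 had matched 295 packets and the appended SNAT rule 0, because the nat table stops at the first matching target in POSTROUTING. Hard-coding position 2 works until another rule is added above it, so the script below computes the insert position from the live chain instead. This is an added example for the "NAT and Virtual Servers" startup script, not code from the thread or from ZeroShell; it assumes the public interface is named ETH00 (taken from the pasted chain) and uses 203.0.113.0/24 (TEST-NET-3) in place of the thread's x.x.x.0 range. The listing it parses is constructed to mirror the chain Jeff posted.

```shell
#!/bin/sh
# Added example, not from the thread or from ZeroShell. Assumptions: the public
# interface is ETH00 (from the poster's iptables output) and 203.0.113.0/24
# (TEST-NET-3) stands in for the thread's x.x.x.0 public range.

# Internal host -> public address it should source from (hosts from the thread).
SNAT_MAP="192.168.0.2=203.0.113.2
192.168.0.3=203.0.113.3"

PUBLIC_IF="ETH00"

# Constructed listing in 'iptables -t nat -S POSTROUTING' format, mirroring the
# chain the poster pasted: the appended SNAT rule sits behind MASQUERADE.
SAMPLE_LISTING="-P POSTROUTING ACCEPT
-A POSTROUTING -j SNATVS
-A POSTROUTING -o ETH00 -j MASQUERADE
-A POSTROUTING -o ETH02.252 -j MASQUERADE
-A POSTROUTING -o ETH02.253 -j MASQUERADE
-A POSTROUTING -s 192.168.0.2/32 -j SNAT --to-source 203.0.113.2
-A POSTROUTING -j OpenVPN"

# Read a '-S POSTROUTING' listing on stdin and print the 1-based position of
# the first MASQUERADE rule; prints rule-count+1 if there is none. Inserting at
# that index puts a rule in front of every MASQUERADE rule.
first_masq_pos() {
    awk '/^-A POSTROUTING/ {
             n++
             if (!found && /-j MASQUERADE/) found = n
         }
         END { print (found ? found : n + 1) }'
}

# Exit 0 if every SNAT rule precedes the first MASQUERADE rule, 1 otherwise.
# Argument 1: listing text. Useful as a post-start check in the same script.
snat_before_masq() {
    printf '%s\n' "$1" | awk '
        /^-A POSTROUTING/ {
            if (/-j MASQUERADE/) masq = 1
            if (/-j SNAT / && masq) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Print the iptables commands that place one SNAT rule per host in front of the
# first MASQUERADE rule. Argument 1: current listing text. Each rule is also
# limited to the public interface so VPN- and LAN-bound traffic is not rewritten.
emit_snat_rules() {
    pos=$(printf '%s\n' "$1" | first_masq_pos)
    printf '%s\n' "$SNAT_MAP" | while IFS='=' read -r inside public; do
        [ -n "$inside" ] || continue
        printf 'iptables -t nat -I POSTROUTING %s -o %s -s %s -j SNAT --to-source %s\n' \
            "$pos" "$PUBLIC_IF" "$inside" "$public"
    done
}

# Stand-alone use: print the commands for the constructed listing. On the
# firewall, replace SAMPLE_LISTING with "$(iptables -t nat -S POSTROUTING)"
# and pipe the output to sh.
emit_snat_rules "$SAMPLE_LISTING"
```

Two practical notes: inserting several rules at the same index places each new one ahead of the previous, which is harmless here because the source addresses do not overlap; and keeping the `-o ETH00` match (rather than removing MASQUERADE altogether, as Jeff did) leaves other internal hosts with a working default NAT while the two servers get their dedicated public addresses.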