iptables POSTROUTING doesn't match local-process replies.
Hello,
I need to change the source address of a reply packet leaving a machine running iptables. I am trying to accomplish this using POSTROUTING -j SNAT.
When a request comes into a server and is destined for a local process (i.e. apache, sshd, etc.), its reply leaves the machine without ever touching the POSTROUTING chain; the 'hit' counters (iptables -t nat -L POSTROUTING -n -v) never increment as a packet passes through, and my POSTROUTING -j SNAT rule never gets to mangle the packet's source address. POSTROUTING works fine if the connection is being routed through a machine and does not involve a local process.
I need to get this working to support a firmware-based load balancing device. In order to avoid out-of-state connections, I need to have the web server replies come from the same source address as the load balancing device's destination address, and therefore I need to translate the packets leaving the webserver.
Can anyone explain to me how to get POSTROUTING to process packets leaving a local process on a machine?
The packets do traverse the POSTROUTING chain...
However, the NAT is effective from the first handshake and once the stream is considered ESTABLISHED, no further packets pass to the chain.
Also, you may need to be more specific in the rule to define which source is going to be SNATted.
The rules work best with interface definitions...
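An added example, not from either poster in this thread, to illustrate the reply above: the nat table is consulted only for the first packet of a connection, so POSTROUTING counters count connections rather than packets, and the place to see what netfilter actually does to a flow is the conntrack table. The script builds an interface- and source-specific SNAT rule (the addresses 10.0.0.10, 10.0.0.1, 192.0.2.7 and 198.51.100.5 and the interface eth0 are constructed) and classifies constructed `conntrack -L` entries (conntrack-tools output format) by comparing the original and reply tuples.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed addresses:
#   10.0.0.10                 web server's real address on eth0
#   10.0.0.1                  address replies should appear to come from (assumed VIP)
#   192.0.2.7, 198.51.100.5   constructed client / remote addresses
WEB_IP=10.0.0.10
VIP=10.0.0.1
OUT_IF=eth0

# The nat table is consulted only for the first packet of each connection; the
# decision is stored in conntrack and applied to every later packet without the
# POSTROUTING chain seeing them again. Rule counters therefore count connections,
# not packets. Keep the rule narrow (interface, source, protocol, port).
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -p tcp --sport 80 -j SNAT --to-source %s\n' \
        "$OUT_IF" "$WEB_IP" "$VIP"
}

# Print "orig_src orig_dst reply_src reply_dst" from one 'conntrack -L' line.
# Layout: the original tuple's src=/dst= come first, the reply tuple's second.
tuple_addrs() {
    printf '%s\n' "$1" | awk '{
        s = 0; d = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^src=/)      { s++; sub(/^src=/, "", $i); src[s] = $i }
            else if ($i ~ /^dst=/) { d++; sub(/^dst=/, "", $i); dst[d] = $i }
        }
        print src[1], dst[1], src[2], dst[2]
    }'
}

# Classify what netfilter is doing to a flow, independent of chain counters:
# SNAT shows as reply dst != original src; DNAT shows as reply src != original dst.
nat_kind() {
    set -- $(tuple_addrs "$1")
    snat=no; dnat=no
    if [ "$1" != "$4" ]; then snat=yes; fi
    if [ "$2" != "$3" ]; then dnat=yes; fi
    if [ "$snat" = yes ] && [ "$dnat" = yes ]; then echo both
    elif [ "$snat" = yes ]; then echo snat
    elif [ "$dnat" = yes ]; then echo dnat
    else echo none
    fi
}

# Constructed conntrack entries in the format printed by 'conntrack -L':
# 1. inbound HTTP connection to the web server, no NAT: replies leave from 10.0.0.10
CT_INBOUND='tcp 6 431999 ESTABLISHED src=192.0.2.7 dst=10.0.0.10 sport=51000 dport=80 src=10.0.0.10 dst=192.0.2.7 sport=80 dport=51000 [ASSURED] mark=0 use=1'
# 2. locally originated connection whose source an SNAT rule rewrote to the VIP
CT_OUTBOUND_SNAT='tcp 6 431999 ESTABLISHED src=10.0.0.10 dst=198.51.100.5 sport=40000 dport=443 src=198.51.100.5 dst=10.0.0.1 sport=443 dport=40000 [ASSURED] mark=0 use=1'
# 3. inbound connection addressed to the VIP and DNATed to the real address;
#    conntrack restores 10.0.0.1 as the source of every reply packet on this flow
CT_DNAT='tcp 6 431999 ESTABLISHED src=192.0.2.7 dst=10.0.0.1 sport=51001 dport=80 src=10.0.0.10 dst=192.0.2.7 sport=80 dport=51001 [ASSURED] mark=0 use=1'

# Demo: the rule, then the classification of each constructed entry
snat_rule
for entry in "$CT_INBOUND" "$CT_OUTBOUND_SNAT" "$CT_DNAT"; do
    printf '%s -> %s\n' "$(tuple_addrs "$entry")" "$(nat_kind "$entry")"
done
```

On a live box the same check is `conntrack -L | while read -r line; do nat_kind "$line"; done` (conntrack-tools must be installed); a reply that keeps its real source address will show as `none` even if the nat rule's counter did increment once for the connection's first packet.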
So, basically you're saying that if a packet already has an ESTABLISHED state, that it will then not traverse the POSTROUTING chain? This would seem to be consistent with the tests I've performed, where replies from the webserver (which, therefore are ESTABLISHED) don't seem to get modified.