Iptables postrouting SNAT Does not Always Cause Packets to be SNAT'ed with Configured Source IP address in iptables rule

rlam1298
Posts: 4
Joined: 2021/08/26 22:10:28

Iptables postrouting SNAT Does not Always Cause Packets to be SNAT'ed with Configured Source IP address in iptables rule

Post by rlam1298 » 2021/08/26 22:29:20

I configured a Linux server to have a secondary IP address and to use iptables POSTROUTING to perform source network address translation using the following commands.

ip addr add 10.11.195.99/25 dev eno3
iptables -t nat -A POSTROUTING -p udp -o eno3 -s 10.11.195.45 -d 239.168.45.222 -j SNAT --to 10.11.195.99:60003

This all works great such that tcpdump shows that the source IP address 10.11.195.45 is replaced with 10.11.195.99. However, there exists an intermittent issue during reconfiguration such that the next new Source IP address 10.11.195.212 is not used in the post routing causing the outgoing packets to still use the previous source IP address of 10.11.195.99. Below are the commands sent during the reconfiguration.

iptables -t nat -D POSTROUTING 1
ip addr del 10.11.195.99/25 dev eno3
ip addr add 10.11.195.212/25 dev eno3
iptables -t nat -A POSTROUTING -p udp -o eno3 -s 10.11.195.45 -d 239.168.45.222 -j SNAT --to 10.11.195.212:60003

tcpdump shows that the source IP address is still 10.11.195.99. During this time, I verified that the secondary IP address configuration is correct and has 10.11.195.212 and does not contain 10.11.195.99, and the iptables displayed show that POSTROUTING chain contains only one rule for the source IP/source port 10.11.195.212:60003.
The source IP address translation is not working intermittently during reconfiguration. Sometimes, the next new Source IP address will take effect, and I will see the SNAT'ed packets using the new Source IP address. Sometimes it does not work.
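A small check, added here as an example and not part of the original post, that automates the verification described above: it reads the output of `iptables -t nat -S POSTROUTING` and `ip -4 -o addr show dev eno3` (constructed samples below, built from the addresses in this thread) and flags any SNAT rule whose --to-source address is not actually configured on the rule's outgoing interface.

```shell
#!/bin/sh
# Constructed sample: `iptables -t nat -S POSTROUTING` after the reconfiguration.
NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.11.195.45/32 -d 239.168.45.222/32 -o eno3 -p udp -j SNAT --to-source 10.11.195.212:60003'

# Constructed sample of the stale state the thread describes: the rule still maps to .99.
NAT_RULES_STALE='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.11.195.45/32 -d 239.168.45.222/32 -o eno3 -p udp -j SNAT --to-source 10.11.195.99:60003'

# Constructed sample: `ip -4 -o addr show dev eno3` after .99 was deleted and .212 added.
ADDRS='2: eno3    inet 10.11.195.45/25 brd 10.11.195.127 scope global eno3\       valid_lft forever preferred_lft forever
2: eno3    inet 10.11.195.212/25 brd 10.11.195.127 scope global secondary eno3\       valid_lft forever preferred_lft forever'

# check_snat_addrs RULES ADDRS
# Returns 0 when every SNAT rule's --to-source address (port stripped) is
# configured on the interface the rule's -o names; prints each mismatch and
# returns 1 otherwise. Assumes rules carry -o and --to-source, as iptables -S prints them.
check_snat_addrs() {
    rules=$1 addrs=$2 bad=0
    while IFS= read -r rule; do
        case $rule in *"-j SNAT"*) ;; *) continue ;; esac
        ifname=$(printf '%s\n' "$rule" | awk '{for(i=1;i<NF;i++) if($i=="-o") print $(i+1)}')
        to=$(printf '%s\n' "$rule" | awk '{for(i=1;i<NF;i++) if($i=="--to-source") print $(i+1)}')
        snat_ip=${to%%:*}                                   # drop the :port suffix if present
        ip_re=$(printf '%s' "$snat_ip" | sed 's/\./\\./g')  # literal dots in the grep pattern
        if printf '%s\n' "$addrs" | grep -q " $ifname .*inet $ip_re/"; then
            echo "ok: $ifname has $snat_ip"
        else
            echo "MISMATCH: rule SNATs to $snat_ip but $ifname has no such address" >&2
            bad=1
        fi
    done <<EOF
$rules
EOF
    return $bad
}

check_snat_addrs "$NAT_RULES" "$ADDRS"
check_snat_addrs "$NAT_RULES_STALE" "$ADDRS" || echo "stale SNAT mapping detected"
```

On a live host, replace the constructed samples with `"$(iptables -t nat -S POSTROUTING)"` and `"$(ip -4 -o addr show dev eno3)"` and run the check right after the reconfiguration commands.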

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Iptables postrouting SNAT Does not Always Cause Packets to be SNAT'ed with Configured Source IP address in iptables

Post by jlehtone » 2021/08/27 16:12:49

Routing decision occurs before SNAT (as the chain name "POSTROUTING" implies).

You might need Policy-based Routing. See https://access.redhat.com/documentation ... ive-routes


PS. NetworkManager can easily have multiple addresses on a connection (ipv4.addresses). See man nmcli-examples.
However, NM does not solve the routing issue. It does support setting up policy-based routing though.
