Different public source IPs from NAT’ed internal servers?

[jeffrhysjones]

I have a couple of servers NATed behind a zeroshell box using the Virtual Server feature.

The ZeroShell box started off with a public IP of x.x.x.1

Then I created two new IPs on the public ETH0 network (in my public range) so I could use the Virtual Server feature to forward HTTP from each public IP to either server:

ETH 0

ZeroShell box has a public IP of x.x.x.1
Server A has a public IP of x.x.x.2
Server B has a public IP of x.x.x.3

ETH 1

Server A has a NAT’ed internal IP of 192.168.0.2
Server B has a NAT’ed internal IP of 192.168.0.3

Virtual Server NATs this inbound fine. The problem is with outbound traffic.

However, I can’t seem to find a configuration option to set the public IP of the server for outgoing traffic (SMTP for instance).

Both Server A and Server B show their ‘External’ public IP as being that first IP that was added to the Zeroshell box – x.x.x.1

Is there an easy way I can assign all traffic that goes from Server A 192.168.0.2 to appear that it is coming from x.x.x.2 and Server B 192.168.0.3 to appear that it’s come from x.x.x.3?

Some sort of SNAT script in startup perhaps?

Cheers,

Jeff

[jeffrhysjones]

Hi all – any takers on this one.

I’m sure it’s some sort of SNAT switch / option / script but I just can’t find it.

Many thanks in advance.

Jeff

[ppalias]

Hi,
according to what you ask the rule

iptables -t nat -A POSTROUTING --source 192.168.0.2 -j SNAT --to-source x.x.x.2

should do the work for you.
All you need is to place it on the appropriate line in iptables configuration.

[jeffrhysjones]

Thanks for that – could you let me know the best place to put this where I can easily update / add more of these?

I thought: > SETUP / Startup/Cron / NAT And Virtual Servers Script

Am I also right that in here I just hit the ‘test’ button to reload the script – or do any changes only take place on restart?

Cheers,

Jeff

[jeffrhysjones]

OK I have added the iptables line in to ‘NAT/Virtual Server Scripts’ – hit test & restarted the box also. However, when checking the external IP of the internal server on 192.168.0.2 – I’m still not getting the correct x.x.x.2 IP coming up – I’m still getting the first external IP which is x.x.x.1.

From IPTABLES – this shows that the scripted rule is in there (see bold)

Any ideas?

Cheers,

Jeff

>>>>>>>>>>>>>>>>>>>>>>>>>

Chain POSTROUTING (policy ACCEPT 6 packets, 698 bytes)
pkts bytes target prot opt in out source destination
303 21842 SNATVS all — * * 0.0.0.0/0 0.0.0.0/0
295 21051 MASQUERADE all — * ETH00 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all — * ETH02.252 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all — * ETH02.253 0.0.0.0/0 0.0.0.0/0
0 0 SNAT all — * * 192.168.0.2 0.0.0.0/0 to:x.x.x.2
8 791 OpenVPN all — * * 0.0.0.0/0 0.0.0.0/0

[jeffrhysjones]

Aha – I had MASQUERADE on – took it off the ETH0 interface, and this seems to work now!

Jeff

[imported_fulvio]

The problem is the sequence that is not correct. If you use the iptables command with -A switch, the rule is appended to the POSTROUTING chain. You should use the -I switch instead with which you can specify the position where to insert the rule. In other words try to replace

iptables -t nat -A POSTROUTING –source 192.168.0.2 -j SNAT –to-source x.x.x.2

with

iptables -t nat -I POSTROUTING 2 –source 192.168.0.2 -j SNAT –to-source x.x.x.2

Regards
Fulvio

[Author]

Posts