Different public source IPs from NAT’ed internal servers?


    I have a couple of servers NATed behind a zeroshell box using the Virtual Server feature.

    The ZeroShell box started off with a public IP of x.x.x.1

    Then I created two new IPs on the public ETH0 network (in my public range) so I could use the Virtual Server feature to forward HTTP from each public IP to either server:

    ETH 0

    ZeroShell box has a public IP of x.x.x.1
    Server A has a public IP of x.x.x.2
    Server B has a public IP of x.x.x.3

    ETH 1

    Server A has a NAT’ed internal IP of
    Server B has a NAT’ed internal IP of

    Virtual Server NATs this inbound fine. The problem is with outbound traffic.

    However, I can’t seem to find a configuration option to set the public IP of the server for outgoing traffic (SMTP for instance).

    Both Server A and Server B show their ‘External’ public IP as being that first IP that was added to the Zeroshell box – x.x.x.1

    Is there an easy way I can assign all traffic that goes from Server A to appear that it is coming from x.x.x.2 and Server B to appear that it’s come from x.x.x.3?

    Some sort of SNAT script in startup perhaps?




    Hi all – any takers on this one?

    I’m sure it’s some sort of SNAT switch / option / script but I just can’t find it.

    Many thanks in advance.



    According to what you ask, the rule

    iptables -t nat -A POSTROUTING --source -j SNAT --to-source x.x.x.2

    should do the work for you.
    All you need is to place it on the appropriate line in iptables configuration.


    Thanks for that – could you let me know the best place to put this where I can easily update / add more of these?

    I thought: > SETUP / Startup/Cron / NAT And Virtual Servers Script

    Am I also right that in here I just hit the ‘test’ button to reload the script – or do any changes only take place on restart?




    OK I have added the iptables line into ‘NAT/Virtual Server Scripts’ – hit test & restarted the box also. However, when checking the external IP of the internal server on – I’m still not getting the correct x.x.x.2 IP coming up – I’m still getting the first external IP which is x.x.x.1.

    From IPTABLES – this shows that the scripted rule is in there (see bold)

    Any ideas?




    Chain POSTROUTING (policy ACCEPT 6 packets, 698 bytes)
    pkts bytes target prot opt in out source destination
    303 21842 SNATVS all -- * *
    295 21051 MASQUERADE all -- * ETH00
    0 0 MASQUERADE all -- * ETH02.252
    0 0 MASQUERADE all -- * ETH02.253
    0 0 SNAT all -- * * to:x.x.x.2
    8 791 OpenVPN all -- * *


    Aha – I had MASQUERADE on – took it off the ETH0 interface, and this seems to work now!



    The problem is the sequence that is not correct. If you use the iptables command with -A switch, the rule is appended to the POSTROUTING chain. You should use the -I switch instead with which you can specify the position where to insert the rule. In other words try to replace

    iptables -t nat -A POSTROUTING --source -j SNAT --to-source x.x.x.2

    with

    iptables -t nat -I POSTROUTING 2 --source -j SNAT --to-source x.x.x.2
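
The ordering problem described in the last reply, as an added example that is not part of the thread: a bash function that reads rules in `iptables -t nat -S POSTROUTING` format and flags any SNAT rule placed after an unrestricted MASQUERADE rule. The addresses 10.0.0.10 and 203.0.113.2 are constructed placeholders (the thread's real addresses are not shown), and the check assumes the server's traffic leaves through the masqueraded interface.

```shell
#!/usr/bin/env bash
# Added example: audit nat/POSTROUTING order for SNAT rules that can never match.
# Input format: lines as printed by `iptables -t nat -S POSTROUTING`.

# Constructed samples: 10.0.0.10 stands in for Server A's internal IP and
# 203.0.113.2 for x.x.x.2; the SNATVS and OpenVPN jumps are left out.
sample_appended() {   # rule added with -A, so it lands after MASQUERADE
cat <<'EOF'
-P POSTROUTING ACCEPT
-A POSTROUTING -o ETH00 -j MASQUERADE
-A POSTROUTING -s 10.0.0.10/32 -j SNAT --to-source 203.0.113.2
EOF
}
sample_inserted() {   # rule added with -I, so it lands before MASQUERADE
cat <<'EOF'
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.10/32 -j SNAT --to-source 203.0.113.2
-A POSTROUTING -o ETH00 -j MASQUERADE
EOF
}

# Prints one line per SNAT rule: "<position> <source> <to-source> ok|shadowed".
# NAT targets are terminating: the first matching rule picks the source IP, so
# an earlier MASQUERADE with no -s/-d restriction wins over a later SNAT rule.
audit_postrouting() {
  awk '
    $1 != "-A" || $2 != "POSTROUTING" { next }
    {
      pos++; src = "any"; tgt = ""; to = ""; narrowed = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-s" || $i == "--source") { src = $(i+1); narrowed = 1 }
        if ($i == "-d" || $i == "--destination") narrowed = 1
        if ($i == "-j") tgt = $(i+1)
        if ($i == "--to-source") to = $(i+1)
      }
      if (tgt == "MASQUERADE" && !narrowed) catchall = 1
      if (tgt == "SNAT") print pos, src, to, (catchall ? "shadowed" : "ok")
    }'
}

# Show the verdict for both constructed rule sets.
sample_appended | audit_postrouting
sample_inserted | audit_postrouting
```

On a live box the same function can be fed with `iptables -t nat -S POSTROUTING | audit_postrouting`; a zero packet counter on the SNAT line, as in the listing above, is the matching symptom.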

