Alain D D Williams wrote:
> Hi,
>
> I have problems getting POSTROUTING to work on a Debian 10 box.
>
> Setup:
>
> INTERNET ... Broadband modem 192.168.108.1
>
> Network internal to the Debian box for virtual machines 10.239.239.0/24
>
> Debian has address 192.168.108.2 (interface enp3s0) and 10.239.239.254
> (interface br0)
>
> Processes on Debian 10 can talk to the Internet
>
> Processes on virtual machines (eg 10.239.239.23) can talk to the Debian
> machine (ie 192.168.108.2) on which they are hosted.
>
> If on 10.239.239.23 I ping the BBC (212.58.249.145) and look with a packet
> sniffer on the BB modem I see outgoing addresses 10.239.239.23
>
> This should not happen. I am running an iptables firewall that should fix
> this with the rule below:
>
> iptables -t nat -A POSTROUTING -s 10.239.239.0/24 -j SNAT --to-source 192.168.108.2
>
> I have tried variations like:
> iptables -t nat -A POSTROUTING -o enp3s0 -j SNAT --to-source 192.168.108.2
>
> It is as if the POSTROUTING rule is being ignored.
>
> This seems to be confirmed by the output below which shows that 0 packets
> have been through POSTROUTING.
>
> Can anyone shed any light on this?
I remember it was not only the POSTROUTING. Maybe I am wrong, but I think
FORWARD and OUTPUT are important.

I also wonder why you are mixing up the -s and --to-source. You should be
using the local address for -s and --to-source the translation (the outgoing
addresses 10.239.239.23).

I later switched to shorewall, and since it is doing the iptables rules for
me, now I just have to put some values in a config and would have something
like:

# iptables-save | grep eth0
:eth0_masq - [0:0]
-A PREROUTING -i eth0 -j net_dnat
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.168.xxx.0/24 -j SNAT --to-source 10.0.xxx.1
-A INPUT -i eth0 -j net-fw
-A FORWARD -i eth0 -j net_frwd
-A OUTPUT -o eth0 -j ACCEPT
-A dmz_frwd -o eth0 -j dmz-net
-A loc_frwd -o eth0 -j ACCEPT
-A vpn_frwd -o eth0 -j vpn-net

--
FCD6 3719 0FFB F1BF 38EA 4727 5348 5F1F DCFE BCB0
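The thread above discusses which chains a NAT router needs and how to tell whether the POSTROUTING rule is ever hit. The script below is an added example, not code posted by either participant: it emits a complete filter+nat ruleset in iptables-restore format for the topology Alain describes (enp3s0/192.168.108.2 upstream, br0/10.239.239.0/24 for the VMs, both taken as assumptions from his message), and it includes a small helper that reads `iptables-save -c` output and reports the packet counter on the SNAT rule. The counter output it parses is constructed sample text, not real output from anyone's box.

```shell
#!/bin/sh
# Added example (not from the thread): router ruleset generator plus a
# checker for the SNAT rule's packet counter. Interface names and
# addresses are assumptions copied from Alain's description.

set -eu

WAN_IF=enp3s0           # upstream interface, towards the broadband modem
WAN_IP=192.168.108.2    # address the VMs' traffic is rewritten to
LAN_IF=br0              # bridge carrying the virtual machines
LAN_NET=10.239.239.0/24 # private network behind the box

# Print the whole ruleset. Load it (as root, with forwarding enabled) via:
#   sysctl -w net.ipv4.ip_forward=1 && gen_ruleset | iptables-restore
gen_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# VM -> Internet is allowed; only replies are allowed back in.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# -s matches the private source address; --to-source is what gets written
# into the packet as it leaves on the upstream interface.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
EOF
}

# Read `iptables-save -c -t nat` output on stdin and print the packet count
# recorded on the SNAT rule for LAN_NET ("absent" if no such rule is loaded).
# A counter that stays at 0 while traffic flows means the rule never matched.
snat_packets() {
    awk -v net="$LAN_NET" '
        /^\[/ && /-A POSTROUTING/ && /-j SNAT/ && index($0, "-s " net) {
            cnt = $1                 # e.g. "[42:3528]" = [packets:bytes]
            sub(/^\[/, "", cnt)
            split(cnt, parts, ":")   # parts[1] is the packet count
            print parts[1]
            found = 1
        }
        END { if (!found) print "absent" }'
}

# Constructed sample counter output (not real output from Alain's box):
# the SNAT rule is present but its packet counter is still zero.
SAMPLE_ZERO='*nat
:PREROUTING ACCEPT [12:820]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [3:228]
:POSTROUTING ACCEPT [3:228]
[0:0] -A POSTROUTING -s 10.239.239.0/24 -o enp3s0 -j SNAT --to-source 192.168.108.2
COMMIT'

# Constructed sample after VMs opened new connections through the box.
SAMPLE_HIT='*nat
:PREROUTING ACCEPT [40:2900]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [3:228]
:POSTROUTING ACCEPT [3:228]
[42:3528] -A POSTROUTING -s 10.239.239.0/24 -o enp3s0 -j SNAT --to-source 192.168.108.2
COMMIT'

printf '%s\n' "$SAMPLE_ZERO" | snat_packets   # prints 0
printf '%s\n' "$SAMPLE_HIT" | snat_packets    # prints 42
```

Two things worth remembering when reading those counters on a live box. The nat table is consulted only for the first packet of each connection tracked by conntrack, so a rule added while flows already exist will show 0 until new connections start (or until the old entries are cleared with `conntrack -F`). On Debian 10 the `iptables` command defaults to the nft backend, and rules loaded with `iptables-legacy` live in a separate ruleset that `iptables-save` will not show; `update-alternatives --display iptables` tells you which variant the command name points at.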