Masquerade traffic in forward chain

Hi,

I have a router, router1, with some traffic passing through it, via EOIP.

The EOIP interface on router1 has ip (example) 1.1.1.2/24 and the other end is router2, which holds the 1.1.1.0/24 network.
Router2 has this route: Dst: 3.3.3.0/24 Gw:1.1.1.2

Router1 also has an interface1, with ip 2.2.2.1/24

I need to masquerade all traffic coming through the EOIP, from src: 1.1.1.0/24 to dst: 3.3.3.0/24, out via interface1

The traffic seems to be in the forward chain and the src-nat rule for masq is not seeing it at all. Why is this not considered input traffic, and what can I do to force it into the src-nat chain?

Since the EOIP interface is a part of the src address I want to masq, it should not be any different from any other masq setup?


Regards
Kim

Post an export.

That would not be so easy, I would have to remove a lot of config and change up ip-addresses etc to anonymize.

Is the above explanation not enough to say if masq can be done or not?

A couple of tips:

It’s not the input chain because there is no input/output/forward chain structure in the NAT table - there is only srcnat and dstnat.

In the filter table, this would be forward because neither the source IP address in the packet nor the destination IP in the packet belongs to the router itself. If you’re doing dstnat to map some IP of the router into some other IP, then even that will not be “input” because dstnat happens before the filter table receives the packet. This causes the dst IP address to be the natted target, and not the original destination. Of course if your dstnat is to some other IP address of the router, then THAT would be input, but if you’re natting to some remote host, then it will be a packet that goes through the forward chain.

Also, do not confuse the next hop IP of an IP route with the destination IP of a packet. Suppose a packet with src=a.a.a.a and dst=z.z.z.z
Router P has a route where z.z.z.z is reachable via next hop=q.q.q.q
When router Q receives the packet, the src/dst IP addresses will be a.a.a.a / z.z.z.z (neither p.p.p.p nor q.q.q.q will be on the packet)
routers P and Q will appear as the src/dst MAC addresses - not the IP addresses.

Also - are all of these 1.1.1.0/24 2.2.2.0/24 3.3.3.0/24 address ranges public? If they’re private, there’s no need to obfuscate them…

Lastly, your problem states that you want to masquerade (an N:1 mapping scheme) 1.1.1.0/24 as 3.3.3.0/24 - which implies 1:1 mapping.
Just to clear up this imprecise use of terminology:
Do you want to map 1:1 so that IP 1.1.1.99 appears as 3.3.3.99 beyond the network, or that 1.1.1.X should all appear as a single 3.3.3.X address which is an IP interface of router1?
Masquerade is an N:1 mapping, so if you want 1:1 then you should use netmap instead of masquerade - and since netmap is stateless, you need a srcnat rule mapping 1.1.1.0/24 to 3.3.3.0/24 and a dstnat mapping 3.3.3.0/24 onto 1.1.1.0/24
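To make the two readings concrete, here are the corresponding RouterOS NAT rules (an added example, not posted by anyone in this thread). It assumes the names from the question: the EoIP subnet 1.1.1.0/24, the outbound interface `interface1` with 2.2.2.1/24, and 3.3.3.0/24 as the address range in question.

```routeros
# Both options live in the NAT table (chains srcnat / dstnat only);
# "input" vs "forward" is a filter-table distinction and does not apply here.
/ip firewall nat

# Option A: N:1 masquerade. Every 1.1.1.X host leaving via interface1 towards
# 3.3.3.0/24 is rewritten to interface1's own address (2.2.2.1).
add chain=srcnat src-address=1.1.1.0/24 dst-address=3.3.3.0/24 \
    out-interface=interface1 action=masquerade \
    comment="N:1 - hide EoIP hosts behind interface1 address"

# Option B: 1:1 netmap. 1.1.1.99 appears as 3.3.3.99 and replies to 3.3.3.99
# are mapped back to 1.1.1.99, so a rule is needed in each direction.
add chain=srcnat src-address=1.1.1.0/24 action=netmap to-addresses=3.3.3.0/24 \
    comment="1:1 outbound - 1.1.1.X -> 3.3.3.X"
add chain=dstnat dst-address=3.3.3.0/24 action=netmap to-addresses=1.1.1.0/24 \
    comment="1:1 inbound - 3.3.3.X -> 1.1.1.X"
```

Use only one of the two options. To check whether a rule is actually seeing the traffic, watch its packet counters with `/ip firewall nat print stats` while generating test traffic from a 1.1.1.X host.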