Simultaneous iptables POSTROUTING for SNAT and MASQUERADE block outgoing ssh
I am using iptables on a virtualized host to distribute services using one IP to different virtual machines (VMs). This works well with DNAT in PREROUTING and SNAT in POSTROUTING. Furthermore, I am able to access the internet from the virtual machine by using MASQUERADE in POSTROUTING.

My problems start if I try to use ssh from a VM that provides the webserver and has SNAT configured for packets coming from this VM. It only works once I disable SNAT.

Is it possible to limit SNAT to replies to external requests (e.g. webserver requests, incoming FTP or DNS) while masquerading traffic originating from the VM? Interestingly, simple things like wget from the VM work correctly.



The relevant part from iptables:



:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p tcp -s 192.168.x.y -o xenbr1 -j SNAT --to a.b.c.d
-A POSTROUTING -p udp -s 192.168.x.y -o xenbr1 -j SNAT --to a.b.c.d
-A POSTROUTING -s 192.168.0.0/255.255.0.0 -j MASQUERADE
      iptables
      asked Jun 16 '14 at 4:39
Martin
          1 Answer
          Replace



          -A POSTROUTING -s 192.168.0.0/255.255.0.0 -j MASQUERADE


          With



          -A POSTROUTING -s 192.168.0.0/255.255.0.0 -o <internet interface> -j MASQUERADE


          in the configuration. This makes sure that only packets routed to the outgoing interface of dom0 will be masqueraded.
                answered Jun 16 '14 at 17:38
Tero Kilkanen
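The pitfall the answer fixes, a NAT rule in POSTROUTING that is not restricted to the internet-facing interface, is easy to reintroduce later. As an added example (not code from the question or the answer), the script below lints iptables-save style output for SNAT/MASQUERADE rules that carry no `-o`/`--out-interface` match, using the question's ruleset as constructed input; `eth0` stands in for the answer's `<internet interface>` placeholder.

```shell
#!/bin/sh
# Added example: lint nat POSTROUTING rules (iptables-save format) and report
# SNAT/MASQUERADE targets that have no outgoing-interface match, the pitfall
# the answer fixes by adding "-o <internet interface>". Sample rules are
# constructed from the question; eth0 is an assumed internet interface.

# Read rules on stdin, print each unscoped NAT rule; exit 1 if any was found.
lint_postrouting() {
    awk '
        $1 == "-A" && $2 == "POSTROUTING" {
            target = ""; has_oif = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-o" || $i == "--out-interface") has_oif = 1
            }
            if ((target == "SNAT" || target == "MASQUERADE") && !has_oif) {
                print "unscoped " target ": " $0
                found = 1
            }
        }
        END { if (found) exit 1 }
    '
}

# Number of unscoped rules in a ruleset passed as one string.
count_unscoped() {
    printf '%s\n' "$1" | lint_postrouting | wc -l | tr -d ' '
}

# Constructed sample: the ruleset from the question (MASQUERADE without -o) ...
BROKEN_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p tcp -s 192.168.x.y -o xenbr1 -j SNAT --to a.b.c.d
-A POSTROUTING -p udp -s 192.168.x.y -o xenbr1 -j SNAT --to a.b.c.d
-A POSTROUTING -s 192.168.0.0/255.255.0.0 -j MASQUERADE
COMMIT'

# ... and the same ruleset with the answer's fix applied.
FIXED_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p tcp -s 192.168.x.y -o xenbr1 -j SNAT --to a.b.c.d
-A POSTROUTING -p udp -s 192.168.x.y -o xenbr1 -j SNAT --to a.b.c.d
-A POSTROUTING -s 192.168.0.0/255.255.0.0 -o eth0 -j MASQUERADE
COMMIT'

# Demo: the question's ruleset trips the check, the fixed one passes silently.
printf '%s\n' "$BROKEN_RULES" | lint_postrouting || echo '=> add "-o <internet interface>" to the flagged rule'
printf '%s\n' "$FIXED_RULES" | lint_postrouting && echo 'fixed ruleset: all NAT rules scoped to an interface'
```

On a live host the same check runs as `iptables-save -t nat | lint_postrouting`.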