
I'm running an iptables firewall with 5 aliased IP addresses (actual IP 10.64.18.1). This machine is also my gateway out for all internal machines (192.168.18.*). My problem is, when 192.168.18.65 goes out, I need my gateway to say the IP is 10.64.18.107 and not 10.64.18.1. Is this possible? Is there a POSTROUTING command that will do this?

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [276:56637]

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i br1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o br1 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 2048:2248 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

*nat
:PREROUTING ACCEPT [1558:188540]
:POSTROUTING ACCEPT [55:4040]
:OUTPUT ACCEPT [87:6458]
-A PREROUTING -i br1 -p tcp -m tcp -d 10.64.18.107 --dport 2048:2248 -j DNAT --to-destination 192.168.18.65
-A PREROUTING -i br1 -p tcp -m tcp -d 10.64.18.146 --dport 53 -j DNAT --to-destination 192.168.18.50:53
-A PREROUTING -i br1 -p udp -m udp -d 10.64.18.146 --dport 53 -j DNAT --to-destination 192.168.18.50:53
-A PREROUTING -i br1 -p tcp -m tcp -d 10.64.18.144 --dport 21 -j DNAT --to-destination 192.168.18.60:21
-A PREROUTING -i br1 -p tcp -m tcp -d 10.64.18.144 --dport 22 -j DNAT --to-destination 192.168.18.60:22
-A PREROUTING -i br1 -p tcp -m tcp -d 10.64.18.126 --dport 22 -j DNAT --to-destination 192.168.18.126:22
-A PREROUTING -i br1 -p tcp -m tcp -d 10.64.18.118 --dport 22 -j DNAT --to-destination 192.168.18.118:22
-A POSTROUTING -o br1 -j MASQUERADE
COMMIT
dan

1 Answer


Use source NAT (SNAT) rules instead of MASQUERADE. This lets you control the source address, so you can do something like this:

iptables -t nat -A POSTROUTING -o br1 \
  -s 192.168.18.65 -j SNAT --to-source 10.64.18.107

And so forth.

If you take a look at the iptables man page, you'll find the following in the description of the MASQUERADE option:

It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target.

larsks
  • Whoops, it looks like you deleted your comment. In any case: Is the `SNAT` rule for 10.64.18.107 matching? That is, when you look at it, is the packet count increasing as packets attempt to go out? – larsks Aug 14 '12 at 22:35
  • Sorry. I realized that I probably need to edit the routing table on the gateway for the aliased IP. I haven't had time to play with it yet though. I'll look at it tomorrow. Thanks for your help with this. I think you pointed me in the right direction. – dan Aug 14 '12 at 23:46
  • It started working today... I changed "-A POSTROUTING -o br1 -j MASQUERADE" to "-A POSTROUTING -o br1 -j SNAT --to-source 10.64.18.1" and added "-A POSTROUTING -o br1 -s 192.168.18.65 -j SNAT --to-source 10.64.18.107" right above it and it works great. Thank you so much! – dan Aug 15 '12 at 17:32
  • I'm glad it helped! It would be nice if you could mark this answer as "accepted" by checking the checkmark to the left of the answer. – larsks Aug 15 '12 at 20:39
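The layout larsks describes and dan ended up with, generalized to several internal hosts and written out as an iptables-restore nat fragment, as an added example that is not part of the original answer or comments. It takes the external interface (br1), the gateway's own address (10.64.18.1) and the host/alias pairs from the question; the function and variable names are this example's own, and the catch-all rule is narrowed to 192.168.18.0/24, which the original `-o br1 -j MASQUERADE` rule did not do. The point it demonstrates is ordering: POSTROUTING stops at the first SNAT match, so every per-host rule has to sit above the catch-all.

```shell
#!/bin/sh
# Added example, not from the original answer: build the POSTROUTING part of
# an iptables-restore "*nat" table from a list of 1:1 source mappings.
# Assumptions (labelled): external interface br1, default SNAT address
# 10.64.18.1 and the host -> alias pairs below, all taken from the question.

# Internal host -> external alias, one pair per line. Constructed from the
# question's DNAT rules; extend it with further pairs as needed.
SNAT_MAP='192.168.18.65 10.64.18.107
192.168.18.60 10.64.18.144'

# gen_snat_rules EXT_IF DEFAULT_ADDR
# Emits one SNAT rule per mapping first, then a catch-all for the rest of the
# internal network. The per-host rules must precede the catch-all: POSTROUTING
# takes the first matching SNAT rule and stops, so a catch-all listed first
# would silently hide every specific mapping.
gen_snat_rules() {
    ext_if=$1
    default_addr=$2
    printf '%s\n' "$SNAT_MAP" | while read -r internal external; do
        [ -n "$internal" ] || continue   # skip blank lines in the map
        printf -- '-A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
            "$ext_if" "$internal" "$external"
    done
    # Catch-all, restricted to the internal subnet so only traffic that really
    # comes from inside is rewritten (the original MASQUERADE rule matched any
    # source leaving br1).
    printf -- '-A POSTROUTING -o %s -s 192.168.18.0/24 -j SNAT --to-source %s\n' \
        "$ext_if" "$default_addr"
}

# gen_nat_table EXT_IF DEFAULT_ADDR
# Wraps the rules in the "*nat ... COMMIT" block iptables-restore expects.
gen_nat_table() {
    printf '*nat\n'
    gen_snat_rules "$@"
    printf 'COMMIT\n'
}

# Stand-alone use: print the fragment so it can be reviewed or appended to the
# nat section of an iptables-save file.
gen_nat_table br1 10.64.18.1
```

Load the fragment with `iptables-restore -n` (the `-n` keeps the filter table untouched) and confirm each mapping is actually being hit with `iptables -t nat -L POSTROUTING -v -n`, which is the packet-counter check larsks asks about in the comments. Two things must already be true for the rewritten address to work: the alias has to be configured on br1 (`ip addr show dev br1` should list 10.64.18.107), because the kernel only answers ARP for addresses it owns and return traffic otherwise never reaches the gateway, and the FORWARD chain still decides what is allowed through, since SNAT only changes the source address of packets that are already permitted.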