
I've got a pair of hosts with very bad routing between the two, but I have a third host that has very good ping to each. To work around the bad routing, I'm setting up the third host to bounce packets back and forth between the two.

This third host has an IP address that isn't used for anything else. My ideal configuration would be, when host 1 sends a packet to host 3, host 3 automatically NATs the source and destination addresses, replacing source=host3 and destination=host2, then forwards the packet.

The inverse should be true: If host2 tries to respond, the packet should go back to host3, which will NAT it back to source=host3, destination=host1. No connection tracking is required -- this can be done entirely statelessly.

Where I'm stuck is in getting both DNAT and SNAT to work at the same time. It seems like, if a packet is handled by DNAT, it's automatically marked to skip the SNAT rules: the DNAT works fine, but the source address isn't getting translated.

What is the proper iptables configuration to achieve this?

CFSworks
    The proper way to do this is to make the third host a VPN server. – Michael Hampton Sep 13 '13 at 23:22
  • Normally I would agree. However, this is a special case where neither end-host is VPN-aware, so the redirection must be completely transparent. – CFSworks Sep 13 '13 at 23:26
  • SNAT and DNAT rules work fine together, you just have to write the rules correctly, which can be a bit tricky because of the order of operations. One must happen before routing and filtering is done, the other must be done afterwards. – Zoredache Sep 13 '13 at 23:38

1 Answer

The strange behavior was due to CONNTRACK. SNAT and DNAT indeed work fine together if nothing else gets in the way.

Also, I've only configured the SNAT and DNAT in one direction. Because there is traffic constantly going through, SNAT and DNAT's automatic reverse translation takes care of the return path for me.

CFSworks
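The rule set the question and answer describe, written out as an added example (this is not code from the thread or from either poster). It assumes a Linux host3 with iptables and the `conntrack` match available; the three addresses are constructed RFC 5737 documentation addresses and can be overridden from the environment. Both directions are written out so that either endpoint can open a connection, and the FORWARD chain is locked down so host3 only relays between these two hosts.

```shell
#!/bin/sh
# Added example for the relay-host question above (not from the thread).
# Addresses are constructed for the example; override them from the environment.
HOST1="${HOST1:-192.0.2.10}"         # first endpoint
HOST2="${HOST2:-198.51.100.20}"      # second endpoint
RELAY_IP="${RELAY_IP:-203.0.113.5}"  # the dedicated, otherwise unused address on host3

# Refuse to build rules that would translate an address onto itself.
check_addresses() {
    [ "$HOST1" != "$HOST2" ] && [ "$HOST1" != "$RELAY_IP" ] && [ "$HOST2" != "$RELAY_IP" ]
}

# Emit the commands as text so they can be reviewed before being applied.
# DNAT runs in PREROUTING (before routing and the FORWARD filter), SNAT in
# POSTROUTING (after both), which is the ordering the comments point at.
# The nat table is only consulted for the first packet of a connection;
# conntrack reverse-translates every later packet, including the replies.
relay_rules() {
    check_addresses || return 1
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $RELAY_IP -s $HOST1 -j DNAT --to-destination $HOST2
iptables -t nat -A PREROUTING -d $RELAY_IP -s $HOST2 -j DNAT --to-destination $HOST1
iptables -t nat -A POSTROUTING -s $HOST1 -d $HOST2 -j SNAT --to-source $RELAY_IP
iptables -t nat -A POSTROUTING -s $HOST2 -d $HOST1 -j SNAT --to-source $RELAY_IP
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $HOST1 -d $HOST2 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -s $HOST2 -d $HOST1 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Apply on host3 as root. Deliberately not called at top level, so the file can
# be sourced or run on a non-router to inspect the rules: ./relay.sh | less
apply_relay_rules() {
    relay_rules | sh -e
}

relay_rules
```

Two points worth knowing when reading this against the answer. First, the answer's observation that one direction is enough holds because the nat table is only evaluated for a connection's first packet; after that, conntrack undoes the SNAT on the reply's destination in PREROUTING and the DNAT on its source in POSTROUTING, so the mirrored rules here only matter when host2 is the one that initiates. Second, netfilter's NAT is built on top of conntrack, so the fully stateless translation the question asks for is not something the nat table can provide; if conntrack is disabled (for example with a NOTRACK rule in the raw table), the DNAT and SNAT rules stop being applied at all.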