I have an iptables rule that translates requests to the same IP from different internal hosts by changing the source port.

iptables -t nat -A POSTROUTING -p tcp -d 173.32.1.2 --dport 873 \
-m state --state NEW,ESTABLISHED -j SNAT --to-source 173.32.1.1:44000-44300

How do I handle responses from that host? How can I match the destination port of the reply packet to the IP of the internal host that's expecting it? This is what I have:

iptables -t nat -A PREROUTING -p tcp -s 173.32.1.1 --sport 873 \
-m state --state ESTABLISHED -j DNAT --to-destination # what do I put here?

An example of what I'm trying to achieve:

Two hosts, 192.168.1.3 and 192.168.1.4, both try to start a connection with 173.32.1.2. The NAT changes the outgoing packets' source address and source port to respectively 173.32.1.1:44000 and 173.32.1.1:44001.

The target 173.32.1.2 replies to both of them, with address and port destinations 173.32.1.1:44000 and 173.32.1.1:44001. Now I want to forward these packets to the original senders, the first to 192.168.1.3 and the second to 192.168.1.4.

    What are you trying to achieve? What do you mean by "handle responses from that host" ? – ALex_hha Apr 28 '16 at 19:46
  • I'll edit the post with an example. – devil0150 Apr 28 '16 at 19:49
  • Is 173.32.1.1 a default router for 192.168.1.3 and .4? Why do you think that source port will be changed to 40000 and 40001? – ALex_hha Apr 28 '16 at 21:03
  • @ALex_hha Yes it's the default router. For the example, I chose two ports at random from the range I specified. They need to be changed, so the destination can tell the two sending hosts apart. – devil0150 Apr 28 '16 at 21:07
  • There is no need in DNAT rule, SNAT will be enough. The default router (173.32.1.1) will find the original source ip (192.168.1.3 and 192.168.1.4) using connection tracking info, imho – ALex_hha Apr 29 '16 at 08:04
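Added example, not part of the question or the comments above: the rule set the poster actually needs, and a by-hand version of the reverse lookup that conntrack performs on every reply, using the addresses and ports from the question. The interface names (eth0 towards 173.32.1.0/24, eth1 towards 192.168.1.0/24) and the two `conntrack -L` lines are my assumptions, constructed to match the example in the question; everything else is standard iptables/conntrack behaviour. The point it demonstrates is the one in the last comment: the nat table only sees the first packet of a connection, the SNAT decision is stored in the conntrack entry, and replies are un-NATed from that entry, so no DNAT rule in PREROUTING is needed (and one with `--state ESTABLISHED` would never match there).

```shell
#!/bin/sh
# Added example (not the poster's code). SNAT with a source-port range and
# the conntrack lookup that maps replies back to the internal host.
# Assumed topology: eth0 faces 173.32.1.0/24, eth1 faces 192.168.1.0/24,
# and this box is the default gateway of the 192.168.1.0/24 hosts.
set -u

EXT_IP=173.32.1.1
TARGET=173.32.1.2
PORT=873
RANGE=44000-44300

# The complete rule set. Only the SNAT rule is required: the nat table is
# consulted for the first packet of a connection only, conntrack records
# the chosen source port, and every later packet in either direction is
# rewritten from that entry. The "-m state" match in the question's SNAT
# rule is therefore redundant, and a DNAT rule in PREROUTING for
# ESTABLISHED replies never fires. Table names are lowercase ("nat").
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -o eth0 -p tcp -d "$TARGET" --dport "$PORT" \
        -j SNAT --to-source "$EXT_IP:$RANGE"
    # Needed only if the FORWARD chain policy is DROP.
    iptables -A FORWARD -i eth1 -o eth0 -p tcp -d "$TARGET" --dport "$PORT" -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Constructed sample of "conntrack -L" output for the two connections in the
# question. Each line carries the original direction (as sent by the internal
# host) followed by the reply direction (as seen after SNAT). Original source
# ports 51344/51345 are invented; NAT ports 44000/44001 are the question's.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.3 dst=173.32.1.2 sport=51344 dport=873 src=173.32.1.2 dst=173.32.1.1 sport=873 dport=44000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.4 dst=173.32.1.2 sport=51345 dport=873 src=173.32.1.2 dst=173.32.1.1 sport=873 dport=44001 [ASSURED] mark=0 use=1'

# reply_dest NAT_PORT: given the destination port of a reply arriving at
# $EXT_IP, print "ip:port" of the internal host the kernel un-NATs it to.
# This is exactly the lookup conntrack does; the answer to "what do I put in
# --to-destination" is "nothing, it is read from this table per connection".
reply_dest() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | awk -v ext="$EXT_IP" -v p="$1" '
        {
            # fields 5-8: original direction, fields 9-12: reply direction
            orig_src = $5;   sub(/^src=/,   "", orig_src)
            orig_sport = $7; sub(/^sport=/, "", orig_sport)
            rep_dst = $10;   sub(/^dst=/,   "", rep_dst)
            rep_dport = $12; sub(/^dport=/, "", rep_dport)
            if (rep_dst == ext && rep_dport == p) {
                print orig_src ":" orig_sport
                exit
            }
        }'
}

# Run as "sh nat.sh apply" on the gateway to install the rules; without an
# argument the script only defines the functions and shows the lookup.
if [ "${1:-}" = apply ]; then
    apply_rules
else
    reply_dest 44000   # reply to 173.32.1.1:44000 goes to 192.168.1.3:51344
    reply_dest 44001   # reply to 173.32.1.1:44001 goes to 192.168.1.4:51345
fi
```

On a live gateway the same check is `conntrack -L -p tcp --reply-port-dst 44000` (conntrack-tools), which prints the entry the kernel uses for that reply. Note that SNAT keeps the client's original source port when it falls inside the given range and only rewrites it otherwise, so the NAT ports will not necessarily be consecutive as in the question's example; what matters is that each entry is unique per connection.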

0 Answers