1

I have following setup:

ip addr:

2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 01:12:23:34:45:5f brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.xxx/24 brd xxx.xxx.xxx.xxx scope global ens4
       valid_lft forever preferred_lft forever
    inet 192.168.0.2/24 scope global ens4:1
       valid_lft forever preferred_lft forever
    inet 192.168.0.3/24 scope global secondary ens4:2
       valid_lft forever preferred_lft forever

I would like to have all traffic from 192.168.0.2 destined to 192.168.0.3 to show as if the source was 192.168.0.3.

The reason is I have speciffic configuration on postgres that I cannot change. This postgres is only accepting connections when source is 192.168.0.3, so if source becomes 192.168.0.2 then connection will be refused.

The above questions is result of answer received here: How to add ip route to route traffic through interface when destination is also that interface (it is not possible to change source IP address with static routes when two aliases are configured within the same network)

The answer to following question seems to be related to my question although it does not result in rule being added: https://unix.stackexchange.com/questions/243451/iptables-change-local-source-address-if-destination-address-matches

I already tried following nat rules:

iptables -t nat -A POSTROUTING -o ens4 -j MASQUERADE
iptables -A FORWARD -i ens4 --source 192.168.0.2/32 -o 192.168.0.3 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ens4 --source 192.168.0.2/32 -o 192.168.0.3 -j ACCEPT

Above derived from here: http://www.revsys.com/writings/quicktips/nat.html

Greg0ry
  • 107
  • 1
  • 12
  • Have you tried a proxy? Will it accept connections from `127.0.0.1`? – chicks May 14 '17 at 02:06
  • My postgres is configured in such a way that it knocks to `192.168.0.3` and never to `127.0.0.1` (I have no control over this configuration, it's part of bigger setup that I'm not maintainer of). My problem is that if it knocks to `192.168.0.3` it tries to do this from `192.168.0.2` and not from `192.168.0.3`. Proxy is not an option unfortunately. – Greg0ry May 14 '17 at 22:23
  • Please, can you confirm that your Postgresql is running on the very same node, where you have both `192.168.0.2` and `192.168.0.3` addresses configured? Also, please, can you tell us *HOW* you're going to connect to Postgresql: with `psql`? with a custom script? perl? python? PHP? other? – Damiano Verzulli May 15 '17 at 20:19
  • There can be other postgresql nodes communicating with this node and they should connect only via `192.168.0.3` . Clients connect only via `192.168.0.3`. – Greg0ry May 16 '17 at 16:41

2 Answers2

4

I've checked answer that you mentioned in your question and tried to configure iptables like it was mentioned there. Tested with nginx on my virtual machine with CentOS and it works.

Try to use this rule:

iptables -t nat -A POSTROUTING --destination 192.168.0.3/32 -j SNAT --to-source 192.168.0.3

In my case this rule work even with disabled IP Forwarding, so try it.

Update:

For all outgoing traffic you shoud use rule:

iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.0.3
Alexander Tolkachev
  • 4,608
  • 3
  • 14
  • 23
  • Will this work only for traffic originating from `192.168.0.2` (i.e. local interface)? I wonder how would this affect other traffic destined to `192.168.0.3`, originating from other hosts. I have been reading and it seems if I have two aliases then traffic from one alias to another goes through lo, does not even reach network (I'm not sure how far/close it is). So I'm now testing just enabling lo within my `pg_hba.conf`. But I'll give your advice a go too. – Greg0ry May 16 '17 at 00:15
  • @Greg0ry this rule should affect only traffic from local machine, other machines in network will work as they work. – Alexander Tolkachev May 16 '17 at 07:00
1

Type ip route get 192.168.0.3 to see what route is actually taken.

On my box (debian), I was able to do what you want by typing:

sudo ip route change local 192.168.0.3 dev lo src 192.168.0.3

Also, don't know which tools you're using to connect to 192.168.0.3, but most of them will let you specify which IP source to use.

Xavier Nicollet
  • 620
  • 4
  • 10