8

If I set up a Linux iptables MASQUERADE rule for traffic going out of a specific interface, but that interface has multiple IP addresses, how does the source IP get chosen?


As an example, let's suppose I add a rule like:

$ iptables -t nat -A POSTROUTING -o eno1 -j MASQUERADE

…and that interface looks like:

$ ip addr show dev eno1
1: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 94:18:82:35:a2:c1 brd ff:ff:ff:ff:ff:ff
    inet 10.136.122.97/24 scope global eno1
       valid_lft forever preferred_lft forever
    inet 10.136.122.98/24 scope global eno1
       valid_lft forever preferred_lft forever
obeattie
  • Did you achieve the expected behaviour following my answer? – Marco Aug 27 '17 at 13:56
  • @Marco No, I'm not clear what "first IP of the octet" means? However, I think I have found the answer to my own question – Linux installs a default route for the interface when the first address is added with that address as the `src`. – obeattie Sep 17 '17 at 13:31
  • that's what I meant. If you set 10.0.0.1-10.0.0.10 it will come out from the first ip. TY anyway for the downvote's explanation. – Marco Sep 17 '17 at 13:47

2 Answers

5

The masquerade selects an address in the same way as the source address is selected in routing.

So, you can use the ip route get <dst> command to determine the address that will be used as the source address after masquerading.

If you are interested in more details, you can look into the source code.

Anton Danilov
  • Important detail: The source address is selected as if a **local** socket wants to send a packet. That means that you can't e.g. influence it with routing policy rules matching the incoming interface, as the routing decision doesn't take the origin of the packet into account. – cg909 Mar 19 '22 at 22:40
  • The masquerade target makes an **additional** routing decision with respect to the policy routing decision that has been done before at the input path (see the netfilter packet flow diagram). So you can change the routing decision logic with PBR for masqueraded packets in a general way. – Anton Danilov Mar 20 '22 at 07:40
  • yeah, additional routing decisions work. I tested a few cases and e.g. blackhole routes take effect, but preferred source addresses set with PBR don't. – cg909 Mar 20 '22 at 16:23
  • Seems like the masquerade target selects addresses from those assigned on the interface only, without respecting the source address route attribute. – Anton Danilov Mar 20 '22 at 20:33
2

The IP won't be chosen at all. Packets will come out from the first IP of the octet. If you want to have control over this you may handle it with iptables SNAT.

For instance, if you want to send mails and surf the web using one IP and anything else with the other, do:

# -m tcp requires -p tcp, otherwise the kernel rejects the rule (tcp match is only valid for protocol 6)
iptables -t nat -A POSTROUTING -o eno1 -p tcp -m tcp --dport 80 -j SNAT --to 10.136.122.98
iptables -t nat -A POSTROUTING -o eno1 -p tcp -m tcp --dport 443 -j SNAT --to 10.136.122.98
iptables -t nat -A POSTROUTING -o eno1 -p tcp -m tcp --dport 587 -j SNAT --to 10.136.122.98
iptables -t nat -A POSTROUTING -o eno1 -p tcp -m tcp --dport 465 -j SNAT --to 10.136.122.98
iptables -t nat -A POSTROUTING -o eno1 -p tcp -m tcp --dport 25 -j SNAT --to 10.136.122.98

All the rest will come out from 10.136.122.97 through the MASQUERADE target.

My explanation is quite a duplicate anyway: IPTables and SNAT for just two ports

Marco
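Putting the two answers together, here is an added Python example (not code from either poster) that reads the `src` the kernel reports from `ip route get`, which is the address MASQUERADE ends up using, and emulates the POSTROUTING chain with the per-port SNAT rules from the second answer in front of the MASQUERADE fallback. The sample `ip route get` output, the rule table and the set of addresses assigned to eno1 are constructed for this illustration; the live lookup helper assumes the `ip` tool is present.

```python
import re
import subprocess

# Constructed sample of what `ip route get 1.1.1.1` prints on the host in the question.
SAMPLE_ROUTE_GET = "1.1.1.1 via 10.136.122.1 dev eno1 src 10.136.122.97 uid 0 \n    cache \n"

# Addresses assigned to eno1, copied from the question's `ip addr show` output (constructed set).
ENO1_ADDRS = {"10.136.122.97", "10.136.122.98"}

# The SNAT rules from the second answer: tcp --dport -> --to-source address.
SNAT_RULES = {80: "10.136.122.98", 443: "10.136.122.98", 587: "10.136.122.98",
              465: "10.136.122.98", 25: "10.136.122.98"}


def parse_route_src(route_get_output):
    """Return (dev, src) from `ip route get` output: src is what MASQUERADE will pick."""
    m = re.search(r"\bdev (\S+) .*?\bsrc (\S+)", route_get_output)
    if not m:
        raise ValueError("no dev/src fields in route lookup output")
    return m.group(1), m.group(2)


def lookup_route_src(dst):
    """Live variant: ask the kernel directly (needs the `ip` tool and a route to dst)."""
    out = subprocess.run(["ip", "route", "get", dst], capture_output=True,
                         text=True, check=True).stdout
    return parse_route_src(out)


def choose_source(proto, dport, route_get_output, out_iface="eno1", iface_addrs=ENO1_ADDRS):
    """Emulate the nat POSTROUTING chain: -o eno1 SNAT rules first, then -o eno1 MASQUERADE."""
    dev, route_src = parse_route_src(route_get_output)
    if dev != out_iface:
        # Packet leaves via another interface: none of the -o eno1 rules match, no translation.
        return "NONE", None
    if proto == "tcp" and dport in SNAT_RULES:
        addr = SNAT_RULES[dport]
        # Sanity check a practitioner wants: SNAT to an address the interface does not own
        # sends traffic whose replies are never delivered back to this host.
        if addr not in iface_addrs:
            raise ValueError(f"SNAT address {addr} is not assigned to {dev}")
        return "SNAT", addr
    # Everything else hits MASQUERADE, which takes the routing lookup's src address.
    return "MASQUERADE", route_src
```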