Iptables – DNAT on the POSTROUTING chain

firewalliptables

What happens if I try to do a DNAT in the POSTROUTING chain of the NAT table in iptables?

Suppose I change the destination IP of the packet in the POSTROUTING chain to an address that should get routed via a different interface. What would happen to the packet?

Would the host be able to route the packet to the correct interface even after all the routing decisions have been made.
Or would the packet still be sent via the interface which was decided in the routing decisions before.

Best Answer

Both options are incorrect. The right answer is :

An error will occur.

Because DNAT can only be used in PREROUTING or OUTPUT chains.

Related Solutions

Iptables and SNAT

Remove the three rules you have above and try adding this:

$IPTABLES -t NAT -A POSTROUTING -s 192.x.y.a -j SNAT 192.x.y.b
$IPTABLES -A FORWARD -s 192.x.y.a -J ACCEPT

And enter the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

You should also have a rule similar to the following in your firewall:

$IPTABLES -t FILTER -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That will take care of all established/related connections, instead of making a rule for each one.

Iptables – Postrouting rule in NAT table

No. There is only one target (-j) per rule. The -j SNAT is exclusive, you can't provide two targets for a rule. If you need to accept the packet, the 'ACCEPT' target should be used in the 'FORWARD' chain of the 'filter' table.

Packets are only dropped if there is a rule to drop them, or if the default policy of the 'FORWARD' chain is 'DROP'. In both case, these counters are updated.

More likely, routing is not enabled or your routing tables are not complete.

To enable routing:

sysctl net.ipv4.ip_forward=1

Best Answer

Related Solutions

Iptables and SNAT

Iptables – Postrouting rule in NAT table

Related Topic