I have a host that sends packets to a virtual machine, say on 192.168.0.1/24, with either 192.168.0.11 or 192.168.0.12 as the destination IP. I'm trying to set up the virtual machine as a NAT. It routes the packets, changing the destination IP depending on the original destination IP, so I wasn't able to only use SNAT, as the original IP was getting switched in PREROUTING. What I've been trying to use is the --set-mark flag to mark the packets with either 11 or 12 so the POSTROUTING rules will know which SNAT rule to use. Here are my rules:
iptables -t mangle -A PREROUTING --destination 192.168.0.11 -j MARK --set-mark 11
iptables -t nat -A PREROUTING -m mark --mark 11 -i eth0 -j DNAT --to 20.0.21.11
iptables -t nat -A POSTROUTING -m mark --mark 11 -o eth1 -j SNAT --to-source 20.0.1.1
and
iptables -t mangle -A PREROUTING --destination 192.168.0.12 -j MARK --set-mark 12
iptables -t nat -A PREROUTING -m mark --mark 12 -i eth0 -j DNAT --to 20.0.21.11
iptables -t nat -A POSTROUTING -m mark --mark 12 -o eth1 -j SNAT --to-source 20.0.1.2
My first two rules' counters are incremented if I watch iptables -t mangle/nat -nvL, but the POSTROUTING rule never gets matched. Any ideas on why this would be?
I just thought of this while writing this. The first network is a /24 subnet and I have the second network currently set up as a /8 subnet. Would this affect this in any way?
EDIT
To make things a little more clear.
The first step is that the host sends to either 192.168.0.11/24 or 192.168.0.12/24 from 192.168.0.1/24 to the virtual machine, like so:
                       Destination IPs
     HOST              ================
===============     +--* 192.168.0.11 *--+     ======
* 192.168.0.1 *---     ================     ---* VM *
===============     +--* 192.168.0.12 *--+     ======
                       ================
I then want the virtual machine to forward these packets with both destination IPs changed to 20.0.21.11/8, and then have the source IP changed to either 20.0.21.1/8 or 20.0.21.2/8, depending on what the original destination IP was. Like so:
   Source IPs w/ 20.0.21.11 as Destination IP
              =============
======     +--* 20.0.21.1 *--+     ============
* VM *---     =============     ---* Test rig *
======     +--* 20.0.21.2 *--+     ============
              =============
Also, to be clear, this is a NAT on a private network. There is no internet connection here. Just Host <--> VM <--> Test rig.
EDIT 2
One more drawing to make it a little more clear.
                    Destination IPs         Source IPs
    HOST            ==============         =============        Test rig
=============    +--*192.168.0.11*-+       | 20.0.21.1 *--+  ==============
*192.168.0.1*---    ============== +--* VM |              +--* 20.0.21.11 *
=============    +--*192.168.0.12*-+       | 20.0.21.2 *--+  ==============
                    ==============         =============
Best Answer
Your rules look right; check if you have bridges set up, as these can cause packets' in/out interfaces to get mixed up. You can also add -j LOG rules to watch what gets matched in your logs.
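As an added example (not part of the question or the answer above), here is the poster's mark-based DNAT/SNAT ruleset rewritten in iptables-restore format, with a LOG rule at each hook so the kernel log shows exactly where a packet stops matching and which interface it is leaving by. It assumes eth0 faces the host (192.168.0.0/24) and eth1 faces the test rig (20.0.0.0/8), and it uses the 20.0.21.1 / 20.0.21.2 source addresses from the diagrams rather than the 20.0.1.1 / 20.0.1.2 in the posted rules; those are assumptions, adjust them to your setup.

```shell
#!/bin/sh
# Added example, not from the original post or answer.
# Renders the mark-based NAT ruleset in iptables-restore format and, on
# request, loads it atomically. Assumed interfaces and addresses:
#   eth0 <- host side (192.168.0.0/24), eth1 -> test rig side (20.0.0.0/8)
#   SNAT sources 20.0.21.1 / 20.0.21.2 (the diagrams' values, an assumption)
IN_IF=eth0
OUT_IF=eth1
RIG=20.0.21.11

# Print the full ruleset on stdout. Kept as a function so the text can be
# inspected (or checked) without touching the kernel.
render_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i $IN_IF -d 192.168.0.11 -j MARK --set-mark 11
-A PREROUTING -i $IN_IF -d 192.168.0.12 -j MARK --set-mark 12
-A PREROUTING -i $IN_IF -m mark ! --mark 0 -j LOG --log-prefix "mangle-pre: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $IN_IF -m mark --mark 11 -j DNAT --to-destination $RIG
-A PREROUTING -i $IN_IF -m mark --mark 12 -j DNAT --to-destination $RIG
-A POSTROUTING -m mark ! --mark 0 -j LOG --log-prefix "nat-post: "
-A POSTROUTING -o $OUT_IF -m mark --mark 11 -j SNAT --to-source 20.0.21.1
-A POSTROUTING -o $OUT_IF -m mark --mark 12 -j SNAT --to-source 20.0.21.2
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m mark ! --mark 0 -j LOG --log-prefix "forward: "
COMMIT
EOF
}

# Load the ruleset (root required). Forwarding must be on, or the packet
# never reaches FORWARD / nat POSTROUTING at all.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    render_rules | iptables-restore
}

# Show why a "-o eth1" POSTROUTING rule might not match: the kernel routes
# the packet on its rewritten destination, so the route for $RIG must
# point at $OUT_IF. Also dump the counters that move per packet (mangle,
# filter) next to the nat ones, which move only once per connection.
show_path() {
    ip route get "$RIG"
    iptables -t mangle -nvL PREROUTING
    iptables -nvL FORWARD
    iptables -t nat -nvL POSTROUTING
}

case "${1:-print}" in
    print) render_rules ;;
    apply) apply_rules ;;
    check) show_path ;;
    *) echo "usage: $0 [print|apply|check]" >&2; exit 2 ;;
esac
```

Run it with print to review the ruleset, apply (as root) to load it and enable forwarding, and check after sending traffic. Two things the counters in the question do not tell you: the nat table is consulted only for the first packet of each connection, so its counters move once per flow while mangle and filter counters move per packet; and the LOG lines in the kernel log carry IN= and OUT= fields, which is the fastest way to see whether the DNAT'd packet is really leaving by eth1 (the SNAT rule is restricted to -o eth1, so if ip route get sends it anywhere else the rule can never match).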