I am looking for a way in iptables to match forwarded packets where the source address is in the same network as the destination address, without specifying the network.
Of course, when I specify the network, this is simple:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24
But let's say I want to do this for any class C network (and I don't want to specify all of them, obviously).
I looked at the rpfilter match, but according to the manpage:
This match can only be used in the PREROUTING chain of the raw or mangle table.
So that's of no use to me.
The u32 match looks promising, but it is too complex; I don't understand it.
I tried a different approach: match packets that go out on the same interface as they came in, like so:
iptables -t nat -A POSTROUTING -i eth0 -o eth0
but that doesn't work either, since -i cannot be used in the POSTROUTING chain:
iptables v1.4.21: Can't use -i with POSTROUTING
One solution I have thought of is to use packet marking: mark packets coming in on eth0 and match the outgoing interface and the mark in the POSTROUTING chain, like so:
iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 0x01/0xff
iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01/0xff
This works in most cases, based on the assumption that you run only one network on a given interface, but it does not do exactly what I want, since it works on interfaces and not networks.
So as yet the problem is unsolved. I'm not looking for a complete working solution, but for advice about a way to solve this that I have missed. Thanks!
-EDIT-
The reason I need this is as follows. I have a multihomed Linux host, let's call it alice. Alice has an interface eth0, and Bob and Charly are hosts on that network. Some ports on Alice are forwarded with iptables DNAT rules. Let's say I forward Alice's tcp port 456 to port 456 on Bob. I want this forward to work also for traffic coming from hosts on eth0. With only the DNAT rule in place, a packet sent by Charly to Alice port 456 is forwarded to Bob, but its source address remains that of Charly. So, the return packet is sent by Bob to Charly directly, which makes the traffic flow non-symmetrical.
To fix this, I want to SNAT this traffic on Alice. So, if traffic leaves Alice, has a destination address in eth0, and a source address in the eth0 network (but not Alice's) then I need to SNAT it.
This is not hard to do if you specify the address ranges. But now I have several interfaces, and I would like to do this generically.
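One way to get the "generic" behaviour asked for above is to derive each interface's network from the host's own configured addresses and generate one hairpin-SNAT rule per interface. The script below is an added example, not part of the original question; the helper names (net_of, hairpin_rules), the use of MASQUERADE, and the constructed sample of `ip -o -4 addr show` output are assumptions. It only prints the rules, so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): compute each interface's
# IPv4 network from `ip -o -4 addr show` output and print the POSTROUTING rule
# that source-NATs forwarded traffic staying inside that network (the
# Charly -> Alice:456 -> Bob case). Rules are printed, never executed.

# net_of 192.168.1.5/24 -> 192.168.1.0/24
net_of() {
    ip=${1%/*}; plen=${1#*/}
    oldIFS=$IFS; IFS=.; set -- $ip; IFS=$oldIFS
    addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( addr & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$plen"
}

# Reads `ip -o -4 addr show` lines on stdin (fields: index, dev, "inet", CIDR, ...)
# and prints one rule per non-loopback address: packets leaving on $dev whose
# source and destination are both in $dev's network get masqueraded, so the
# reply from Bob comes back through Alice instead of going to Charly directly.
hairpin_rules() {
    while read -r _ dev _ cidr _; do
        [ "$dev" = lo ] && continue
        case $cidr in */*) ;; *) continue ;; esac
        net=$(net_of "$cidr")
        echo "iptables -t nat -A POSTROUTING -o $dev -s $net -d $net -j MASQUERADE"
    done
}

# Constructed sample of `ip -o -4 addr show` output (two LAN interfaces).
SAMPLE='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.5/24 brd 192.168.1.255 scope global eth0
3: eth1    inet 10.7.200.9/20 brd 10.7.207.255 scope global eth1'

# On a real host replace the sample with:  ip -o -4 addr show | hairpin_rules
printf '%s\n' "$SAMPLE" | hairpin_rules
```

The DNAT'd packet already carries Bob's address as destination when it reaches POSTROUTING, so the -s/-d pair matches exactly the Charly-to-Bob case; traffic leaving for other networks is untouched.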