Similar questions that don't answer the problem:
https://stackoverflow.com/questions/16038852/iptables-to-modify-source-ip-nothing-in-postrouting-chain-log
In my Linux setup, MASQUERADE is not replacing the source IP.
My setup is as follows:
- On all Nodes (sysctl net.ipv4.ip_forward: 1)
- On all Nodes (Iptables with ACCEPT policies on all chains)
- PC3 is a Linux server with 2 Docker containers, namely PC1 and PC2.
IMPORTANT: I've already tested creating virtual machines, and the problem remains :(
PC1:
eth0 (02:42:c0:a8:00:65):
IPv4: 192.168.0.101
Gateway: 192.168.0.102
Route Rules:
ip route add default via 192.168.0.102 dev eth0
ip -4 -br addr; ip route:
lo UNKNOWN 127.0.0.1/8
eth0@if70 UP 192.168.0.101/16
default via 192.168.0.102 dev eth0
192.168.0.0/16 dev eth0 proto kernel scope link src 192.168.0.10
PC2:
eth0 (02:42:c0:a8:00:66):
IPv4: 192.168.0.102
Gateway: 192.168.0.1
Route Rules:
ip route add default via 192.168.0.1 dev eth0
ip -4 -br addr; ip route:
lo UNKNOWN 127.0.0.1/8
eth0@if72 UP 192.168.0.102/16
default via 192.168.0.1 dev eth0
192.168.0.0/16 dev eth0 proto kernel scope link src 192.168.0.102
PC3:
br-630e93c20055 (02:42:4c:47:1f:4c):
IPv4: 192.168.0.1
enp0s10 (02:00:17:02:3c:eb):
IPv4: 10.0.0.192
Gateway: 10.0.0.1
PS: This gateway (10.0.0.1) is the router
ip -4 -br addr; ip route:
lo UNKNOWN 127.0.0.1/8
enp0s10 UP 10.0.0.192/24
docker0 UP 172.17.0.1/16
br-630e93c20055 UP 192.168.0.1/16
default via 10.0.0.1 dev enp0s10 proto dhcp src 10.0.0.192 metric 100
10.0.0.0/24 dev enp0s10 proto kernel scope link src 10.0.0.192 metric 100
169.254.0.0/16 dev enp0s10 proto dhcp scope link src 10.0.0.192 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.0.0/16 dev br-630e93c20055 proto kernel scope link src 192.168.0.1
192.168.0.101 via 10.0.0.1 dev enp0s10 src 10.0.0.192
Iptables Rules:
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.0.0/16 anywhere
iptables-save -c:
https://pastebin.com/BPRBKymM
PS:
I already tried the following:
iptables -t nat -A POSTROUTING -s 192.168.0.101/32 -j SNAT --to-source 10.0.0.192
This is a PCAP capture from PC2:
https://app.packetsafari.com/analyze/l/dlKtVooBW6-oT3TQ8m8c
Interface: eth0
This is a PCAP capture from PC3:
https://app.packetsafari.com/analyze/l/fFKwVooBW6-oT3TQg287
Interface: All Interfaces
What I want is for the source IP to be 10.0.0.192 in Wireshark, and for the PC1 machine to access the internet.
My idea is the following (instead of the default):
- PC1 (192.168.0.101) sends a packet (ping) to 1.1.1.1
- PC2 (192.168.0.102) forwards this packet to 192.168.0.1 (FORWARD) without changing the source address to 192.168.0.102, that is, the source remains 192.168.0.101
- PC3 (192.168.0.1/br-630e93c20055) receives this packet and does the SNAT (or MASQUERADE) setting the source IP to 10.0.0.192/enp0s10 and forwards the packet to the router.
- Router (10.0.0.1/LAN) does SNAT and forwards packet to IP 1.1.1.1
- The router receives the response and forwards it to PC3 (10.0.0.192)
- PC3 will check internal NAT table and forward to 192.168.0.101
- PC1 will receive the packet and everyone will be happy.
Unsuccessful attempts:
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
I want the routing problem presented step by step in the description to be corrected; I believe it is not a Linux defect but my lack of experience with it.
I apologize for anything, but I'm a novice user.
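As an added diagnostic (my own example, not code from the question or from any answer), using only Python's standard library: it parses the PC3 routing table quoted above, applies the same longest-prefix match the kernel uses, and reports which interface the outbound ping and the de-NATed reply to 192.168.0.101 would leave on. The host route `192.168.0.101 via 10.0.0.1 dev enp0s10` is the entry it flags, because it sends that reply towards the router instead of back through the bridge.

```python
import ipaddress

# Constructed sample: the `ip route` table that PC3 shows in the question.
PC3_ROUTES = """\
default via 10.0.0.1 dev enp0s10 proto dhcp src 10.0.0.192 metric 100
10.0.0.0/24 dev enp0s10 proto kernel scope link src 10.0.0.192 metric 100
169.254.0.0/16 dev enp0s10 proto dhcp scope link src 10.0.0.192 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
192.168.0.0/16 dev br-630e93c20055 proto kernel scope link src 192.168.0.1
192.168.0.101 via 10.0.0.1 dev enp0s10 src 10.0.0.192
"""


def parse_routes(text):
    """Parse `ip route` lines into dicts: net, dev, via (None for connected routes).
    Assumes every token after the destination comes in key/value pairs, as above."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        fields = dict(zip(parts[1::2], parts[2::2]))
        routes.append({"net": ipaddress.ip_network(dst, strict=False),
                       "dev": fields.get("dev"), "via": fields.get("via")})
    return routes


def egress(routes, dst):
    """Longest-prefix match: the route the kernel picks for a packet to dst."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None


def wrong_return_paths(routes):
    """Hosts inside a directly connected subnet whose more specific route goes
    through a gateway on a different interface: conntrack un-NATs the reply to
    that host, then the kernel sends it out the wrong interface."""
    findings = []
    for r in routes:
        if r["via"] is None:
            continue  # a connected route is the reference, not a suspect
        for c in routes:
            if (c["via"] is None and c["net"] != r["net"]
                    and r["net"].subnet_of(c["net"]) and c["dev"] != r["dev"]):
                findings.append((str(r["net"]), r["dev"], c["dev"]))
    return findings


if __name__ == "__main__":
    routes = parse_routes(PC3_ROUTES)
    print("ping to 1.1.1.1 leaves via", egress(routes, "1.1.1.1")["dev"])
    print("reply to 192.168.0.101 leaves via", egress(routes, "192.168.0.101")["dev"])
    for net, dev, lan_dev in wrong_return_paths(routes):
        print(f"{net} is routed out {dev} but its subnet lives on {lan_dev}")
```

Run it against the live table with `ip route | python3 - ` adapted to read stdin, or simply paste a node's `ip route` output into PC3_ROUTES; an empty findings list means every LAN host is reachable through its own bridge.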