[TriLUG] IPTables - disable NAT for a specific source/destination

Brian Henning via TriLUG trilug at trilug.org
Wed Jun 6 11:21:06 EDT 2018


> In the bottom diagram, I want Container 3 (192.168.100.13) to simply get 
> routed to Server 3 (172.16.100.23) such that a packet dump shows the 192.168.100.13 source IP (no NAT).

I now understand what you want.

Server 3 will need to have its own knowledge that the 192.168.100.0 network is reached by way of 172.16.100.10, otherwise it will try to respond by way of its default gateway setting.  That is to say, Server 3's routing table will need to include an entry that says 172.16.100.10 is the gateway to 192.168.100.0 (it can be as specific as 192.168.100.13 if you need it to be). 

Container Gateway will need to know not to mangle packets from 192.168.100.13 destined for 172.16.100.22 (because presumably you don't want to break 192.168.100.13's ability to reach elsewhere).  This (I think) would be handled by modifying the POSTROUTING chain on the nat table to send the desired packets to ACCEPT instead of MASQUERADE.

$ iptables -t nat -A POSTROUTING -s 192.168.100.13 -d 172.16.100.10 -j ACCEPT
$ iptables -t nat -A POSTROUTING -o <outside interface> -j MASQUERADE

The key being the specific non-NATed rule preceding the default NAT rule.

You may need to modify those to put the rules in the correct place in an existing chain.

-B
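An added example, not part of Brian's reply, that turns the two halves of the advice into something checkable: the route Server 3 needs, the gateway's POSTROUTING rules with the exemption inserted ahead of MASQUERADE, and an audit function that reads an iptables-save style dump and confirms the exemption really precedes the first MASQUERADE rule (the ordering mistake is easy to make on a host that already has NAT rules). Assumptions: the outside interface is called eth0, the container subnet is 192.168.100.0/24, and the destination to exempt is Server 3's 172.16.100.23 from the quoted diagram. Nothing here touches a live firewall; the functions print commands and inspect constructed text.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values are marked.

CONTAINER_IP="192.168.100.13"
CONTAINER_NET="192.168.100.0/24"      # assumption: /24 container subnet
GATEWAY_OUTSIDE_IP="172.16.100.10"
SERVER_IP="172.16.100.23"             # assumption: Server 3 from the diagram
OUTSIDE_IF="eth0"                     # assumption: gateway's outside interface

# Route Server 3 needs so replies to the un-NATed source go back through
# the container gateway instead of Server 3's default gateway.
server3_route_cmds() {
    printf 'ip route add %s via %s\n' "$CONTAINER_NET" "$GATEWAY_OUTSIDE_IP"
}

# Gateway rules. The exemption is inserted at position 1 (-I ... 1) so it is
# evaluated before any MASQUERADE rule that may already be in the chain.
gateway_nat_cmds() {
    printf 'iptables -t nat -I POSTROUTING 1 -s %s -d %s -j ACCEPT\n' \
        "$CONTAINER_IP" "$SERVER_IP"
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$OUTSIDE_IF"
}

# Audit: read an iptables-save style dump on stdin and return 0 only if, in
# the nat table's POSTROUTING chain, an ACCEPT rule for CONTAINER_IP appears
# before the first MASQUERADE rule. Returns 1 otherwise (wrong order, or no
# exemption at all). Run as: iptables-save | nat_exemption_precedes_masquerade
nat_exemption_precedes_masquerade() {
    awk -v src="$CONTAINER_IP" '
        BEGIN { gsub(/\./, "\\.", src); seen_accept = 0 }
        /^\*/     { table = substr($0, 2) }     # "*nat", "*filter", ...
        /^COMMIT/ { table = "" }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            # MASQUERADE reached before the exemption: order is wrong.
            if ($0 ~ /-j MASQUERADE/ && !seen_accept) { exit 1 }
            # iptables-save writes single hosts as a.b.c.d/32.
            if ($0 ~ ("-s " src "(/32)? ") && $0 ~ /-j ACCEPT/) { seen_accept = 1 }
        }
        END { exit seen_accept ? 0 : 1 }
    '
}

# Constructed dump in the order the post recommends (not real host output).
SAMPLE_DUMP_OK='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.100.13/32 -d 172.16.100.23/32 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Stand-alone run: show the commands, then audit the constructed dump.
server3_route_cmds
gateway_nat_cmds
if printf '%s\n' "$SAMPLE_DUMP_OK" | nat_exemption_precedes_masquerade; then
    echo "exemption precedes MASQUERADE: order OK"
else
    echo "MASQUERADE would be hit first: 192.168.100.13 will still be NATed"
fi
```

The audit is the part worth keeping around: after editing a chain on a host that already carries NAT rules, `iptables-save | nat_exemption_precedes_masquerade` gives a yes/no answer on whether the specific ACCEPT still sits ahead of the catch-all, which is exactly the condition the reply identifies as the key.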

