
9. Source NAT and Routing

If you are doing SNAT, you will want to make sure that every machine the SNAT'ed packets go to sends its replies back to the NAT box. For example, if you are mapping some outgoing packets onto the source address 1.2.3.4, then the outside router must know that it is to send reply packets (which will have destination 1.2.3.4) back to this box. This can be done in the following ways:

  1. If you are doing SNAT onto the box's own address (for which routing and everything already works), you don't need to do anything.
  2. If you are doing SNAT onto an unused address on the local LAN (for example, you're mapping onto 1.2.3.99, a free IP on your 1.2.3.0/24 network), the outside router will ARP for that address on the LAN, so your NAT box will need to respond to ARP requests for that address as well as its own: the easiest way to do this is to create an IP alias, e.g.:
    # ip address add 1.2.3.99 dev eth0
    
  3. If you are doing SNAT onto a completely different address, you will have to ensure that the machines the SNAT'ed packets will hit route this address back to the NAT box. This is already the case if the NAT box is their default gateway; otherwise you will need to advertise a route (if running a routing protocol) or manually add a route on each machine involved.
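The three cases above as one script, added here as an example and not part of the HOWTO itself: given the chosen SNAT address, the NAT box's own address and the LAN prefix, it works out which case applies and prints (never runs) the commands that case needs. The addresses (1.2.3.4 for the NAT box, 1.2.3.0/24 for the LAN, eth0) are hypothetical, and for case 3 it assumes the peers that need a route share a link with the NAT box's own address; on a more distant router the next hop would be the NAT box's address on that router's link instead.

```shell
#!/bin/sh
# Added example (not from the NAT HOWTO). Classifies a SNAT address into the
# HOWTO's three routing cases and prints the commands each needs. Pure POSIX sh;
# nothing here touches the running system. Addresses below are hypothetical.

ip4_to_int() {
    # Dotted quad -> 32-bit integer, e.g. 1.2.3.4 -> 16909060
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_prefix() {
    # in_prefix ADDR NET/LEN: true when ADDR lies inside NET/LEN
    net=${2%/*}
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

snat_case() {
    # snat_case SNAT_ADDR OWN_ADDR LAN_PREFIX: prints 1, 2 or 3 (the HOWTO's cases)
    if [ "$1" = "$2" ]; then
        echo 1                       # the box's own address: routing already works
    elif in_prefix "$1" "$3"; then
        echo 2                       # a free address on the LAN: must answer ARP for it
    else
        echo 3                       # a foreign address: peers need a route back
    fi
}

snat_plan() {
    # snat_plan SNAT_ADDR OWN_ADDR LAN_PREFIX DEV: print the commands for the case
    snat=$1 own=$2 lan=$3 dev=$4
    echo "# on the NAT box: rewrite the source of packets leaving $dev to $snat"
    echo "iptables -t nat -A POSTROUTING -o $dev -j SNAT --to-source $snat"
    case $(snat_case "$snat" "$own" "$lan") in
    1)
        echo "# case 1: $snat is this box's own address, nothing more to do" ;;
    2)
        echo "# case 2: $snat is inside $lan; check nobody else answers for it,"
        echo "# then alias it so this box replies to ARP for it"
        echo "arping -c 3 -I $dev $snat    # expect no reply (address is free)"
        echo "ip address add $snat dev $dev" ;;
    3)
        echo "# case 3: $snat is outside $lan; every peer that does not already use"
        echo "# $own as its default gateway needs a host route back (run on the peer,"
        echo "# assuming it shares a link with $own):"
        echo "ip route add $snat/32 via $own" ;;
    esac
}

# Example run (hypothetical LAN): map onto a spare LAN address, case 2.
snat_plan 1.2.3.99 1.2.3.4 1.2.3.0/24 eth0
```

The arping check matters in case 2: if some other host already answers for the "free" address, the alias turns it into an address conflict and replies to your SNAT'ed traffic will land on the wrong machine.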

