Forcing traffic to come from a specific IP

Sometimes it is desirable to force certain types of traffic, or services that offer no setting for it, to use a specific source IP address. Fortunately, iptables can do this easily. A couple of examples:

Make all outgoing traffic on eth0 come from 127.23.0.4:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 127.23.0.4

Or, for a more specific example, make all outgoing SMTP connections come from 127.23.0.4:

iptables -t nat -A POSTROUTING -p tcp ! -s 127.0.0.1 --dport 25 -j SNAT --to-source 127.23.0.4

It's just that simple! Here is an example of what this looks like in practice.

We'll start with an empty NAT ruleset:

[root@www root]# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 537K packets, 87M bytes)
 pkts bytes target     prot opt in     out     source               destination 
Chain POSTROUTING (policy ACCEPT 158K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination 
Chain OUTPUT (policy ACCEPT 158K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination

Connecting to a mailserver we see:

[root@www root]# telnet mail.rackspace.com 25
Trying 64.39.2.181...
Connected to mail.rackspace.com (64.39.2.181).
Escape character is '^]'.
220 mail.rackspace.com ESMTP Sendmail 8.13.1/8.13.1; Fri, 22 Sep 2006 16:10:06 -0500
helo a
250 mail.rackspace.com Hello admin.wackyfunster.com [66.216.68.107], pleased to meet you

So now:

[root@www root]# iptables -t nat -A POSTROUTING -p tcp --dport 25 -j SNAT --to-source 66.216.86.216
[root@www root]# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 537K packets, 87M bytes)
 pkts bytes target     prot opt in     out     source               destination 
Chain POSTROUTING (policy ACCEPT 158K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  any    any     anywhere             anywhere           tcp dpt:smtp to:66.216.86.216
Chain OUTPUT (policy ACCEPT 158K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination 
[root@www root]# telnet mail.rackspace.com 25
Trying 64.39.2.181...
Connected to mail.rackspace.com (64.39.2.181).
Escape character is '^]'.
220 mail.rackspace.com ESMTP Sendmail 8.13.1/8.13.1; Fri, 22 Sep 2006 16:11:12 -0500
helo a
250 mail.rackspace.com Hello partytime.wackyfunster.com [66.216.86.216], pleased to meet you

Or:

[root@www root]# iptables -t nat -D POSTROUTING 1
[root@www root]# iptables -t nat -A POSTROUTING -p tcp --dport 25 -j SNAT --to-source 66.216.86.219
[root@www root]# iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 537K packets, 87M bytes)
 pkts bytes target     prot opt in     out     source               destination 
Chain POSTROUTING (policy ACCEPT 158K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  any    any     anywhere             anywhere           tcp dpt:smtp to:66.216.86.219
Chain OUTPUT (policy ACCEPT 158K packets, 20M bytes)
 pkts bytes target     prot opt in     out     source               destination 
[root@www root]# telnet mail.rackspace.com 25
Trying 64.39.2.181...
Connected to mail.rackspace.com (64.39.2.181).
Escape character is '^]'.
220 mail.rackspace.com ESMTP Sendmail 8.13.1/8.13.1; Fri, 22 Sep 2006 16:12:27 -0500
helo a
250 mail.rackspace.com Hello transcendlinux.com [66.216.86.219], pleased to meet you

And there you have it!!
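The two rules at the top of the post and the session above are typed by hand; the script below is an added example (not part of the original post) that wraps the same POSTROUTING SNAT rule in functions that validate the port and the --to-source address, warn when that address is not configured on the host (replies to SNATed packets never come back otherwise), and add the rule only if `iptables -t nat -C` says it is not already there, so re-running it never stacks duplicates. The interface name, port and the 198.51.100.4 address in the usage comment are placeholders, and iptables plus iproute2 are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: validate and idempotently apply
# the POSTROUTING SNAT rule shown in the text. Interface, port and addresses
# are placeholders chosen by the caller; iptables and iproute2 are assumed.

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
valid_ipv4() {
    local addr octet oldifs
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/empty octet
    esac
    oldifs=$IFS; IFS=.
    set -- $addr                               # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_port PORT: succeed for an integer in 1-65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_snat_rule IFACE DPORT SRC: print the rule spec shared by -C and -A.
build_snat_rule() {
    valid_port "$2" || { echo "invalid port: $2" >&2; return 1; }
    valid_ipv4 "$3" || { echo "invalid --to-source address: $3" >&2; return 1; }
    printf 'POSTROUTING -o %s -p tcp --dport %s -j SNAT --to-source %s\n' "$1" "$2" "$3"
}

# addr_is_local ADDR: succeed if ADDR is configured on some interface here.
# SNAT to an address this host does not own means replies never return.
addr_is_local() {
    ip -4 -o addr show 2>/dev/null | grep -qF " inet $1/"
}

# apply_snat_rule IFACE DPORT SRC: add the rule only if -C reports it absent,
# so running the script twice never duplicates it. DRY_RUN=1 prints the
# commands instead of executing them (useful without root).
apply_snat_rule() {
    local spec
    spec=$(build_snat_rule "$@") || return 1
    addr_is_local "$3" ||
        echo "warning: $3 is not configured on this host; replies will not return" >&2
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec"
        return 0
    fi
    # $spec is intentionally unquoted so it splits into iptables arguments
    iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
}

# Usage (placeholder address):
#   DRY_RUN=1 apply_snat_rule eth0 25 198.51.100.4
#   apply_snat_rule eth0 25 198.51.100.4
```

The rule spec carries `-o IFACE`, unlike the rule in the session above, so only traffic leaving that interface is rewritten; the `-C` check is what makes the script safe to put in a boot script or a configuration-management run.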

Submitted by jkelly on Fri, 2006-09-22 16:17.