SNAT – making IPs local
SNAT (Sender Network Address Translation) under iptables on Linux. It is used where you need to change the IP address that a packet appears to come from. Great for when you need to make traffic look local.
Picture a scenario where a company has two separate connections to the Internet (possibly via different suppliers):

[Figure: A network using SNAT]
Web traffic can happily arrive and exit via Router A, as this is the default gateway for the Web Server. However, rather than having two web servers with the same content, the intention is to have web traffic from Router B forwarded to the Web Server. The issue becomes the source IP address. The Web Server will happily accept the packets of data, but will then send its replies out via its default gateway, namely Router A. Responses will never succeed and the connection will seemingly fail.
Cue SNAT!
It's possible to use SNAT to alter the source IP of the packet - in this case making the packet seemingly come from the Forwarder box. The Web Server will subsequently deem the packet local and pass its reply back via its local routes rather than its default gateway. The Forwarder will then accept the reply and route it to the original IP that made the request via Router B.
In the above example, the forwarding and SNAT iptables rules for the Forwarder box would be as follows:
$ iptables -t nat -A PREROUTING -p tcp -d 9.8.7.7 --dport 80 -j DNAT --to-destination 10.0.0.1
$ iptables -t nat -A POSTROUTING -p tcp -o eth1 -j SNAT --to-source 10.0.0.2
Notice that the second Ethernet card (eth1) was specified in the SNAT rule rather than an IP address, to ensure that ALL packets leaving that interface are affected; this is because all traffic exiting eth1 in the above example is considered local traffic. However, it is possible to restrict exactly which IPs the rule should apply to if necessary.
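As an added example that is not part of the original article, the following Python model walks one request and its reply through the Forwarder's DNAT and SNAT rules and the connection-tracking entry they create, showing why the reply only comes back via the Forwarder when SNAT is applied. The LAN prefix 10.0.0.0/24 and the client address 203.0.113.5 are assumed; the other addresses are the article's.

```python
from dataclasses import dataclass, replace
import ipaddress

# Addresses from the article: 9.8.7.7 (public IP reached via Router B), 10.0.0.1 (Web Server),
# 10.0.0.2 (Forwarder, eth1). The LAN prefix and the client 203.0.113.5 are constructed samples.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Forwarder:
    """Models the two nat-table rules plus the conntrack entry they leave behind."""
    def __init__(self, public_ip="9.8.7.7", web_ip="10.0.0.1", local_ip="10.0.0.2", snat=True):
        self.public_ip, self.web_ip, self.local_ip, self.snat = public_ip, web_ip, local_ip, snat
        self.conntrack = {}  # translated (src, sport, dst, dport) -> original request packet

    def forward(self, pkt):
        orig = pkt
        # PREROUTING: -p tcp -d 9.8.7.7 --dport 80 -j DNAT --to-destination 10.0.0.1
        if pkt.dst == self.public_ip and pkt.dport == 80:
            pkt = replace(pkt, dst=self.web_ip)
        # POSTROUTING: -p tcp -o eth1 -j SNAT --to-source 10.0.0.2 (eth1 faces the LAN)
        if self.snat and ipaddress.ip_address(pkt.dst) in LOCAL_NET:
            pkt = replace(pkt, src=self.local_ip)
        self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = orig
        return pkt

    def reply(self, pkt):
        """Un-NAT a reply from the Web Server using the stored conntrack entry."""
        orig = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if orig is None:
            return None  # no matching connection: the Forwarder never saw this flow
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)

def web_server_egress(pkt):
    """The Web Server's routing decision: on-link destination, or its default gateway."""
    return "Forwarder" if ipaddress.ip_address(pkt.dst) in LOCAL_NET else "Router A"

def trace(snat):
    """Run one request/reply through the setup; return (server-side request, egress, un-NATed reply)."""
    fw = Forwarder(snat=snat)
    req = fw.forward(Packet("203.0.113.5", 40000, "9.8.7.7", 80))
    srv_reply = Packet(req.dst, req.dport, req.src, req.sport)
    egress = web_server_egress(srv_reply)
    back = fw.reply(srv_reply) if egress == "Forwarder" else None  # via Router A it never returns
    return req, egress, back
```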