
#1 2017-05-13 23:35:53

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 173

iptables SNAT - replace source IP

Hi all,

I have the following network configuration:

2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 01:12:23:34:45:5f brd ff:ff:ff:ff:ff:ff
    inet xxx.xxx.xxx.xxx/24 brd xxx.xxx.xxx.xxx scope global ens4
       valid_lft forever preferred_lft forever
    inet 192.168.0.2/24 scope global ens4:1
       valid_lft forever preferred_lft forever
    inet 192.168.0.3/24 scope global secondary ens4:2
       valid_lft forever preferred_lft forever

ens4:1 and ens4:2 are both aliases residing on the same network.

I would like to ensure that all traffic leaving the host above is always seen as if it was coming from 192.168.0.3; I would also like all traffic from 192.168.0.2 destined for 192.168.0.3 to show as if the source was 192.168.0.3. I think I know how to replace 192.168.0.2 when it leaves my host (I can test it with tcpdump). But when I'm testing traffic from 192.168.0.2 to 192.168.0.3, tcpdump shows nothing, so I don't know how to ensure my iptables rule worked.

The reason behind this is that I am running postgres-xl on this host, and there can be traffic from this host that is destined for the host itself. Also, because postgres-xl does not offer an authentication mechanism, the only thing I can do is accept traffic only from certain IP addresses (my VPS provider says they guarantee nobody can use my IP addresses).

This question is somewhat of a continuation of this thread: https://bbs.archlinux.org/viewtopic.php?id=225930

Last edited by Gregosky (2017-05-13 23:37:25)


#2 2017-05-14 23:04:31

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: iptables SNAT - replace source IP

Traffic from 192.168.0.2 to 192.168.0.3 on the same host will go via the lo interface (even though the addresses are on the ens4 interface). So you should be able to tell postgres-xl to only listen on the lo interface; then only the local machine can connect to it (alternatively, just drop/reject traffic to postgres-xl on the ens4 interface -- I'm assuming it uses the standard postgres port of 5432?)

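The rule set that follows from fukawi2's answer, as an added example (it is not either poster's configuration): a POSTROUTING SNAT rule scoped to ens4 so that peers see 192.168.0.3, INPUT rules that accept 5432 on ens4 only from listed peers, and a small helper that reads the device out of `ip route get` output to show why the same-host path never shows up on ens4. The interface name, the two aliases and port 5432 come from the thread; the peer addresses in ALLOWED_PEERS and the two sample route lines are constructed.

```shell
#!/bin/sh
# Added example for the setup described above; not the rules of either poster.
# Assumptions (taken from the thread or constructed): the NIC is ens4, the
# aliases are 192.168.0.2 and 192.168.0.3, postgres-xl listens on TCP 5432, and
# the remote nodes allowed to connect are the constructed addresses in ALLOWED_PEERS.

IFACE=ens4
SRC_ALIAS=192.168.0.2
SNAT_TO=192.168.0.3
PG_PORT=5432
ALLOWED_PEERS="192.168.0.10 192.168.0.11"   # constructed; replace with the real node addresses

# nat rule: everything leaving ens4 from 192.168.0.2 is rewritten to 192.168.0.3.
# The "-o ens4" match is why it never touches same-host traffic: that traffic is
# routed out of lo, so it passes POSTROUTING with out-interface lo, not ens4.
snat_rules() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$IFACE" "$SRC_ALIAS" "$SNAT_TO"
}

# filter rules: accept 5432 on ens4 only from the listed peers, reset everything else.
# Same-host connections never arrive on ens4, so the coordinator-to-datanode path is unaffected.
pg_filter_rules() {
    for peer in $ALLOWED_PEERS; do
        printf 'iptables -A INPUT -i %s -p tcp --dport %s -s %s -j ACCEPT\n' \
            "$IFACE" "$PG_PORT" "$peer"
    done
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' \
        "$IFACE" "$PG_PORT"
}

# Extract the outgoing device from one line of `ip route get <dst> from <src>` output.
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Constructed sample answers in the shape `ip route get` prints them: the kernel
# answers "local ... dev lo" for two addresses of the same host, which is why
# tcpdump on ens4 shows nothing for that traffic (watch it with "tcpdump -ni lo port 5432").
LOCAL_ROUTE="local 192.168.0.3 from 192.168.0.2 dev lo table local uid 0"
PEER_ROUTE="192.168.0.10 from 192.168.0.2 dev ens4 uid 0"

case "${1:-}" in
    --live)   # ask this kernel instead of using the constructed lines
        ip route get "$SNAT_TO" from "$SRC_ALIAS"
        ip route get "${ALLOWED_PEERS%% *}" from "$SRC_ALIAS" ;;
    --apply)  # run the generated rules (needs root)
        { snat_rules; pg_filter_rules; } | sh -e ;;
    *)        # default: show the reasoning and the rules without touching the firewall
        echo "# 192.168.0.2 -> 192.168.0.3 leaves via: $(route_dev "$LOCAL_ROUTE")"
        echo "# 192.168.0.2 -> peer leaves via:        $(route_dev "$PEER_ROUTE")"
        snat_rules
        pg_filter_rules ;;
esac
```

Run it without arguments to review the rules, with `--live` to see what the running kernel actually answers for the two paths, and with `--apply` as root to load them. If the same-host connection really must appear to come from 192.168.0.3, a second SNAT rule without the `-o ens4` match (or with `-o lo`) will catch it, because locally generated packets do traverse the nat POSTROUTING hook, just with lo as the outgoing interface; the simpler fix is usually to allow the real source address in pg_hba.conf instead.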

#3 2017-05-17 10:58:48

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 173

Re: iptables SNAT - replace source IP

Thanks @fukawi2. I'm a bit confused when I look at my log:

FATAL:  no pg_hba.conf entry for host "192.168.0.2", user "postgres", database "postgres", SSL off

The above was logged when the coordinator made an attempt to communicate with the data node (both on the same host). It's trying to connect to 192.168.0.3, but it does so from 192.168.0.2 (not 192.168.0.3).

I'll add localhost to my pg_hba; from what you're saying, I gather that's what I should be doing.

Many thanks,
Greg

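A pg_hba.conf fragment matching the log line above, added here as an example and not taken from the poster's file. One caveat a practitioner needs: pg_hba.conf is matched against the client's source address, and the log reports that address as 192.168.0.2, so a 127.0.0.1/32 (localhost) line only helps if the coordinator is reconfigured to connect via 127.0.0.1; otherwise the line that is missing is one for 192.168.0.2/32. The data node address and the coordinator's source address come from the thread; 192.168.0.10 as a remote node is constructed.

```text
# pg_hba.conf (added example). Lines are evaluated top to bottom, first match wins.
# Assumptions: the data node listens on 192.168.0.3, the coordinator on the same host
# connects from 192.168.0.2, and 192.168.0.10 is a remote node (constructed address).

# TYPE  DATABASE  USER      ADDRESS           METHOD

# Connections over the Unix socket on the same box.
local   all       postgres                    peer

# This line alone produces "no pg_hba.conf entry for host 192.168.0.2": the same-host
# connection is routed via lo but still carries 192.168.0.2 as its source address.
host    all       postgres  192.168.0.3/32    trust

# Cover the addresses the log actually shows, one /32 each, instead of widening to 0.0.0.0/0.
host    all       postgres  127.0.0.1/32      trust
host    all       postgres  192.168.0.2/32    trust
host    all       postgres  192.168.0.10/32   trust

# Explicit catch-all so that nothing appended later can silently open the node up.
host    all       all       0.0.0.0/0         reject
```

`trust` mirrors the thread's source-address-only model; where the cluster nodes can be given passwords, `md5` (or certificate authentication) on the same address lines is strictly stronger, since it no longer depends on the provider's promise that nobody else can use those IP addresses. Reload the server after editing (`pg_ctl reload` or `SELECT pg_reload_conf();`).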
