On 30/06/2017 at 00:38, Igor Cicimov wrote:
On 29 Jun 2017 6:32 pm, "Lucio Crusca" <lu...@sulweb.org> wrote:
On 27/06/2017 at 23:35, Pascal Hambourg wrote:
On 27/06/2017 at 13:29, Lucio Crusca wrote:
-A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT
--to-source 10.7.33.100
If this rule is required, then your routing setup is wrong.
Thank you very much, that was the problem. My VMs were using the host
system as gateway instead of the router VM.
Ok, not sure though how does that change anything. As you said the email vm
was receiving traffic with the ip of the router vm as source and since they
are both on the same LAN and connected to the same bridge I don't see how
the default gateway can make any difference? The return traffic was already
going through the router vm hence the need of the SNAT rule on it.
Stateful NAT requires symmetric routing, i.e. reply packets go through
the router that did the NAT operations on original packets and keeps the
state for these NAT operations.
With the host as gateway and without the SNAT rule, routing is asymmetric:
client -> router VM (DNAT) -> server VM
server VM -> host -> client
Reply traffic cannot be un-DNATed and communication fails.
The SNAT rule is a way to force reply traffic through the router VM,
making the routing symmetric:
client -> router VM (DNAT+SNAT) -> server VM
server VM -> router VM (un-DNAT+un-SNAT) -> client
Making the router VM the default gateway for the server VM also makes
routing symmetric without the need of SNAT:
client -> router VM (DNAT) -> server VM
server VM -> router VM (un-DNAT) -> client
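The three paths Pascal describes can be checked with a small simulation. The script below is an added example, not code from anyone in this thread: it models the router VM's connection-tracking table as a dictionary of 4-tuples, applies the thread's DNAT (port 25 to 10.7.33.109) with or without the SNAT to 10.7.33.100, and lets the server VM send its reply either through the VM host (no NAT) or through the router VM. The client only accepts a reply whose source is the public address it connected to, so the asymmetric case fails while both symmetric cases succeed. Addresses 203.0.113.5, 198.51.100.1 and 10.7.33.1, the on-link test, and the one-entry-per-direction conntrack model are constructed simplifications of what Linux actually does.

```python
"""Simulate stateful DNAT/SNAT with symmetric vs. asymmetric return paths."""
from dataclasses import dataclass, replace

# Constructed addresses; SERVER and ROUTER_LAN are the ones in the thread's rules.
CLIENT = "203.0.113.5"        # external mail client (constructed)
ROUTER_WAN = "198.51.100.1"   # public address of the router VM (constructed)
ROUTER_LAN = "10.7.33.100"    # router VM's LAN address, the --to-source of the SNAT
SERVER = "10.7.33.109"        # mail server VM, the DNAT target
LAN_PREFIX = "10.7.33."       # on-link destinations are delivered over the bridge


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class NatRouter:
    """Router VM: DNAT on port 25, optional SNAT, and a conntrack-style table."""

    def __init__(self, snat: bool):
        self.snat = snat
        # Maps the 4-tuple a *reply* will carry -> the original untranslated packet.
        self.table = {}

    def forward(self, pkt: Packet) -> Packet:
        # New connection matching the DNAT rule (PREROUTING --dport 25 -> SERVER).
        if pkt.dst == ROUTER_WAN and pkt.dport == 25:
            translated = replace(pkt, dst=SERVER)
            if self.snat:
                # POSTROUTING SNAT: server sees the router VM as the source.
                translated = replace(translated, src=ROUTER_LAN)
            reply_key = (translated.dst, translated.src,
                         translated.dport, translated.sport)
            self.table[reply_key] = pkt
            return translated
        # Reply direction: only untranslatable if the router holds the state.
        orig = self.table.get((pkt.src, pkt.dst, pkt.sport, pkt.dport))
        if orig is not None:
            # un-DNAT (and un-SNAT): restore the tuple the client expects.
            return Packet(src=orig.dst, dst=orig.src,
                          sport=orig.dport, dport=orig.sport)
        return pkt  # no state for this flow: plain routing, no translation


def host_forward(pkt: Packet) -> Packet:
    """The VM host as gateway: routes the packet but holds no NAT state."""
    return pkt


def server_reply(pkt: Packet) -> Packet:
    """Server VM answers whatever source it saw."""
    return Packet(src=pkt.dst, dst=pkt.src, sport=pkt.dport, dport=pkt.sport)


def server_send(pkt: Packet, router: NatRouter, default_gw) -> Packet:
    """Server's routing decision: on-link goes over the bridge, else via gateway."""
    if pkt.dst.startswith(LAN_PREFIX):
        # Only the router VM is modelled on the LAN; others are assumed absent.
        return router.forward(pkt) if pkt.dst == ROUTER_LAN else pkt
    return default_gw(pkt)


def simulate(snat: bool, router_is_server_gateway: bool):
    """Return (accepted_by_client, packet_as_seen_by_client)."""
    router = NatRouter(snat=snat)
    default_gw = router.forward if router_is_server_gateway else host_forward
    request = Packet(CLIENT, ROUTER_WAN, 40000, 25)
    at_server = router.forward(request)
    at_client = server_send(server_reply(at_server), router, default_gw)
    # The client socket only matches a reply from ROUTER_WAN:25 to its port.
    accepted = at_client == Packet(ROUTER_WAN, CLIENT, 25, 40000)
    return accepted, at_client


if __name__ == "__main__":
    for label, args in [("host gateway, no SNAT", (False, False)),
                        ("host gateway, SNAT", (True, False)),
                        ("router gateway, no SNAT", (False, True))]:
        ok, seen = simulate(*args)
        print(f"{label:25s} -> {'OK' if ok else 'FAIL'}  client sees {seen}")
```

The first scenario reproduces the failure: the reply reaches the client with source 10.7.33.109, a private address the client never connected to, because the host forwarded it without the state held by the router VM. The SNAT variant works only because it drags the reply back to 10.7.33.100; making the router VM the server's default gateway achieves the same symmetry without rewriting the source.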