On Fri, Jun 30, 2017 at 3:50 PM, Pascal Hambourg <pas...@plouf.fr.eu.org>
wrote:

> On 30/06/2017 at 00:38, Igor Cicimov wrote:
>
>> On 29 Jun 2017 6:32 pm, "Lucio Crusca" <lu...@sulweb.org> wrote:
>>
>>>
>>> On 27/06/2017 23:35, Pascal Hambourg wrote:
>>>
>>>> On 27/06/2017 at 13:29, Lucio Crusca wrote:
>>>>
>>>>> -A POSTROUTING -d 10.7.33.109/32 -p tcp -m tcp --dport 25 -j SNAT
>>>>> --to-source 10.7.33.100
>>>>
>>>> If this rule is required, then your routing setup is wrong.
>>>
>>> Thank you very much, that was the problem. My VMs were using the host
>>> system as gateway instead of the router VM.
>>>
>>
>> Ok, not sure though how does that change anything. As you said the email
>> vm was receiving traffic with the ip of the router vm as source and since
>> they are both on the same lan and connected to the same bridge I don't see
>> how the default gateway can make any difference? The return traffic was
>> already going through the router vm hence the need of the SNAT rule on it.
>>
>
> Stateful NAT requires symmetric routing, i.e. reply packets go through the
> router that did the NAT operations on original packets and keeps the state
> for these NAT operations.
>
> With the host as gateway and without the SNAT rule, routing is asymmetric:
> client -> router VM (DNAT) -> server VM
> server VM -> host -> client
>
> Reply traffic cannot be un-DNATed and communication fails.
>

I completely agree with that and that's what I would expect to happen.
However, as per OP's initial email (I cite):

"*It works like a charm*, but there is one problem: my mail server receives
all the connections from the router, which has its own private IP address
(10.7.33.100), so the mail server can't enforce SPF policies nor DNS RBL
rules on incoming mail connections."

his setup was working "like a charm" and the only problem was that the
source IP the email server was seeing was the one from the router vm and
not the client one, nothing about failing connections. As if there was
maybe a routing rule on the host like:

10.7.33.0/24 dev virbr10 scope host src 10.7.33.100

Something does not add up ...

> The SNAT rule is a way to force reply traffic through the router VM, making
> the routing symmetric:
> client -> router VM (DNAT+SNAT) -> server VM
> server VM -> router VM (un-DNAT+un-SNAT) -> client
>
> Making the router VM the default gateway for the server VM also makes
> routing symmetric without the need of SNAT:
> client -> router VM (DNAT) -> server VM
> server VM -> router VM (un-DNAT) -> client
>
>

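The three routing cases Pascal lays out above, as an added toy simulation (not code from the thread or from iptables): a minimal connection-tracking model of the router VM, run with the host or the router VM as the mail server's gateway, with and without the SNAT rule. The LAN addresses 10.7.33.100 and 10.7.33.109 are from the thread; the public and client addresses are assumed placeholders.

```python
from dataclasses import dataclass

ROUTER_IP = "10.7.33.100"    # router VM LAN address (from the thread)
SERVER_IP = "10.7.33.109"    # mail server VM (from the thread)
PUBLIC_IP = "203.0.113.10"   # assumed public address on the router VM
CLIENT_IP = "198.51.100.7"   # assumed remote SMTP client

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int

class RouterVM:
    """Toy conntrack: DNAT port 25 to the mail server, optional SNAT to ROUTER_IP."""
    def __init__(self, snat):
        self.snat = snat
        self.conntrack = {}  # expected reply tuple -> original client packet

    def forward_in(self, p):
        # PREROUTING DNAT (plus POSTROUTING SNAT when enabled)
        out = Pkt(ROUTER_IP if self.snat else p.src, SERVER_IP, p.sport, p.dport)
        self.conntrack[(out.dst, out.src, out.dport, out.sport)] = p
        return out

    def forward_reply(self, p):
        orig = self.conntrack.get((p.src, p.dst, p.sport, p.dport))
        if orig is None:
            return None  # no state on this box: the reply cannot be un-DNATed
        return Pkt(orig.dst, orig.src, orig.dport, orig.sport)

def smtp_connect(server_gateway, snat):
    """Returns (source IP the mail server sees, whether the client gets a valid reply)."""
    router = RouterVM(snat)
    syn = Pkt(CLIENT_IP, PUBLIC_IP, 40000, 25)
    at_server = router.forward_in(syn)
    synack = Pkt(at_server.dst, at_server.src, at_server.dport, at_server.sport)
    # Same-subnet destinations are delivered directly; anything else goes to the gateway.
    next_hop = "router" if synack.dst.startswith("10.7.33.") else server_gateway
    if next_hop == "router":
        back = router.forward_reply(synack)
    else:
        back = synack  # the host just routes it: src stays SERVER_IP, never un-DNATed
    client_ok = back is not None and back.src == PUBLIC_IP and back.dst == CLIENT_IP
    return at_server.src, client_ok
```

With the host as gateway and no SNAT the client never sees a reply from the public address; SNAT repairs that at the cost of the real client IP, which is what breaks SPF and RBL checks; the router VM as gateway gives both.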