Conel SNAT is a way to reach devices that sit on the network where you deployed your router but whose IP settings, especially the default gateway, you cannot change. When the default gateway does not point to the router's IP address, you cannot access these devices remotely, because they have no means of replying to an IP address in a different IP subnet. SNAT solves the problem by changing the source IP address in the packet to the LAN IP address of the Conel router.
You want to do Source NAT (SNAT): change the source address of connections to something different. This is done in the POSTROUTING chain, just before the packet is finally sent out; this is an important detail, since it means that anything else on the Linux box itself (routing, packet filtering) will see the packet unchanged. It also means that the -o (outgoing interface) option can be used.
Source NAT is specified using -j SNAT, and the --to-source option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only).
## Change source addresses to 192.168.1.1
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.1
#
## Change source addresses to 192.168.1.1, 192.168.1.2 or 192.168.1.3
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.1.1-192.168.1.3
#
## Change source addresses to 192.168.1.1, ports 1-1023
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 192.168.1.1:1-1023
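For the Conel use case described at the top of this page, the SNAT rule can be limited to traffic leaving the LAN interface toward the device subnet, so that other traffic keeps its real source address. The script below is an added example, not code from the original page; the interface name eth0, the router LAN address 192.168.1.1 and the subnet 192.168.1.0/24 are assumed values, and the -C check assumes an iptables build that supports it.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed values: LAN interface
# eth0, router LAN address 192.168.1.1, device subnet 192.168.1.0/24.
LAN_IF="${LAN_IF:-eth0}"
LAN_IP="${LAN_IP:-192.168.1.1}"
DEVICE_NET="${DEVICE_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the command only, 0 = change the nat table

# Dotted quad -> integer; fails on malformed octets.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR: succeeds when IP lies inside CIDR.
in_subnet() {
    case $2 in */*) ;; *) return 1 ;; esac
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Build the rule spec. The new source must be on the devices' own subnet,
# otherwise they still have no route for the reply.
snat_spec() {
    in_subnet "$LAN_IP" "$DEVICE_NET" || {
        echo "LAN_IP $LAN_IP is not inside $DEVICE_NET" >&2
        return 1
    }
    echo "POSTROUTING -o $LAN_IF -d $DEVICE_NET -j SNAT --to-source $LAN_IP"
}

apply_snat() {
    spec=$(snat_spec) || return 1
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t nat -A $spec"
        return 0
    fi
    # -C succeeds when an identical rule exists, so re-running adds no duplicate.
    iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
}

apply_snat
```

After applying with DRY_RUN=0, `iptables -t nat -L POSTROUTING -n -v` shows the rule's packet counters. With this rule in place the devices log the router's LAN address as the source of every remote session, so attribution of remote access has to come from the router's own logs.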
Masquerading
There is a specialised case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialup (for static IP addresses, use SNAT above).
This is done via a configuration setting in the web interface for the 3G interface:
Configuration -> NAT -> Masquerade outgoing packets (check)
If you are using internal IP addressing for your SIM cards, this is not desired functionality, as routing is provided by your service provider. Uncheck this option, as it is set by default. Conel LR77 models use interface usb0; please double check via the web interface (Status -> Network) or via the Linux shell command ifconfig.
You don't need to put in the source address explicitly with masquerading: it will use the source address of the interface the packet is going out from. But more importantly, if the link goes down, the connections (which are now lost anyway) are forgotten, meaning fewer glitches when the connection comes back up with a new IP address.
## Masquerade everything out ppp0.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE