configure NAT on linux Routers in network

By cranium2003
Hello,
I set up a 4-computer LAN with the following configuration:
HostA
eth0=> 192.168.1.100

Router1
eth0=>10.1.1.1
eth1=>192.168.1.1

Router2
eth0=>10.1.1.100
eth1=>172.16.1.1

HostB
eth0=>172.16.1.100

I have already performed "echo 1 > /proc/sys/net/ipv4/ip_forward" on both machines.
From HostA (192.168.1.100) I am pinging HostB (172.16.1.100).
What I want, among the 3 networks I set up: whenever a packet for HostB (172.16.1.100) is generated at HostA (192.168.1.100), Router1 has to SNAT the outgoing packet from 192.168.1.100 to 10.1.1.1.
Similarly, whenever a packet for HostA (192.168.1.100) is generated at HostB (172.16.1.100), Router2 has to SNAT the outgoing packet from 172.16.1.100 to 10.1.1.100.
What should I do to achieve this? Because in my current configuration only the ping-originating host's router is able to SNAT, but the other side's router does not SNAT the reply packet from the other side. Why?


My current configuration is
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT


by jmgarvin In reply to configure NAT on linux Ro ...

Can you post ALL of your IPtables?

I'd drop the stateful stuff for now, just so we can get a handle on what is going on with your NAT. Do you allow ICMP/UDP packets through?

by cranium2003 In reply to configure NAT on linux Ro ...

I did iptables-save on R2 and found that its output is the same as above for R1. I have not touched iptables on HostA and HostB; they are the defaults on all my RH9 Linux systems.
My iptables-save on R1 is
# Generated by iptables-save v1.2.7a on Wed May 11 09:50:52 2005
*nat
:PREROUTING ACCEPT [191:37199]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Wed May 11 09:50:52 2005
# Generated by iptables-save v1.2.7a on Wed May 11 09:50:52 2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12124:5076103]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT --reject-with icmp-

by K12Linux In reply to configure NAT on linux Ro ...

I think the problem rests in what you are trying to do. You are trying to SNAT at both routers on the 10.1.1.x addresses, correct? Picture a packet going from B to A and the reply:

Originating ping packet from B:
Src: 172.16.1.100 Dst: 192.168.1.100

After passing through Router2:
Src: 10.1.1.100 Dst: 192.168.1.100

After passing through Router1:
Src: 10.1.1.100 Dst: 192.168.1.100

Packet reaches destination with same IP info....
Reply sent back as:
Src: 192.168.1.100 Dst: 10.1.1.100

After passing through Router1:
Src: 10.1.1.1 Dst: 10.1.1.100

Upon reaching Router2, Router2 has to look up the packet in its NAT table. BUT... it never sent out an ICMP packet to 10.1.1.1 with an SNAT source of 10.1.1.100. Router2 fails to translate 10.1.1.100 back to the original 172.16.1.100 address... and the packet never makes it back to HostB.

So... basically, don't try to NAT in both directions. The question now in my mind becomes... what are you trying to accomplish? Do you just want to limit all traffic on the 10.1.1.0 subnet exclusively? Why? Routing shouldn't be an issue if everything is configured correctly.

If you can share your reasons for doing the NAT in the first place I'll try to help more. (Rate this post so I know when you have replied.)
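The two behaviours discussed in this thread, the per-packet translation walked through in the trace above and the observation in the first post that only the originating host's router SNATs while the far router leaves the reply alone, can be reproduced with a small model of the topology. This is an added example, not code from the thread. Addresses are the ones given in the first post; the static routes to the far LAN and the `stateless` switch are assumptions added here. The default mode follows Linux NAT semantics: the iptables nat rules are consulted only for the first packet of a flow, the resulting binding is stored in the conntrack table, and every later packet of that flow, replies included, is translated from that table rather than from the rules. `stateless=True` translates every packet independently instead.

```python
"""Toy model of Router1/Router2 with a MASQUERADE rule, to trace a ping and
its reply through both routers.  Added example; the routes and the
`stateless` switch are assumptions, the addresses come from the post."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class Router:
    def __init__(self, name, ifaces, routes, masq_ifaces, stateless=False):
        self.name = name
        self.ifaces = ifaces            # ifname -> interface IP
        self.own_ips = set(ifaces.values())
        self.routes = routes            # network -> output ifname (assumed static routes)
        self.masq = set(masq_ifaces)    # ifaces carrying: -t nat -A POSTROUTING -o <if> -j MASQUERADE
        self.stateless = stateless      # True: translate every packet, no conntrack (not Linux behaviour)
        self.conntrack = {}             # (orig src, orig dst) -> source after SNAT (orig src if no NAT)

    def out_iface(self, dst):
        ip = ipaddress.ip_address(dst)
        for net, ifname in self.routes.items():
            if ip in ipaddress.ip_network(net):
                return ifname
        raise LookupError(f"{self.name}: no route to {dst}")

    def _tracked(self, pkt):
        """Translate a packet of an already-tracked flow; None if the flow is new."""
        for (osrc, odst), nsrc in self.conntrack.items():
            if (pkt.src, pkt.dst) == (osrc, odst):
                return replace(pkt, src=nsrc)    # original direction: reuse the stored binding
            if (pkt.src, pkt.dst) == (odst, nsrc):
                return replace(pkt, dst=osrc)    # reply direction: undo our SNAT, rules not consulted
        return None

    def forward(self, pkt):
        """Return the packet as it leaves the router, or None if it was addressed to the router."""
        if not self.stateless:
            hit = self._tracked(pkt)             # conntrack/nat PREROUTING runs before routing
            if hit is not None:
                return None if hit.dst in self.own_ips else hit
        if pkt.dst in self.own_ips:
            return None                          # local delivery, never forwarded
        ifname = self.out_iface(pkt.dst)
        nat_src = self.ifaces[ifname] if ifname in self.masq else pkt.src
        if not self.stateless:
            self.conntrack[(pkt.src, pkt.dst)] = nat_src   # binding decided once, on the first packet
        return replace(pkt, src=nat_src)


def build(masq_ifaces, stateless=False):
    """Router1/Router2 addressed as in the post; each gets a static route to the far LAN."""
    r1 = Router("Router1", {"eth0": "10.1.1.1", "eth1": "192.168.1.1"},
                {"10.1.1.0/24": "eth0", "192.168.1.0/24": "eth1", "172.16.1.0/24": "eth0"},
                masq_ifaces, stateless)
    r2 = Router("Router2", {"eth0": "10.1.1.100", "eth1": "172.16.1.1"},
                {"10.1.1.0/24": "eth0", "172.16.1.0/24": "eth1", "192.168.1.0/24": "eth0"},
                masq_ifaces, stateless)
    return r1, r2


def ping(src_host, dst_host, path):
    """Echo request along `path`, echo reply back; returns [(router, packet after router), ...]."""
    trace = []
    pkt = Packet(src_host, dst_host)
    for r in path:
        pkt = r.forward(pkt)
        trace.append((r.name, pkt))
        if pkt is None:
            return trace
    pkt = Packet(src=pkt.dst, dst=pkt.src)       # the host answers whatever source it saw
    for r in reversed(path):
        pkt = r.forward(pkt)
        trace.append((r.name, pkt))
        if pkt is None:
            return trace
    return trace


def reply_reached(trace, src_host):
    last = trace[-1][1]
    return last is not None and last.dst == src_host


if __name__ == "__main__":
    for masq, stateless in ((["eth0"], False), (["eth0", "eth1"], False), (["eth0"], True)):
        r1, r2 = build(masq, stateless)
        trace = ping("172.16.1.100", "192.168.1.100", [r2, r1])   # HostB -> HostA
        print(f"MASQUERADE on {masq}, stateless={stateless}: "
              f"reply reached HostB: {reply_reached(trace, '172.16.1.100')}")
        for name, p in trace:
            print("   after", name, p)
```

With the first post's rule (MASQUERADE on eth0 only) the conntrack mode gives exactly what that post reports: Router2 rewrites the request's source to 10.1.1.100, Router1 forwards the reply unchanged because the flow is already tracked there without a binding, and Router2 translates the reply's destination back to 172.16.1.100. With the rule set from the iptables-save (MASQUERADE on eth0 and eth1) each router binds its own hop and the reply is still unwound hop by hop. Only the stateless run re-SNATs the reply at Router1 to 10.1.1.1, after which Router2 consumes it as a packet for its own address, which is the outcome the trace above describes.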

by K12Linux In reply to

Please forgive me, but I'm still not certain I understand your final goal. You can find the router IP address your packet will pass through by using traceroute. You could also set up SNAT on both routers but going in the same direction... both will be NATed in one direction but not the other.

If you are having problems getting the packets to route across your network, then one solution would be to add static routes on the two routers specifying where to send packets. This doesn't seem to be the end goal, since you said a ping does make it all the way across but just never comes back.

If the problem is that you don't have access to modify the routes on the default router on one of the end subnets, then that is a different issue. Then an SNAT at one end makes sense. Another option (one I have used) is to use both SNAT and DNAT on one of the routers. Then all traffic to/from at least one side of the connection would appear to be going to/from only the router's IP.

I'm sorry if this isn't helpful, but I just don't grasp the final goal you are aiming for. If you can get me to understand I'd be happy to try to help.

by cranium2003 In reply to configure NAT on linux Ro ...

Hello,
I want to get the source IP of the neighbour router from which I am receiving a packet. If SNAT were allowed, then from the SNAT at each router I thought I would get the neighbour router's IP. But now, how can I get the IP of the neighbour router from which I got the packet, and is it also possible to know to which neighbour router a packet will be sent?
