  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 414

How will packets travel in my network configuration?

Still not able to achieve what I want. Either my network configuration is wrong or I am not able to write the iptables rule.
My configuration is:

The problem that I am facing is that I want to send any packet (TCP, UDP, ICMP) from HostA to HostB, which must go through Router1 and Router2. For that I added IP forwarding rules:

# Forward packets of already-tracked connections between the two interfaces.
# Note: no rule here accepts NEW connections, so first packets only get through
# if the FORWARD chain's default policy is ACCEPT.
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable IPv4 forwarding in the kernel (non-persistent; lost on reboot).
echo 1 > /proc/sys/net/ipv4/ip_forward

Then I add the MASQUERADE rules:

# Rewrite the source address of NEW connections leaving each interface to that
# interface's own address; conntrack applies the reverse mapping to replies.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
But only the request packet gets its source IP changed; the reply packet does not get SNATed on Router2 when a ping packet is sent from HostA to HostB.
It's happening because of ip_conntrack, but it's on both Router1 and Router2. Then how do I hack ip_conntrack on Router2 to force it to do SNAT?
Does the packet always travel without SNAT at Router2? What if the same configuration is taken with, say, real IPs: will routers attached to the same network do SNAT from either side or not?
1 Solution
The problem is more likely in routing, not in firewalling.
1) Assuming there are no other connections, you don't need any MASQ, SNAT or DNAT rules. Router1 just has to know the route to via eth1 and Router2 has to know the route to via eth0, and all the packets will go correctly.
2) If the link between Router1 and Router2 is through another publicly addressed network, I advise you to use the SNAT target with source and destination matches, but you still need static routes to your private networks.

Best regards !
cranium2003 (Author) commented:
I have already given my static route network setup, and as seen there is no public network. I think you have not read my question: I have only 4 computers with 3 networks. I want to use SNAT on both Router1 and Router2 for request and reply packets; how do I do that?
OK, your question seems to be rather theoretical.
If you don't use NAT and you have all static routes, it's all right, as you probably know.
When you send a packet to HostB from HostA, the header will always carry src/dst addresses and, no matter on which machine you run tcpdump.

If you set up NAT on Router2 for network, the request from HostA will go with src address and dst address through the whole path and will arrive at HostB. After that HostB will send a reply with src and dst, but when it is matched by POSTROUTING and NATed, HostA will receive the reply from src.
But HostA doesn't want this reply; it expects a reply from, doesn't it?

Sure, I don't understand what you want to do with this NAT...
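The behaviour the asker observed (request source rewritten, reply source left alone) and the answer's point (with static routes alone, addresses stay unchanged end to end) both follow from how netfilter decides NAT only on the first packet of a connection and then reverse-translates replies from the conntrack entry. The following is an added example written for this thread, not code from the thread or from netfilter itself: a small Python model of two routers with routing tables, connection tracking and an optional MASQUERADE rule on every interface. The post's diagram is missing, so the addresses (HostA 192.168.1.10, Router1 192.168.1.1/10.0.0.1, Router2 10.0.0.2/192.168.2.1, HostB 192.168.2.10), interface names and the ICMP echo identifier are all hypothetical.

```python
"""Toy model of netfilter connection tracking plus MASQUERADE on two routers.

Added example for this thread, not the poster's configuration. The addresses
are hypothetical (the original diagram is not available):

  HostA 192.168.1.10 -(eth0) Router1 (eth1) 10.0.0.1 --- 10.0.0.2 (eth0) Router2 (eth1)- HostB 192.168.2.10
"""
import ipaddress
from dataclasses import dataclass, replace

HOST_A, HOST_B = "192.168.1.10", "192.168.2.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int  # for ICMP echo this field holds the echo identifier
    dport: int  # for ICMP echo this field holds the echo identifier

    def reply_tuple(self) -> "Packet":
        """Header a reply to this packet carries (addresses and ports swapped)."""
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


class Router:
    def __init__(self, name, ifaces, routes, masq_ifaces=()):
        self.name = name
        self.ifaces = ifaces  # {ifname: the router's own address on it}
        self.routes = [(ipaddress.ip_network(n), i) for n, i in routes]
        self.masq = set(masq_ifaces)  # output interfaces carrying `-j MASQUERADE`
        # conntrack: original tuple -> tuple after SNAT (identical when no NAT applied)
        self.conntrack: dict[Packet, Packet] = {}

    def out_iface(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        for net, iface in self.routes:
            if addr in net:
                return iface
        raise RuntimeError(f"{self.name}: no route to {dst}")

    def forward(self, pkt: Packet) -> Packet:
        # 1. Conntrack lookup comes first (PREROUTING).  A reply to a tracked
        #    flow is reverse-translated here and is never treated as NEW, so the
        #    POSTROUTING nat table (and any MASQUERADE rule) is not consulted.
        for orig, natted in self.conntrack.items():
            if pkt == natted.reply_tuple():
                return orig.reply_tuple()
            if pkt == orig:  # a further packet of the same flow
                return natted
        # 2. Routing picks the output interface.
        oif = self.out_iface(pkt.dst)
        # 3. Only the first packet of a flow reaches the nat table; MASQUERADE
        #    rewrites its source to the output interface's address.
        natted = replace(pkt, src=self.ifaces[oif]) if oif in self.masq else pkt
        self.conntrack[pkt] = natted
        return natted


def build(masquerade: bool):
    """Two routers with static routes; MASQUERADE on both interfaces if requested."""
    both = ("eth0", "eth1") if masquerade else ()
    r1 = Router("Router1", {"eth0": "192.168.1.1", "eth1": "10.0.0.1"},
                [("192.168.1.0/24", "eth0"), ("10.0.0.0/24", "eth1"),
                 ("192.168.2.0/24", "eth1")], both)
    r2 = Router("Router2", {"eth0": "10.0.0.2", "eth1": "192.168.2.1"},
                [("10.0.0.0/24", "eth0"), ("192.168.1.0/24", "eth0"),
                 ("192.168.2.0/24", "eth1")], both)
    return r1, r2


def ping(masquerade: bool) -> dict:
    """One ICMP echo HostA -> HostB and its reply; report what each hop sees."""
    r1, r2 = build(masquerade)
    request = Packet(HOST_A, HOST_B, "icmp", 0x1234, 0x1234)  # constructed sample
    at_b = r2.forward(r1.forward(request))   # HostA -> Router1 -> Router2 -> HostB
    reply = at_b.reply_tuple()               # HostB answers the source it saw
    leaving_r2 = r2.forward(reply)
    at_a = r1.forward(leaving_r2)
    return {"request_at_HostB": at_b, "reply_leaving_Router2": leaving_r2,
            "reply_at_HostA": at_a}


if __name__ == "__main__":
    for masq in (False, True):
        print(f"MASQUERADE on every interface: {masq}")
        for hop, p in ping(masq).items():
            print(f"  {hop:22} src={p.src:13} dst={p.dst}")
```

With MASQUERADE off, every hop sees the original src/dst pair, which is the answer's first point. With it on, HostB sees the request from Router2's eth1 address, but the reply leaving Router2 keeps HostB's source and only has its destination translated back; that is the conntrack behaviour the asker ran into, and it is by design rather than something to work around.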
