How will packets travel in my network configuration?

Posted on 2005-05-12
Last Modified: 2010-03-17
Still not able to achieve what I want. Either my network configuration is wrong or I am not able to write iptables rules.
My configuration is:




The problem that I am facing is that I want to send any packet (TCP, UDP, ICMP) from HostA to HostB, which must go through Router1 and Router2. For that I added IP forwarding rules:

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

Then I add the MASQUERADE rules:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
But only the request packet gets its source IP changed; the reply packet does not get SNATed on Router2 when a ping packet is sent from HostA to HostB.
It's happening because of ip_conntrack, but it's on both Router1 and Router2. Then how do I hack ip_conntrack on Router2 to force it to do SNAT?
Does the packet always travel without SNAT at Router2? What if the same configuration is taken with, say, real IPs? Will routers attached to the same network then do SNAT from either side or not?
Question by: cranium2003

    Expert Comment

The problem is more likely in routing, not in firewalling.
1) Assuming there are no other connections, you don't need any MASQ, SNAT or DNAT rules. Router1 just has to know the route to via eth1 and Router2 has to know the route to via eth0, and all the packets will go correctly.
2) If the link between Router1 and Router2 is through other publicly addressed networks, I advise you to use the SNAT target with source and destination matches, but you still need static routes to your private networks.

    Best regards !

    Author Comment

I have already given my static route network setup, and as you can see there is no public network. I think you have not read my question: I have only 4 computers with 3 networks in it. I want to use SNAT on both Router1 and Router2 for request and reply packets. How do I do that?

    Accepted Solution

OK, your question seems to be rather theoretical.
If you don't use NAT and you have all static routes, it's all right, as you probably know.
When you send a packet to HostB from HostA, the header will always carry src/dst addresses and , no matter on which machine you run tcpdump.

If you set up NAT on Router2 for network , the request from HostA will go with src address and dst address through the whole path and will arrive at HostB. After that HostB will send a reply with src and dst , but when it is matched by POSTROUTING and NAT-ed, HostA will receive a reply from src .
But HostA doesn't want this reply; it expects a reply from , doesn't it?

Sure, I don't understand what you want to do with this NAT ....
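The following is an added example, not code from the question or from either comment in this thread. It models the behaviour both the question (only the request gets its source rewritten) and the accepted solution (static routes alone carry the packets unchanged) describe: a two-router path with longest-prefix static routes and a conntrack table whose NAT decision is made once, on the first packet of a flow, and is only ever reversed on the replies, which is what netfilter's conntrack/nat code does. The question's diagram is not reproduced on the page, so every address, interface name and route below is an assumption: HostA 192.168.1.10 behind Router1 (eth0 192.168.1.1, eth1 10.0.0.1), a 10.0.0.0/24 link, Router2 (eth0 10.0.0.2, eth1 192.168.2.1) in front of HostB 192.168.2.10.

```python
"""Model of stateful NAT on the HostA -> Router1 -> Router2 -> HostB path.

Added example; addresses, interface names and routes are assumptions, since
the original question's network diagram is not reproduced on the page.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Flow:
    orig_src: str   # source as first seen on this router
    orig_dst: str
    nat_src: str    # source after POSTROUTING on this router (== orig_src without NAT)


@dataclass
class Router:
    name: str
    ifaces: dict                                  # interface name -> its own address
    routes: list                                  # (prefix, out interface), any order
    masq_out: set = field(default_factory=set)    # interfaces with POSTROUTING -o <if> -j MASQUERADE
    conntrack: list = field(default_factory=list)
    log: list = field(default_factory=list)

    def route(self, dst):
        """Longest-prefix match over the static routes; the expert's point 1)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, out in self.routes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out)
        if best is None:
            raise RuntimeError(f"{self.name}: no route to {dst}")
        return best[1]

    def lookup(self, pkt):
        """Return the conntrack entry this packet belongs to and its direction."""
        for flow in self.conntrack:
            if (pkt.src, pkt.dst) == (flow.orig_src, flow.orig_dst):
                return flow, "original"
            if (pkt.src, pkt.dst) == (flow.orig_dst, flow.nat_src):
                return flow, "reply"
        return None, None

    def forward(self, pkt):
        flow, direction = self.lookup(pkt)
        if direction == "reply":
            # PREROUTING: conntrack undoes the SNAT by rewriting the destination
            # back to the original source. The reply's own source is untouched and
            # the nat table is not consulted again for an existing flow.
            pkt = Packet(pkt.src, flow.orig_src)
        out = self.route(pkt.dst)
        if flow is None:
            # First packet of a new flow: the only time the nat table is evaluated.
            nat_src = self.ifaces[out] if out in self.masq_out else pkt.src
            flow = Flow(pkt.src, pkt.dst, nat_src)
            self.conntrack.append(flow)
            direction = "original"
        if direction == "original":
            pkt = Packet(flow.nat_src, pkt.dst)
        self.log.append(f"{self.name} {out} {direction}: {pkt.src} -> {pkt.dst}")
        return pkt


def exchange(r1, r2, host_a, host_b):
    """One request HostA -> HostB and its reply, as (seen by HostB, seen by HostA)."""
    req = r2.forward(r1.forward(Packet(host_a, host_b)))
    rep = r1.forward(r2.forward(Packet(req.dst, req.src)))   # HostB answers whatever it saw
    return req, rep


def build(masquerade):
    """Assumed topology; masquerade=True mirrors the question's rules on both interfaces."""
    r1 = Router("Router1", {"eth0": "192.168.1.1", "eth1": "10.0.0.1"},
                [("192.168.1.0/24", "eth0"), ("10.0.0.0/24", "eth1"), ("192.168.2.0/24", "eth1")])
    r2 = Router("Router2", {"eth0": "10.0.0.2", "eth1": "192.168.2.1"},
                [("10.0.0.0/24", "eth0"), ("192.168.2.0/24", "eth1"), ("192.168.1.0/24", "eth0")])
    if masquerade:
        r1.masq_out = {"eth0", "eth1"}
        r2.masq_out = {"eth0", "eth1"}
    return r1, r2


if __name__ == "__main__":
    for masq in (False, True):
        r1, r2 = build(masq)
        req, rep = exchange(r1, r2, "192.168.1.10", "192.168.2.10")
        print("MASQUERADE on all interfaces" if masq else "static routes only")
        print("\n".join(r1.log + r2.log))
        print(f"  HostB sees the request from {req.src}; HostA gets the reply from {rep.src}\n")
```

Running it shows the two cases side by side: with static routes only, HostB sees the request from 192.168.1.10 and the reply reaches HostA unchanged; with MASQUERADE on every interface, HostB sees the request from Router2's 192.168.2.1, and on the way back each router rewrites only the destination (192.168.2.1 back to 10.0.0.1 on Router2, 10.0.0.1 back to 192.168.1.10 on Router1) while the reply's source stays 192.168.2.10 throughout. That reverse mapping is the conntrack behaviour the question observed; there is no separate SNAT of reply packets to force.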
