  • Status: Solved
How will packets travel in my network configuration?

Hello,
I'm still not able to achieve what I want. Either my network configuration is wrong or I am not able to write the iptables rules. My configuration is:

HostA
eth0 => 192.168.1.100

Router1
eth0 => 10.1.1.1
eth1 => 192.168.1.1

Router2
eth0 => 10.1.1.100
eth1 => 172.16.1.1

HostB
eth0 => 172.16.1.100

The problem I am facing is that I want to send any packet (TCP, UDP, ICMP) from HostA to HostB, which must go through Router1 and Router2. For that I added IP forwarding rules:

# FORWARD rules on each router (note: these pass only ESTABLISHED,RELATED
# traffic; if the FORWARD chain's policy is DROP, the first packet of each
# flow also needs a rule accepting state NEW)
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# enable IPv4 forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

Then I added MASQUERADE rules:

# nat POSTROUTING: rewrite the source address to that of the outgoing interface
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

But only the request packet gets its source IP changed; the reply packet does not get SNAT on Router2 when a ping packet is sent from HostA to HostB.
It's happening because of ip_conntrack, but it's on both Router1 and Router2. Then how do I hack ip_conntrack on Router2 to force it to do SNAT?
Does the packet always travel without SNAT at Router2? What if the same configuration is taken with, say, real IPs; will routers attached to the same network do SNAT from either side or not?
Asked by: cranium2003

1 Solution
brabard commented:
The problem is more likely in routing, not in firewalling.
1) Assuming there are no other connections, you don't need any MASQ, SNAT or DNAT rules. Router1 just has to know the route to 172.16.1.0 via eth1 and Router2 has to know the route to 192.168.1.0 via eth0, and all the packets will go correctly.
2) If the link between Router1 and Router2 is through another publicly addressed network, I advise you to use the SNAT target with source and destination matches, but you still need static routes to your private networks.

Best regards !
Brabard

cranium2003 (Author) commented:
Hello,
I have already given my static route network setup, and as you can see there is no public network. I think you have not read my question: I have only 4 computers with 3 networks. I want to use SNAT on both Router1 and Router2 for request and reply packets; how do I do that?

brabard commented:
OK, your question seems to be rather theoretical.
If you don't use NAT and you have all the static routes, it's all right, as you probably know.
When you send a packet to HostB from HostA, the header will always have src/dst addresses 192.168.1.100 and 172.16.1.100, no matter on which machine you run tcpdump.

If you set up NAT on Router2 for the 172.16.1.0 network, the request from HostA will go with src address 192.168.1.100 and dst address 172.16.1.100 through the whole path and will arrive at HostB. After that HostB will send a reply with src 172.16.1.100 and dst 192.168.1.100, but when it is matched by POSTROUTING and NAT-ed, HostA will receive the reply from src 10.1.1.100.
But HostA doesn't want this reply; it expects a reply from 172.16.1.100, doesn't it?

Sure, I don't understand what you want to do with this NAT ....
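The two answers above come down to two claims: static routes alone carry the packets between the three networks, and NAT only changes what the endpoints see. As an added example, not code from this thread or from either poster, here is a small Python model of the question's topology (addresses exactly as posted) with longest-prefix routing, ip_forward, and MASQUERADE with Linux conntrack semantics, where the SNAT is chosen for the first packet of a flow and the reply is reverse-translated rather than given a fresh SNAT. It runs three constructed scenarios: the two static routes from the answer (Router1 reaching 172.16.1.0/24 via 10.1.1.100 on eth0, Router2 reaching 192.168.1.0/24 via 10.1.1.1 on eth0) without NAT, no static routes, and the question's MASQUERADE on eth0 and eth1 of both routers. Class and function names are this example's own.

```python
"""Added example (not from the thread): the question's HostA-Router1-Router2-HostB
topology with longest-prefix routing, ip_forward and Linux-style MASQUERADE
(SNAT chosen on a flow's first packet, reversed by conntrack on the reply)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    reply: bool = False  # False: ICMP echo request, True: echo reply


@dataclass
class Node:
    name: str
    ifaces: dict                                   # ifname -> "addr/prefixlen"
    routes: list = field(default_factory=list)     # (prefix, ifname, gateway or None)
    forward: bool = False                          # net.ipv4.ip_forward
    masq: set = field(default_factory=set)         # out-ifaces with -j MASQUERADE
    conntrack: dict = field(default_factory=dict)  # (orig_src, orig_dst) -> nat_src

    def addr(self, ifname):
        return self.ifaces[ifname].split("/")[0]

    def lookup(self, dst):
        """Longest-prefix match over connected networks and static routes."""
        ip, best = ipaddress.ip_address(dst), None
        cands = [(cidr, i, None) for i, cidr in self.ifaces.items()] + self.routes
        for cidr, ifname, gw in cands:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, ifname, gw)
        return None if best is None else (best[1], best[2] or dst)

    def postrouting(self, pkt, out_if):
        """nat POSTROUTING: SNAT is chosen for a flow's first packet only; conntrack
        replays that mapping for later packets and never re-SNATs a reply."""
        if not pkt.reply:
            key = (pkt.src, pkt.dst)
            if key not in self.conntrack and out_if in self.masq:
                self.conntrack[key] = self.addr(out_if)
            pkt.src = self.conntrack.get(key, pkt.src)
        return pkt

    def unnat_reply(self, pkt):
        """Reverse translation: a reply sent to the NAT address gets the original source back."""
        if pkt.reply:
            for (orig_src, orig_dst), nat_src in self.conntrack.items():
                if pkt.dst == nat_src and pkt.src == orig_dst:
                    pkt.dst = orig_src
                    break
        return pkt


class Network:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.by_ip = {n.addr(i): n for n in nodes for i in n.ifaces}

    def deliver(self, origin, pkt):
        """Hop-by-hop forwarding: (node, pkt) on delivery, (node, None) where dropped."""
        node = origin
        for _ in range(16):                              # crude TTL
            pkt = node.unnat_reply(pkt)
            if self.by_ip.get(pkt.dst) is node:          # addressed to this node
                return node, pkt
            if node is not origin and not node.forward:  # ip_forward = 0
                return node, None
            hop = node.lookup(pkt.dst)
            if hop is None or hop[1] not in self.by_ip:  # no route / next hop not on link
                return node, None
            pkt = node.postrouting(pkt, hop[0])
            node = self.by_ip[hop[1]]
        return node, None


def ping(net, src_name, dst_name):
    """Echo request src -> dst, then the reply back; report what each end sees."""
    a, b = net.nodes[src_name], net.nodes[dst_name]
    where, req = net.deliver(a, Packet(a.addr("eth0"), b.addr("eth0")))
    if req is None:
        return {"dropped_at": where.name}
    seen = {"request_src_at_" + where.name: req.src}
    back, rep = net.deliver(where, Packet(req.dst, req.src, reply=True))
    if rep is None:
        seen["reply_dropped_at"] = back.name
    else:
        seen["reply_src_at_" + back.name] = rep.src
        seen["reply_dst_at_" + back.name] = rep.dst
    return seen


def build(static_routes=True, masquerade=False):
    """Question's addresses; the answer's two static routes and the question's
    MASQUERADE on eth0/eth1 of both routers can be switched on and off."""
    host_a = Node("HostA", {"eth0": "192.168.1.100/24"}, [("0.0.0.0/0", "eth0", "192.168.1.1")])
    r1 = Node("Router1", {"eth0": "10.1.1.1/24", "eth1": "192.168.1.1/24"}, forward=True)
    r2 = Node("Router2", {"eth0": "10.1.1.100/24", "eth1": "172.16.1.1/24"}, forward=True)
    host_b = Node("HostB", {"eth0": "172.16.1.100/24"}, [("0.0.0.0/0", "eth0", "172.16.1.1")])
    if static_routes:
        r1.routes.append(("172.16.1.0/24", "eth0", "10.1.1.100"))
        r2.routes.append(("192.168.1.0/24", "eth0", "10.1.1.1"))
    if masquerade:
        r1.masq = r2.masq = {"eth0", "eth1"}
    return Network([host_a, r1, r2, host_b])
```

Call `ping(build(), "HostA", "HostB")` for each switch. With the two static routes and no NAT, HostB sees the request from 192.168.1.100 and HostA gets the reply from 172.16.1.100, unchanged end to end. Without the static routes Router1 has no route to 172.16.1.0/24 and drops the request, which is the routing problem the first answer points at. With MASQUERADE on both interfaces of both routers, HostB sees the request from 172.16.1.1 (Router2's eth1 address) while the reply is only un-NATed on its way back and never gets a second SNAT: conntrack binds the translation to the flow on its first packet, which is the one-way behaviour the question reports seeing. Flipping `forward` to False on a router models `ip_forward = 0` and drops the request at that router.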