topic Re: IP Tables Question in Operating System - Linux

IP Tables Question

Admin32 — Fri, 10 Jan 2003 12:55:41 GMT

Hi Everyone,

I've been trying to test a new setup which is slightly tricky and I wanted to find out if anyone knows if it will work, or has already tried it:

Network 1<--->Gateway<--->Network 2--NATrouter>---->Internet

Explaination:

We have a router which performs NAT overload (Dynamic Nat with port translation), this router connected network 2 to the internet, so all hosts in network 2 (including gateway) can access the internet.

The gateway server though is also connected to another network, thats Network 1.
By configuring the Gateway server to perform Dynamic Nat with Port translation, will hosts on network 1 be able to access the internet ?

Logically, I would say yes, but I am not 100% sure if a problem arises with the packets originating from network 1, since they will be nat'ed twice (once through gateway server, and once through the router).

Any ideas ?

Cheers,

Re: IP Tables Question

Jochen Heuer — Fri, 10 Jan 2003 13:03:44 GMT

Hi,

although I have not tested it I don't think this should be a problem (famous last words) ...

Jochen

Re: IP Tables Question

Kodjo Agbenu — Sun, 12 Jan 2003 22:04:15 GMT

hi,

For me, it should work. Seen from the NATrouter, the gateway is considered as a normal host.

Good luck.

Kodjo

Re: IP Tables Question

Benny Chandra — Wed, 15 Jan 2003 04:04:55 GMT

For outgoing packet, I'm sure it will be OK. The NATrouter will see host in network 1 as Gateway.

But for the reply packet, I'm not so sure whether a simple NAT rule in Gateway or NATrouter will work, although I don't know the exact configuration.

Re: IP Tables Question

Trever Furnish — Wed, 15 Jan 2003 13:49:28 GMT

Of course it will work.

For simplicity's sake, let's assume that by "Network 1" and "Network 2", you're refering to segments with only one subnet on each of them.

NATrouter:
- needs a route added to its routing table that says "Network 1" is on Gateway.

Gateway:
- needs a default route pointing to NATrouter.

Network 1 clients:
- default gateway is Gateway

Network 2 clients:
- default gateway is NATrouter

The packets going through Gateway should NOT be NAT'd by Gateway - why would you do that? It should just forward the packets on (ie route them), not translate them.

If for some reason (that I can't even imagine), you do want to do NAT for Network 1 on Gateway instead of doing it on NATrouter, you can do that but the clients on Network 2 will have no way of initiating contact with the clients on Network 1. The clients on Network 1 *will* be able to initiate contact with the clients on Network 2.

Since you control both subnets, technically you *could* make nat work on both boxes for both subnets, but again, why would you do that?

Only run NAT on your edge routers - never NAT internal traffic, it's just wasteful.