Score:1

NAT/IPTables functionality concerns when routing across several interfaces using IP forwarding


As shown in the diagram below, I currently have three systems networked together:


                             Interface eno2
                             IP Addresses Assigned:
                             192.10.10.12───────────┐
                                                    │
                                                    │
                                                    │
                                                    │                       ┌─────────────────────────┐
                        ┌─────────────────────────┐ │                       │                         │
                        │                         │ │                       │                         │
                        │                         │ │                       │  Computer C             │
                        │  Computer A             ├─┤   ETH INTERFACE     ┌─┤                         │
                        │                         │ │◄───────────────────►│ │                         │
                        │                         ├─┘                     ├─┤                         │
                        │                         │                       │ │                         │
                        │                         │                       │ └─────────────────────────┘
Interface enp134s0f1    └───────────┬──┬──────────┘                       │
IP Addresses Assigned               ├─▲┘                                  │
192.168.200.12                      │ │                                   │
192.168.200.11                      │ │                                   │
                                    │ │                                   │                  Interface eno1
                 ───────────────────┘ │                                   └───────────────── IP Addresses Assigned:
                                      │                                                      192.10.10.13
                                      │                                                      192.168.200.13
                                      │                                                      5.5.5.1
                                      │
                                      │ETH
    Interface enp134s0f1              │INTERFACE
    IP Addresses Assigned             │
    192.168.200.10                    │
    5.5.5.3 ────────────────────────┐ │
                                    ├─▼─┐
                         ┌──────────┴───┴──────────┐
                         │                         │
                         │                         │
                         │  Computer B             │
                         │                         │
                         │                         │
                         │                         │
                         │                         │
                         └─────────────────────────┘

The objective is to have bidirectional communication between Computer C and Computer B via simple pings and ssh sessions.

For Computer B, I've added the following addresses and routes to the system:

ip route add 192.168.200.0/24 via 192.168.200.12
ip route add 5.5.5.1/32 via 192.168.200.12

Interface enp134s0f1 IP Address assigned:

  • 192.168.200.12
  • 5.5.5.3

For Computer A, the following addresses and routes were added along with modifications to the NAT table:

ip route add 192.168.200.13/32 via 192.10.10.12
ip route add 5.5.5.1/32 via 192.10.10.12

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eno2 -j SNAT --to-source 192.10.10.12

Interface eno2 IP Address assigned:

  • 192.10.10.12

Interface enp134s0f1 IP Address assigned:

  • 192.168.200.11
  • 192.168.200.12

For Computer C, I've added the following addresses and routes to the system:

ip addr add 5.5.5.1/24 dev eno1
ip addr add 192.168.200.13/24 dev eno1
ip route add 192.168.200.0/24 via 192.10.10.13 dev eno1
ip route add 5.5.5.0/24 via 192.10.10.13 dev eno1

Interface eno1 IP Address assigned:

  • 192.10.10.13
  • 192.168.200.13
  • 5.5.5.1

I can currently communicate in the following direction from Computer B to Computer C with this network configuration:

+------------+    PING or SSH    +------------+    PING or SSH    +------------+
| Computer B |   ------------>   | Computer A |   ------------>   | Computer C |    ✓
+------------+                   +------------+                   +------------+

However, I'm having no luck with ping or ssh sessions in the opposite direction.

+------------+    PING or SSH    +------------+    PING or SSH    +------------+
| Computer B |   <------------   | Computer A |   <------------   | Computer C |    X
+------------+                   +------------+                   +------------+

Each computer is running a different flavor of Linux as well:

  • Computer A: Ubuntu 16.04 LTS
  • Computer B: CentOS7
  • Computer C: Ubuntu 20.04 LTS

I am not sure if my modifications to the NAT rules are set up correctly or not.
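The following is an added illustration, not code from the question or from any answer. It encodes the addresses and `ip route add` lines listed above as plain data, does longest-prefix-match lookups the way the kernel does, and flags two things worth checking before looking at the NAT table at all: an added route whose prefix duplicates a connected route (the kernel already installed it from the interface address, so `ip route add` is rejected with "RTNETLINK answers: File exists"), and a route whose gateway is one of the host's own addresses rather than another router on a directly connected subnet. It also shows which egress interface the POSTROUTING SNAT rule on Computer A applies to. Assumptions: addresses listed without a mask are treated as /24, the `dev` of each added route is taken from the interface that owns the gateway's subnet, and Computer B's address follows the diagram (192.168.200.10); the text under "Computer B" lists 192.168.200.12, which is also assigned to A's enp134s0f1.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: str           # destination prefix in CIDR form
    via: Optional[str]    # next-hop gateway; None for a directly connected route
    dev: str              # egress interface


# Constructed from the question's "ip addr add" / "ip route add" lines.
# Masks not given in the question are assumed to be /24 (see lead-in).
HOSTS = {
    "A": {
        "addrs": {"eno2": ["192.10.10.12/24"],
                  "enp134s0f1": ["192.168.200.11/24", "192.168.200.12/24"]},
        "routes": [Route("192.168.200.13/32", "192.10.10.12", "eno2"),
                   Route("5.5.5.1/32", "192.10.10.12", "eno2")],
        # iptables -t nat -A POSTROUTING -o eno2 -j SNAT --to-source 192.10.10.12
        "snat": {"eno2": "192.10.10.12"},
    },
    "B": {
        "addrs": {"enp134s0f1": ["192.168.200.10/24", "5.5.5.3/24"]},
        "routes": [Route("192.168.200.0/24", "192.168.200.12", "enp134s0f1"),
                   Route("5.5.5.1/32", "192.168.200.12", "enp134s0f1")],
        "snat": {},
    },
    "C": {
        "addrs": {"eno1": ["192.10.10.13/24", "192.168.200.13/24", "5.5.5.1/24"]},
        "routes": [Route("192.168.200.0/24", "192.10.10.13", "eno1"),
                   Route("5.5.5.0/24", "192.10.10.13", "eno1")],
        "snat": {},
    },
}


def local_addrs(host):
    """Every address configured on the host, without its prefix length."""
    return {str(ipaddress.ip_interface(a).ip)
            for addrs in HOSTS[host]["addrs"].values() for a in addrs}


def connected_routes(host):
    """Routes the kernel installs by itself for each interface address."""
    seen, routes = set(), []
    for dev, addrs in HOSTS[host]["addrs"].items():
        for a in addrs:
            net = str(ipaddress.ip_interface(a).network)
            if (net, dev) not in seen:
                seen.add((net, dev))
                routes.append(Route(net, None, dev))
    return routes


def rejected_routes(host):
    """Added routes the kernel refuses: same prefix (and default metric/table)
    as a connected route -> 'RTNETLINK answers: File exists'."""
    connected = {c.prefix for c in connected_routes(host)}
    return [r for r in HOSTS[host]["routes"] if r.prefix in connected]


def check_routes(host):
    """Return (route, problem) pairs for added routes that cannot work as written."""
    problems = [(r, "duplicates a connected prefix") for r in rejected_routes(host)]
    mine = local_addrs(host)
    connected = connected_routes(host)
    for r in HOSTS[host]["routes"]:
        if r in rejected_routes(host) or r.via is None:
            continue
        gw = ipaddress.ip_address(r.via)
        if r.via in mine:
            problems.append((r, "gateway is one of this host's own addresses"))
        elif not any(c.dev == r.dev and gw in ipaddress.ip_network(c.prefix)
                     for c in connected):
            problems.append((r, "gateway is not on a connected subnet of " + r.dev))
    return problems


def lookup(host, dst):
    """Longest-prefix match over the routes that are actually installed."""
    ip = ipaddress.ip_address(dst)
    rejected = rejected_routes(host)
    table = connected_routes(host) + [r for r in HOSTS[host]["routes"] if r not in rejected]
    best = None
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if ip in net and (best is None or
                          net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    return best


def egress_source(host, dst, src):
    """Source address a forwarded packet carries after POSTROUTING: the SNAT rule
    rewrites it only when the chosen route leaves via an interface it matches."""
    r = lookup(host, dst)
    return None if r is None else HOSTS[host]["snat"].get(r.dev, src)


if __name__ == "__main__":
    for host in HOSTS:
        for route, why in check_routes(host):
            print(f"{host}: {route.prefix} via {route.via} dev {route.dev}: {why}")
    print("A forwards B->C with source", egress_source("A", "5.5.5.1", "192.168.200.10"))
    print("A forwards C->B with source", egress_source("A", "192.168.200.10", "5.5.5.1"))
```

Run as a script it prints the flagged routes per host and the source address A puts on traffic in each direction; the point of `egress_source` is that the `-o eno2` SNAT rule only touches packets leaving toward C, so it neither helps nor hinders a packet that A is forwarding toward B. On a real host the same questions are answered by `ip route show` and `ip route get <dst>`.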

Ron Maupin
Why not just use routing? Using the NAPT version of NAT will prevent what you want unless you do port forwarding. It adds a lot of complexity. Remember that NAT is not a substitute for routing.