Ref.: Re: NAT through a router ?

R.DAVIDOVICH@cvitkovic-ac.fr
Wed, 18 Jul 2001 18:50:57 +0200


Let's remake the scheme...

internet -------- x.x.x.x | router A | 192.168.220.254 ------------- 192.168.220.0/24 (lan 1)
                                       192.168.221.254 ------------- 192.168.221.0/24 (lan 2)
                                                                           |
                                                                           |
                                                                           ----- 192.168.221.1 | router B | 192.168.222.254 ---- 192.168.222.0/24 (lan 3)

OK, for a start: I apologize, because I didn't see the "192.168.221.1"
interface in router B  :-(

Now, if from lan 3 we can reach either lan 1 or 2, and vice versa, from
lan 1 and 2 we can reach lan 3, the inside routing and gateways are OK,
and I guess we shouldn't touch them...

I guess that Simeon is right... maybe we should try to add a NAT rule in
router A from ext_ip to 192.168.222.0/24 with 192.168.221.1 as the gateway
and see what happens...

this is your rule...
> iptables -t nat -A POSTROUTING -o eth1 -s 192.168.220.x -j SNAT --to 200.1.1.x

maybe something like:

iptables -t nat -A POSTROUTING -o eth(the one with the 192.168.221.254 address) -s 192.168.222.x -j SNAT --to 200.1.1.x

should do...

Best regards

---------------------------------------------------
Raul Davidovich
Network and Systems Admin
Cvitkovic & Associés Consultants

(33) 1 45 15 40 68
(33) 1 45 15 40 41 Fax
-------------------------------------------------------
http://www.caconcology.com


Simeon Johnston <simeonuj@eetc.com>
Sent by: netfilter-admin@lists.samba.org
18/07/2001 17:30
Please reply to simeonuj

To: IPTables <netfilter@lists.samba.org>
cc:
Subject: Re: NAT through a router ?




R.DAVIDOVICH@cvitkovic-ac.fr wrote:

> The problem is that you don't have any NAT at all for the network
> 192.168.222.0/24, so the computers inside it (including the router) just
> "don't know" how to reach internet, and for the outside world, they "don't
> exist".
> what you should do is to add a third interface in the router A with a NAT
> to 192.168.222.0/24, with an address 192.168.222.1 (for example.. just to
> have it clear).. in the router B you set up as default gateway the router
> A, and in the rest of the computers inside the 192.168.222.0/24 network set
> up the router B as the default gateway.

The whole thing about adding another interface doesn't make sense IMO.  All
you should need is routing rules and NAT.

Internet
|
Router A (NAT)     NEEDS a SEPARATE rule for every subnet.
|                  And needs Router B set up as the gateway to 192.168.222.x
|          192.168.220.0/24
|          192.168.221.0/24
|
|
Router B (no NAT) w/ Router A as the default GATEWAY <--------
           192.168.222.0/24

So let's think this through.

192.168.222.1 sends a request for address xxx.xxx.xxx.xxx.  Router B sees
this and routes it to Router A (because it's the default GW).  Router A
sees the request from 192.168.222.1 and NATs it out to xxx.xxx.xxx.xxx.
The response from xxx.xxx.xxx.xxx is then de-NATed and sent to
192.168.222.1 via Router B (because it's set up in Router A's routing table
as the gateway to 192.168.222.x).

Does this make sense?

So, it either sounds like a routing problem (maybe your routing tables are
quite right).  Or you need to fix your IPTables rules.
Otherwise this has the possibility of working (it works w/ ipchains on our
network).

I'm relatively new to IPTables so I may be wrong or don't understand your
question completely.
sim
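As an added example that is not part of the thread (it is not code from either poster): a small Python audit of router A against the two requirements Simeon describes, a separate SNAT rule for every internal subnet and a route back to 192.168.222.0/24 via router B. It parses constructed `iptables -t nat -S POSTROUTING` and `ip route` output; the interface names and 200.1.1.1 as the external address are assumptions.

```python
import ipaddress

# Constructed `iptables -t nat -S POSTROUTING` output for router A; lan 3 (192.168.222.0/24) has no rule.
NAT_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.220.0/24 -o eth1 -j SNAT --to-source 200.1.1.1
-A POSTROUTING -s 192.168.221.0/24 -o eth1 -j SNAT --to-source 200.1.1.1
"""
# Constructed `ip route` output for router A: no route to lan 3 via router B yet.
ROUTES = """\
default via 200.1.1.254 dev eth1
192.168.220.0/24 dev eth0 proto kernel scope link src 192.168.220.254
192.168.221.0/24 dev eth2 proto kernel scope link src 192.168.221.254
"""
INTERNAL = ["192.168.220.0/24", "192.168.221.0/24", "192.168.222.0/24"]
EXT_IF, EXT_IP = "eth1", "200.1.1.1"  # assumed internet-facing interface and address
ROUTER_B = "192.168.221.1"            # router B's address on lan 2, from the thread

def parse_snat(rules):
    """Yield (source network, out interface) for each POSTROUTING SNAT rule."""
    for line in rules.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", "POSTROUTING"] or "SNAT" not in tok:
            continue
        opts = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        yield ipaddress.ip_network(opts.get("-s", "0.0.0.0/0")), opts.get("-o")

def parse_routes(routes):
    # Yield destination networks from `ip route` output, skipping the default route.
    for line in routes.splitlines():
        tok = line.split()
        if tok and tok[0] != "default":
            yield ipaddress.ip_network(tok[0])

def uncovered(nets, covering):
    # Internal subnets not contained in any covering network, as sorted strings.
    return sorted(str(n) for n in map(ipaddress.ip_network, nets)
                  if not any(n.subnet_of(c) for c in covering))

def missing_snat(rules, internal, ext_if):
    # Only rules leaving via ext_if count: that is where every LAN's internet traffic exits.
    return uncovered(internal, [src for src, out in parse_snat(rules) if out == ext_if])

def missing_routes(routes, internal):
    return uncovered(internal, list(parse_routes(routes)))

def fix_commands(rules, routes, internal, ext_if, ext_ip, via):
    """Commands that complete router A for whatever the audit found missing."""
    cmds = [f"ip route add {net} via {via}" for net in missing_routes(routes, internal)]
    cmds += [f"iptables -t nat -A POSTROUTING -s {net} -o {ext_if} -j SNAT --to-source {ext_ip}"
             for net in missing_snat(rules, internal, ext_if)]
    return cmds
```

Running `fix_commands(NAT_RULES, ROUTES, INTERNAL, EXT_IF, EXT_IP, ROUTER_B)` on the constructed state yields exactly the route and SNAT rule for lan 3; on a router whose tables already cover all three LANs it returns an empty list.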