Ref.: Re: NAT through a router ?

Krepper Guillermo billy@ciudadglobal.com.ar
Wed, 18 Jul 2001 15:19:48 -0300


First of all, thank you very much for your reply !!

I will try all this at night and reply with my results.

One of my questions is: 
will iptables on router A, NAT a private address (192.168.222.1) that it does 
not have as an interface?

Sim: 
you are doing something like this? Could you send me how you make ipchains do 
your NAT? I'm not an expert on ipchains or iptables, but would like to have a 
look at it, maybe I'm doing something wrong (I'm sure).
Another thing I don't understand is why you say I need a rule for each 
network; I'm actually using 2 rules, one for (192.168.220.0/24 and 
192.168.221.0/24) and the second for 192.168.222.0/24.


thanks again
Krepper Guillermo



On Wednesday 18 July 2001 01:50 pm, R.DAVIDOVICH@cvitkovic-ac.fr wrote:
> Let's remake the scheme...
>
>
>
> internet -------- x.x.x.x | router A |   192.168.220.254 ------------- 192.168.220.0/24 (lan 1)
>                                          192.168.221.254 ------------- 192.168.221.0/24 (lan 2)
>
>
>                                   ----- 192.168.221.1 | router B | 192.168.222.254 ---- 192.168.222.0/24 (lan3)
>
> ok..for starting.. I apologize, because I didn't see the "192.168.221.1"
> interface in router B  :-(
>
> now, if from lan 3 we can reach either lan 1 or 2, and the very opposite,
> from lan 1 and 2 we can reach lan 3, the inside routing and gateways are
> ok, and I guess we shouldn't touch them...
>
> I guess that Simeon is right... maybe we should try to add a NAT rule in
> router A from ext_ip to 192.168.222.0/24 with 192.168.221.1 as the gateway
> and see what happens...
>
> this is your rule...
>
> > iptables -t nat -A POSTROUTING -o eth1 -s 192.168.220.x -j SNAT --to 200.1.1.x
>
> maybe something like:
>
> iptables -t nat -A POSTROUTING -o eth(the one with the 192.168.221.254 address) -s 192.168.222.x -j SNAT --to 200.1.1.x
>
> should do...
>
> Best regards
>
> ---------------------------------------------------
> Raul Davidovich
> Network and Systems Admin
> Cvitkovic & Associés Consultants
>
> (33) 1 45 15 40 68
> (33) 1 45 15 40 41 Fax
> -------------------------------------------------------
> http://www.caconcology.com
>
> Simeon Johnston <simeonuj@eetc.com>
> Sent by: netfilter-admin@lists.samba.org
> 18/07/2001 17:30
> Please reply to: simeonuj
>
> To: IPTables <netfilter@lists.samba.org>
> cc:
> Subject: Re: NAT through a router ?
>
> R.DAVIDOVICH@cvitkovic-ac.fr wrote:
> > The problem is that you don't have any NAT at all for the network
> > 192.168.222.0/24, so the computers inside it (including the router) just
> > "don't know" how to reach internet, and for the outside world, they "don't
> > exist".
> > What you should do is to add a third interface in the router A with a NAT
> > to 192.168.222.0/24, with an address 192.168.222.1 (for example.. just to
> > have it clear).. in the router B you set up as default gateway the router
> > A, and in the rest of the computers inside the 192.168.222.0/24 network set
> > up the router B as the default gateway.
>
> The whole thing about adding another interface doesn't make sense IMO.  All
> you should need is routing rules and NAT.
>
> Internet
>
> Router A (NAT) NEEDS a SEPARATE rule for every subnet.
> |                          And, needs Router B set up as the gateway to 192.168.222.x
> |          192.168.220.0/24
> |          192.168.221.0/24
>
> Router B (no NAT) w/ Router A as the default GATEWAY <--------
>            192.168.222.0/24
>
> So let's think this through.
>
> 192.168.222.1 sends a request for address xxx.xxx.xxx.xxx.  Router B sees
> this and routes it to Router A (because it's the default GW).  Router A
> sees the request from 192.168.222.1 and NAT's it out to xxx.xxx.xxx.xxx.
> The response from xxx.xxx.xxx.xxx is then DeNated and sent to
> 192.168.222.1 via Router B (because it's set up in Router A's routing table
> as the gateway to 192.168.222.x).
>
> Does this make sense?
>
> So, it either sounds like a routing problem (maybe your routing tables are
> quite right).  Or you need to fix your IPTables rules.
> Otherwise this has the possibility of working (it works w/ ipchains on our
> network).
>
> I'm relatively new to IPTables so I may be wrong or don't understand your
> question completely.
> sim




-- 
-------------------------------------------------------
I do it for the challenge ..
-------------------------------------------------------
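
Added example, not part of the original thread: one way to set up on router A what Simeon describes above, a route to 192.168.222.0/24 via router B plus one SNAT rule per subnet. It assumes eth1 is router A's Internet-facing interface (as in the quoted rule) and uses 203.0.113.10 as a constructed stand-in for the 200.1.1.x address; by default it only prints the commands, and `APPLY=1` (as root) executes them.

```shell
#!/bin/sh
# Added example: router A configuration for NATing lan3, which sits behind router B.
# Assumptions: eth1 is router A's Internet-facing interface; EXT_IP is a
# constructed placeholder for the real 200.1.1.x address.
EXT_IF="${EXT_IF:-eth1}"
EXT_IP="${EXT_IP:-203.0.113.10}"        # placeholder (documentation range)
ROUTER_B="${ROUTER_B:-192.168.221.1}"   # router B's address on lan 2
NAT_NETS="${NAT_NETS:-192.168.220.0/24 192.168.221.0/24 192.168.222.0/24}"

# Print each command; execute it only when APPLY=1 (needs root).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

router_a_setup() {
    # Forward packets between interfaces.
    run sysctl -w net.ipv4.ip_forward=1
    # Return path: de-NATed replies for lan3 must be handed to router B.
    run ip route replace 192.168.222.0/24 via "$ROUTER_B"
    # SNAT matches on source address and outgoing interface, so router A
    # does not need an interface inside a subnet in order to translate it.
    for net in $NAT_NETS; do
        run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$net" \
            -j SNAT --to-source "$EXT_IP"
    done
}

router_a_verify() {
    # Which next hop does router A pick for a lan3 host?
    run ip route get 192.168.222.1
    # Per-rule packet counters show whether lan3 traffic hits its SNAT rule.
    run iptables -t nat -L POSTROUTING -n -v
}

router_a_setup
router_a_verify
```

Router B needs no NAT rule in this layout, only forwarding enabled and router A (192.168.221.254) as its default gateway.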