iptables + ebtables + snat question

Jan Engelhardt jengelh at linux01.gwdg.de
Sat Aug 13 14:36:23 CEST 2005


> I have the following setup:
>
> LAN
> | 
> | 
>          if0       ________
> DMZ---if1     if2---|ROUTER|---INTERNET
> \   /      --------
> br0

Your ascii art is totally broken. If you draw ascii at all, use a monospaced 
font!

> LAN_NET = 10.0.0.1
> PUBLIC_NET = 77.25.33.0/28
> (14 hosts - broadcast = .15)
>
> I am doing transparent bridging between if1 and if2
> My ROUTER ethernet iface has IP 77.25.33.1
> my DMZ hosts will have public IPs ranging 77.25.33.2-14
>
> My question is can Masquerade (SNAT) my LAN
> IPs and use the ROUTER ethernet IP
> as a --to-source target?

Yes.

> Or do I have to assign a IP to my br0 interface?

The bridge itself needs an IP if you want to SNAT to it. Otherwise this would 
happen:

PING from dmz (77.25.33.2) to google.com (216.239.37.99) via
the nexthop (e.g. 77.1.2.3).

The bridge SNATs to 77.25.33.1

The nexthop asks arp-who-has 77.25.33.1 -- no response.
If your bridge does not have an IP, you need some ebtable tricks to make an 
ARP reply.

> I am in design mode so I was trying to figure out
> if this is possible.
>
> The rule would look like this:
> $IPTABLES -t nat -A POSTROUTING \
> -o $BR0 -j SNAT --to-source $ROUTER_IP
>
> Can this work?


Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/
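Added example (not from the thread or its author): a POSIX shell script that emits the two configurations the reply contrasts, an IP on the bridge so the kernel itself answers ARP for the SNAT address, versus an IP-less bridge with an ebtables arpreply rule. Interface names and addresses come from the thread; LAN_NET (10.0.0.0/24), BR0_MAC (placeholder) and the use of iproute2 rather than brctl are assumptions, and if another host already owns the chosen --to-source address, take a free one from the /28 instead.

```shell
#!/bin/sh
# Prints the commands instead of running them; pipe a function's output
# to sh on the bridge box to apply it.
set -eu

BR0=br0; IF1=if1; IF2=if2
LAN_NET=10.0.0.0/24          # assumed: the poster only wrote 10.0.0.1
SNAT_IP=77.25.33.1           # the --to-source address from the thread
BR0_MAC=00:11:22:33:44:55    # placeholder: replace with br0's real MAC

# Option A (what the reply recommends): give the bridge the SNAT address.
# The kernel then answers ARP for it, so the nexthop's who-has gets a reply.
# -s LAN_NET keeps DMZ hosts (which keep their own public IPs) out of SNAT.
snat_with_bridge_ip() {
    printf '%s\n' \
      "ip link add name $BR0 type bridge" \
      "ip link set $IF1 master $BR0" \
      "ip link set $IF2 master $BR0" \
      "ip addr add $SNAT_IP/28 dev $BR0" \
      "ip link set $BR0 up" \
      "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -t nat -A POSTROUTING -s $LAN_NET -o $BR0 -j SNAT --to-source $SNAT_IP"
}

# Option B (the "ebtables trick" the reply mentions): the bridge stays
# IP-less, so ARP requests for the SNAT address are answered at layer 2
# with the bridge's MAC before they are flooded to the ports.
snat_with_arpreply() {
    printf '%s\n' \
      "ebtables -t nat -A PREROUTING -p ARP --arp-opcode Request --arp-ip-dst $SNAT_IP -j arpreply --arpreply-mac $BR0_MAC" \
      "sysctl -w net.ipv4.ip_forward=1" \
      "iptables -t nat -A POSTROUTING -s $LAN_NET -o $BR0 -j SNAT --to-source $SNAT_IP"
}

# Quick self-check: both variants must end in the same SNAT rule.
rules_agree() {
    [ "$(snat_with_bridge_ip | tail -n 1)" = "$(snat_with_arpreply | tail -n 1)" ]
}
```

Either way, verify with `tcpdump -ni br0 arp` from the nexthop side that who-has 77.25.33.1 now gets an is-at reply; without it the SNATed packets leave but nothing comes back.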



More information about the netfilter mailing list