iptables + ebtables + snat question
jengelh at linux01.gwdg.de
Sat Aug 13 14:36:23 CEST 2005
> I have the following setup:
> if0 ________
> DMZ---if1 if2---|ROUTER|---INTERNET
> \ / --------
Your ascii art is totally broken. If you draw ascii at all, use a monospaced
> LAN_NET = 10.0.0.1
> PUBLIC_NET = 184.108.40.206/28
> (14 hosts - broadcast = .15)
> I am doing transparent bridging between if1 and if2
> My ROUTER ethernet iface has IP 220.127.116.11
> my DMZ hosts will have public IPs ranging 18.104.22.168-14
> My question is: can I Masquerade (SNAT) my LAN
> IPs and use the ROUTER ethernet IP
> as a --to-source target?
> Or do I have to assign an IP to my br0 interface?
The bridge itself needs an IP if you want to SNAT to it. Otherwise this would
PING from dmz (22.214.171.124) to google.com (126.96.36.199) via
the nexthop (e.g. 188.8.131.52).
The bridge SNATs to 184.108.40.206
The nexthop asks arp-who-has 220.127.116.11 -- no response.
If your bridge does not have an IP, you need some ebtable tricks to make an
> I am in design mode so I was trying to figure out
> if this is possible.
> The rule would look like this:
> $IPTABLES -t nat -A POSTROUTING \
> -o $BR0 -j SNAT --to-source $ROUTER_IP
> Can this work?
| Alphagate Systems, http://alphagate.hopto.org/
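An added illustration of the point made above (it is not code from the thread, and the addresses are constructed placeholders, not the poster's): a toy model of the segment between the bridge and the nexthop, showing that a reply to a SNATed packet only comes back to the bridge box when the bridge itself answers ARP for the --to-source address. It checks the three cases discussed: SNAT to the router's own IP, SNAT to an address nobody owns, and SNAT to an IP assigned to br0.

```python
# Added example, not from the original mail thread. All addresses are
# constructed placeholders (RFC 5737 documentation ranges).
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    ips: set            # addresses this host answers ARP for


@dataclass
class Segment:
    hosts: list = field(default_factory=list)

    def arp_who_has(self, ip):
        """Who on this segment answers 'arp who-has ip'? None if nobody."""
        for h in self.hosts:
            if ip in h.ips:
                return h.name
        return None


def snat(packet, to_source):
    """POSTROUTING SNAT: rewrite the source address of an outgoing packet."""
    out = dict(packet)
    out["src"] = to_source
    return out


def round_trip(segment, bridge, lan_packet, to_source):
    """SNAT a LAN packet on the bridge box, then ask whether the nexthop can
    hand the reply back to the bridge. The reply is addressed to the SNAT
    source, so the nexthop must first resolve that address with ARP."""
    egress = snat(lan_packet, to_source)
    reply_dst = egress["src"]
    owner = segment.arp_who_has(reply_dst)
    return {"reply_dst": reply_dst, "arp_answer": owner,
            "delivered_to_bridge": owner == bridge.name}


def scenario(br0_ip=None):
    """Build the poster's setup: a nexthop router, one DMZ host, and the
    bridge box, which owns br0_ip only if one is assigned."""
    router = Host("router", {"203.0.113.1"})
    dmz = Host("dmz", {"203.0.113.2"})
    bridge = Host("bridge", {br0_ip} if br0_ip else set())
    seg = Segment([router, dmz, bridge])
    lan_pkt = {"src": "10.0.0.5", "dst": "198.51.100.7"}   # LAN -> internet
    return {
        "to_router_ip": round_trip(seg, bridge, lan_pkt, "203.0.113.1"),
        "to_unowned_ip": round_trip(seg, bridge, lan_pkt, "203.0.113.9"),
        "to_br0_ip": round_trip(seg, bridge, lan_pkt, br0_ip or "203.0.113.3"),
    }
```

Run `scenario()` and `scenario("203.0.113.3")` to see that only the last case, with an address actually assigned to br0, gets its replies back to the bridge.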