Is it possible, and if so how, to set up SNAT with iptables but exclude some machine or some destination network?
I actually have 2 routers behind my iptables router (one for the Internet; the other one, which I did not mention, is for a private network).
I don't understand any of it!
If you just take a minute to read it back, you will see ... it's incomprehensible!
So if you want help, take the time to describe the layout, the organisation, the addressing, ... This is not a presentation exercise; it may be an opportunity to find the reasons behind your design.
It is quite common to have 3 routers in one's network. There must be reasons.
The rest is easy once the logic is clear.
It is indeed incomprehensible! Let me explain: consider the diagram given in the attachment.
We make the following assumptions:
R1 is a router I cannot act on (I cannot change its routing table; it sends everything to the Internet)
R2 and R3 have Internet access
R2 and R3 have 3 legs each: one is connected to router R1, and on the other two legs there are 2 networks, symbolised in the diagram by PCs
The routing tables of R2 and R3 allow communication between all the PCs; these communications are not SNATed
If I want the PCs to be able to access the Internet, R2 and R3 must SNAT.
My question is: is it possible to configure iptables so that SNAT is done only for PC -> Internet communications, and PC <-> PC communications are done without address translation?
Hoping that it is a little clearer now!
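The question above has a direct iptables answer, shown here as an added example that was not posted by anyone in this thread. The interface names and addresses are assumptions chosen for illustration, since the diagram is not available: R2's leg towards R1 is eth0 with address 192.0.2.2 on a shared segment 192.0.2.0/24, R3 sits on that same segment as 192.0.2.3, and R3's two PC networks are 10.3.1.0/24 and 10.3.2.0/24. The point the example makes is that matching the outgoing interface alone is not enough: PC <-> PC traffic towards R3's networks leaves R2 through the very same leg as Internet traffic, so the destination must be excluded explicitly, and the exclusion rules must precede the SNAT catch-all.

```shell
#!/bin/sh
# Added example for R2; not from the thread. R3 gets the mirror image.
# Assumed addressing (illustration only):
#   R2: eth0 = leg towards R1 on the shared segment 192.0.2.0/24, address 192.0.2.2
#       eth1 / eth2 = R2's own PC networks (not needed in the rules below)
#   R3: 192.0.2.3 on the shared segment; PC networks 10.3.1.0/24 and 10.3.2.0/24
WAN_IF=eth0
WAN_IP=192.0.2.2
LINK_NET=192.0.2.0/24
PEER_ROUTER=192.0.2.3
PEER_NETS="10.3.1.0/24 10.3.2.0/24"

# Print each command unless APPLY=1 is set, in which case execute it (needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

snat_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # Routes to R3's PC networks point straight at R3 on the shared segment, so
    # that traffic leaves through eth0 exactly like Internet traffic does.
    # "-o eth0" alone therefore cannot tell the two apart.
    for net in $PEER_NETS; do
        run ip route replace "$net" via "$PEER_ROUTER" dev "$WAN_IF"
    done

    # Step 1: exclusions. RETURN leaves the nat POSTROUTING chain without a
    # translation, so PC <-> PC flows (and traffic to the shared segment
    # itself) keep their real source address. The nat table only sees the
    # first packet of a connection; conntrack applies the decision to the rest.
    for net in $PEER_NETS $LINK_NET; do
        run iptables -t nat -A POSTROUTING -o "$WAN_IF" -d "$net" -j RETURN
    done

    # Step 2: catch-all. Whatever is still leaving towards R1 is Internet-bound;
    # rewrite its source to R2's own address so R1 only ever sees 192.0.2.2.
    # Order matters: this rule must come after the exclusions above.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

snat_rules
```

Run without arguments to review the generated commands; run with APPLY=1 as root to install them. Only the nat table is touched here; any filtering in the FORWARD chain is a separate matter. Because R1 never sees the PC addresses behind R2 and R3, it needs no routes to them, which is what makes this work with an R1 that cannot be reconfigured.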
The diagram above illustrates "why keep it simple when you can make it complicated."
As I understand it, each of the 4 networks should be directly reachable from the others (ping from one to another).
1st idea: 1 router with 4 interfaces: too easy.
2nd idea: routers only, i.e. routers without any address translation, but with (cross) routes. In any case, router R1 will do the (necessary) translation for the Internet.
In the latter case, a simple "ip_forward = 1" plus routes (ip route add xxxx mask yyyy dev ethX via R3) and it works. Besides, there is no SNAT to hide behind.
It has to be hidden. It must learn the routes to the 4 other internal networks.
But since it cannot do anything, you INTERPOSE a fourth router, judiciously placed.
Between the unmanaged one and the other two.
And you gain a 'small' DMZ, plus if your new router is a bit of a firewall ...
Thank you Snake08, I forgot an important point: the routes that router R1 absolutely must know.
Thus:
Option 1: 1 router / firewall with 4 interfaces:
=> It hides the traffic from router R1 (which sees only its address) and routes between each interface
Option 1: 1 router with 4 interfaces:
=> Router R1 must know the 4 networks (via the intermediate router) and the router routes between the 4 interfaces.
Option 2: 1 intermediate router / firewall (with DMZ if necessary):
=> It hides the traffic from router R1 (which sees only its address)
=> And it must know the 4 networks (via each router)