Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: howto start with gateway / router / masquerading
Special Forums IP Networking howto start with gateway / router / masquerading Post 302341869 by gratuitous_arp on Thursday 6th of August 2009 07:54:36 PM
Old 08-06-2009
Santiago,

Masquerading is a form of network address translation (NAT). Outside of iptables, masquerading is also commonly called port address translation (PAT). Any packet which leaves a particular interface of the router will have its IP header modified to use the source IP address of the exit interfaced used on the router. Try looking up PAT on wikipedia for a good description.

With your configuration of iptables, any packet leaving any interface on the router should take on the address of the interface which it left. I would think hosts on both of the 172 networks would have problems with reply traffic from hosts on different networks, and nodes on the 192 network would not be able to access hosts on the 172 network but would be able to reach the Internet.

As an example, suppose a PC on the 172.16.70.0 network pings the PC on the 192 network.

When the packet hits the router and is routed to the 192 network, the packet is NATed, and its source IP address changes to 192.168.1.224. The PC on the 192 network gets the ping, and replies to it normally (with a destination IP address of 192.168.1.224).

The router forwards the packet back to the ping originator on the 172 network, but masquerades the source IP address to 172.16.70.254 as it sends it out that interface. The PC on the 172 network is waiting for a reply from 192.168.1.32 -- getting an echo reply from 172.16.70.254 would sound like bogus traffic. Thus, it never receives a reply from the 192 node and you get an error message.

Unless my thinking is fuzzy or iptables is doing something else behind the scenes, it would sound like you only want to masquerade for traffic going out of the 192 interface of the router. Try it out and see if it works as it is. If not, you can tell iptables to only masquerade for traffic leaving the 192 interface by using the '-o <INTERFACE NAME>' option within the iptables command string you posted earlier.
 

4 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

Remote Unix printing to my WinXP works with no router. How can I make it work through my router?

I set up remote printing on a clients Unix server to my Windows XP USB printer. My USB printer is connected directly to my PC (no print server and no network input on printer). With my Win XP PC connected to my cable modem (without the router), i can do lp -dhp842c /etc/hosts and it prints. I... (7 Replies)
Discussion started by: jmhohne
7 Replies

2. Linux

GNUGK-How to setup static gateway to gateway routing

Dear Sir I am a newbie in the world of IP telephony. I have been working with Asterisk PBX (SIP) and Cisco Call Manager (MGCP) but now I am learning on how to work GNUGK for H.323 Gatekeeper. I am having a problem, configuring static call routing on GNUGK in the section ... (0 Replies)
Discussion started by: mfondoum
0 Replies

3. UNIX for Beginners Questions & Answers

Inconsistency between RedHat 6.5 global gateway and single gateway leads to loss of default gateway

Dear friends I use RedHat 6.5, which sets the gateway in the configuration file / etc / sysconfig / network as GATEWAY = 192.168.1.26, and the gateway in the configuration file / etc / sysconfig / network-scripts / ifcfg-eth11 as GATEWAY = 192.168.1.256. The two gateways are different.... (6 Replies)
Discussion started by: tanpeng
6 Replies

4. UNIX for Beginners Questions & Answers

Howto auto boot SPARC | How to auto supply "start /SYS" and "start /SP/console" commands

When I power ON my T4-1, I got a prompt -> where I have to start /SYS and start /SP/console. How can I auto supply these two commands ? (3 Replies)
Discussion started by: z_haseeb
3 Replies

LEARN ABOUT FREEBSD

gre

GRE(4)							   BSD Kernel Interfaces Manual 						    GRE(4)

NAME

     gre -- encapsulating network device

SYNOPSIS

     To compile the driver into the kernel, place the following line in the kernel configuration file:

	   device gre

     Alternatively, to load the driver as a module at boot time, place the following line in loader.conf(5):

	   if_gre_load="YES"

DESCRIPTION

     The gre network interface pseudo device encapsulates datagrams into IP.  These encapsulated datagrams are routed to a destination host, where
     they are decapsulated and further routed to their final destination.  The ``tunnel'' appears to the inner datagrams as one hop.

     gre interfaces are dynamically created and destroyed with the ifconfig(8) create and destroy subcommands.

     This driver corresponds to RFC 2784.  Encapsulated datagrams are prepended an outer datagram and a GRE header.  The GRE header specifies the
     type of the encapsulated datagram and thus allows for tunneling other protocols than IP.  GRE mode is also the default tunnel mode on Cisco
     routers.  gre also supports Cisco WCCP protocol, both version 1 and version 2.

     The gre interfaces support a number of additional parameters to the ifconfig(8):

     grekey	  Set the GRE key used for outgoing packets.  A value of 0 disables the key option.

     enable_csum  Enables checksum calculation for outgoing packets.

     enable_seq   Enables use of sequence number field in the GRE header for outgoing packets.

EXAMPLES

     192.168.1.* --- Router A  -------tunnel-------- Router B --- 192.168.2.*
						       /
			 			      /
			  +------ the Internet ------+

     Assuming router A has the (external) IP address A and the internal address 192.168.1.1, while router B has external address B and internal
     address 192.168.2.1, the following commands will configure the tunnel:

     On router A:

	   ifconfig greN create
	   ifconfig greN inet 192.168.1.1 192.168.2.1
	   ifconfig greN inet tunnel A B
	   route add -net 192.168.2 -netmask 255.255.255.0 192.168.2.1

     On router B:

	   ifconfig greN create
	   ifconfig greN inet 192.168.2.1 192.168.1.1
	   ifconfig greN inet tunnel B A
	   route add -net 192.168.1 -netmask 255.255.255.0 192.168.1.1

NOTES

     The MTU of gre interfaces is set to 1476 by default, to match the value used by Cisco routers.  This may not be an optimal value, depending
     on the link between the two tunnel endpoints.  It can be adjusted via ifconfig(8).

     For correct operation, the gre device needs a route to the decapsulating host that does not run over the tunnel, as this would be a loop.

     The kernel must be set to forward datagrams by setting the net.inet.ip.forwarding sysctl(8) variable to non-zero.

SEE ALSO

     gif(4), inet(4), ip(4), me(4), netintro(4), protocols(5), ifconfig(8), sysctl(8)

     A description of GRE encapsulation can be found in RFC 2784 and RFC 2890.

AUTHORS

     Andrey V. Elsukov <ae@FreeBSD.org>
     Heiko W.Rupp <hwr@pilhuhn.de>

BUGS

     The current implementation uses the key only for outgoing packets.  Incoming packets with a different key or without a key will be treated as
     if they would belong to this interface.

     The sequence number field also used only for outgoing packets.

BSD
								 November 7, 2014							       BSD
All times are GMT -4. The time now is 11:09 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy