#1 - 01-21-2010 - Just Joined! (Join Date: Jan 2009, Posts: 10)
NAT on virtual IP doesn't work
Hi there, thanks for reading this post.
We have the following school project that I can't seem to do correctly:
We need to make a whole subnet communicate with the internet through another subnet's gateway using iptables, with a difficulty option: only 1 NIC.
I know it seems complicated, but it's not that bad. Please keep reading and let me explain.
Let's say we have subnet (number 1) = 10.1.2.0/24, gateway 10.1.2.1.
I have another subnet (number 2) = 192.168.1.0/24, gateway 192.168.1.1.
Subnet 1's gateway (10.1.2.1) doesn't have a WAN connection.
Subnet 2's (192.168.1.1) does.
Which means all 192.168.1.XXX can communicate with the internet, while all 10.1.2.XXX cannot.
Now, the goal of the project is to give 10.1.2.1 the possibility to NAT packets coming from its subnet to 192.168.3.1, so the subnet 10.1.2.XX will have access to the internet.
Now, since 10.1.2.1 (the gateway) only has 1 NIC, we make it hold virtual IPs.
eth0:0 = 192.168.1.35 (static)
eth0:1 = 10.1.2.1 (static, being the 10.1.2.0/24 gateway)
The routes are OK and I can ping correctly on both subnets.
I can even ping the internet from eth0:0 !! (192.168.1.35)
I thought using the following iptables command from the 10.1.2.1 machine would do the trick:
Code:
iptables -t nat -A POSTROUTING -s 10.1.2.0/24 -j SNAT --to-source 192.168.1.35
But for some reason, 192.168.1.1 doesn't even receive any packet according to its log, except when it's not NATed (when it comes directly from 192.168.1.35), which makes me think the iptables command above doesn't work correctly.
Any way I could fix this?
Thanks for reading, I know it's a complicated problem !!
(In fact, it's not that bad: I want to NAT all packets from one gateway to another, but having only 1 NIC.)
#2 - 01-21-2010 - Just Joined! (Join Date: Aug 2009, Location: Mumbai, India, Posts: 75)
Hi,
First, check if IP forwarding is enabled:
Code:
cat /proc/sys/net/ipv4/ip_forward
If the value is 0 then enable it by giving the following command:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Second, you need to have packets accepted by the FORWARD chain:
Code:
iptables -I FORWARD -s 10.1.2.0/24 -j ACCEPT
iptables -I FORWARD -d 10.1.2.0/24 -j ACCEPT
The POSTROUTING command seems okay.
--Syd
#3 - 01-21-2010 - Just Joined! (Join Date: Jan 2009, Posts: 10)
Re:
Thanks for the answer.
For an unknown reason, it still doesn't work.
Guess I'll have to wait for the teacher's answer on this one!
Thanks a lot for your time btw.
#4 - 01-22-2010 - Just Joined! (Join Date: Aug 2009, Location: Mumbai, India, Posts: 75)
Hi,
Just to verify, can you try pinging one of the systems in the 192.168.1.0 segment from the 10.1.2.0 segment, other than from 10.1.2.1.
While pinging, verify that the packet count on 10.1.2.1 increases for the SNAT rule with the command:
Code:
iptables -t nat -nvL
Also check in tcpdump whether the packets are being received by 10.1.2.1.
As an alternative, just add the POSTROUTING rule and set the default policy of the FORWARD, OUTPUT and INPUT chains to ACCEPT with no rules listed for the respective chains.
--Syd
Last edited by syd05; 01-22-2010 at 03:02 AM. Reason: Typo error
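The following is an added example, not a script from the original poster or from Syd, that turns the procedure in Syd's two replies (enable forwarding, accept in FORWARD, SNAT in POSTROUTING, then watch the rule counters and tcpdump) into one script for the gateway described in this thread. It assumes, as the thread states, that eth0 carries both 192.168.1.35 and 10.1.2.1, that 192.168.1.1 is the router with the WAN link, and that 10.1.2.0/24 is the subnet to be translated. The listing used to exercise the counter check is constructed, not captured from the poster's machine.

```sh
#!/bin/sh
# Added example (not the original poster's or Syd's script): a single-NIC SNAT
# gateway for the setup in this thread, plus the two checks from the second reply.
# Assumed from the thread: eth0 carries both 192.168.1.35 and 10.1.2.1, the
# uplink router is 192.168.1.1, and the LAN to be NATed is 10.1.2.0/24.

LAN_NET="10.1.2.0/24"
NAT_IP="192.168.1.35"
UPLINK_GW="192.168.1.1"
IFACE="eth0"
IP_FORWARD_FILE="/proc/sys/net/ipv4/ip_forward"

# Succeeds only if IPv4 forwarding is on. The path can be overridden so the
# check can be exercised against a constructed file instead of /proc.
forwarding_enabled() {
    [ "$(cat "${1:-$IP_FORWARD_FILE}" 2>/dev/null)" = "1" ]
}

# Emit the gateway configuration in the order it has to be applied. Forwarding
# comes first; FORWARD admits only new flows leaving the LAN and replies coming
# back to it (instead of a blanket "-d 10.1.2.0/24 -j ACCEPT"); SNAT is pinned
# to the outgoing interface. With one NIC every forwarded packet enters and
# leaves eth0, so -i/-o both match. Printed, not executed, so it can be reviewed.
gateway_commands() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -I FORWARD 1 -s $LAN_NET -o $IFACE -j ACCEPT
iptables -I FORWARD 2 -d $LAN_NET -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET -o $IFACE -j SNAT --to-source $NAT_IP
EOF
}

# The two checks from the second reply: the SNAT rule's counters, and a sniff of
# eth0 for the LAN's packets and the translated copies heading to the uplink.
check_commands() {
    cat <<EOF
iptables -t nat -nvL POSTROUTING
tcpdump -ni $IFACE net $LAN_NET or host $UPLINK_GW
EOF
}

# Read "iptables -t nat -nvL POSTROUTING" output on stdin and print the packet
# counter of the SNAT rule for the given source network (0 if there is none).
# Column layout of -nvL: pkts bytes target prot opt in out source destination ...
snat_packet_count() {
    awk -v net="$1" '
        $3 == "SNAT" && $8 == net { print $1; found = 1 }
        END { if (!found) print 0 }'
}

# Constructed sample of the counter listing, as it would look after the rule
# had translated 37 packets; used only to exercise snat_packet_count offline.
SAMPLE_LISTING='Chain POSTROUTING (policy ACCEPT 12 packets, 900 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  2812 SNAT       all  --  *      eth0    10.1.2.0/24          0.0.0.0/0            to:192.168.1.35'

# Stand-alone use on the gateway: "sh nat.sh apply" runs the configuration as
# root, "sh nat.sh check" prints the diagnostic commands, no argument prints
# the configuration for review.
case "${1:-}" in
    apply) gateway_commands | sh -e ;;
    check) check_commands ;;
    *)     gateway_commands ;;
esac
```

Two caveats when reading the counters. The nat table is consulted only for the first packet of each connection, so a single continuous ping from one LAN host bumps the SNAT counter once and then rides the existing conntrack entry; the FORWARD rule counters (`iptables -nvL FORWARD`) go up per packet and are the better per-packet signal. And a counter that stays at 0 while a 10.1.2.x host (not 10.1.2.1 itself) is pinging means the packets never reached the forwarding path at all, which points at ip_forward or at the host's default route rather than at the SNAT rule. The example also keeps the FORWARD chain restrictive rather than setting the INPUT, OUTPUT and FORWARD policies to ACCEPT; opening the policies is a fair way to isolate the fault, but it should be undone once the SNAT rule is confirmed to work.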