Routing / NAT for Multi Subnet Router

Linux Advanced Routing and Traffic Control


Hi,

I have a Linux system which is a router between several subnets (each also a
different segment): in total 3 different LANs, 2 DMZs, and 4 internet
connections. My default FORWARD policy is DROP. Here is a simplified example
of my config with only two LAN segments and one internet connection:

Allow forwarding between lans

-A FORWARD -s lan1/mask -j ACCEPT
-A FORWARD -d lan1/mask -j ACCEPT
-A FORWARD -s lan2/mask -j ACCEPT
-A FORWARD -d lan2/mask -j ACCEPT

Are some of those redundant?

Then I want to NAT anything that is not going to one of the local subnets (i.e. is
going to the internet), but the only way I can find to do that is to set up rules
to avoid NATting between subnets:

-t nat -A POSTROUTING -s lan1/mask -d lan2/mask -j RETURN
-t nat -A POSTROUTING -s lan2/mask -d lan1/mask -j RETURN

And then a final rule to nat:

-t nat -A POSTROUTING -s lan1/mask -j SNAT --to-source <lan.one.nat.ip>

I used to have a rule like:

-t nat -A POSTROUTING -s lan1/mask -o internet-eth -j MASQUERADE

and that worked because it only NATted packets that were going to the internet, but
now I am using Equal Cost MultiPath, and that doesn't work well with
MASQUERADE. It does work with SNAT, but with SNAT I cannot use a rule
like that.

Is there a better way to achieve what I desire?

Thanks
Andy

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
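Added illustration, not part of Andy's message: a small Python model of the ruleset described above that walks one packet per traffic class through the FORWARD and POSTROUTING chains, showing that every FORWARD rule is the first match for some class (so none is strictly redundant, though the two -d rules also admit unsolicited inbound traffic from the internet) and that the RETURN rules are what keep LAN-to-LAN traffic un-NATted. The addresses, the second SNAT rule for lan2, and the flow table are constructed assumptions standing in for the lan1/mask, lan2/mask and <lan.one.nat.ip> placeholders.

```python
import ipaddress

# Constructed addresses standing in for the post's lan1/mask, lan2/mask and
# <lan.one.nat.ip> placeholders (assumptions, not values from the message).
LAN1 = ipaddress.ip_network("10.1.0.0/24")
LAN2 = ipaddress.ip_network("10.2.0.0/24")
NAT_IP = "203.0.113.10"

def rule(src=None, dst=None, target="ACCEPT"):  # one iptables rule: -s, -d, -j
    net = lambda n: ipaddress.ip_network(n) if n else None
    return {"src": net(src), "dst": net(dst), "target": target}

# filter FORWARD chain as posted, default policy DROP
FORWARD = [rule(src=LAN1), rule(dst=LAN1), rule(src=LAN2), rule(dst=LAN2)]
FORWARD_POLICY = "DROP"

# nat POSTROUTING chain: RETURN for LAN-to-LAN, then SNAT (the lan2 SNAT rule is assumed)
POSTROUTING = [
    rule(src=LAN1, dst=LAN2, target="RETURN"),
    rule(src=LAN2, dst=LAN1, target="RETURN"),
    rule(src=LAN1, target="SNAT"),
    rule(src=LAN2, target="SNAT"),
]

def first_match(chain, src_ip, dst_ip):
    """Index of the first rule whose -s and -d both match the packet, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(chain):
        if (r["src"] is None or s in r["src"]) and (r["dst"] is None or d in r["dst"]):
            return i
    return None

def forward_verdict(src_ip, dst_ip):
    """ACCEPT/DROP from the first matching FORWARD rule, else the chain policy."""
    i = first_match(FORWARD, src_ip, dst_ip)
    return FORWARD_POLICY if i is None else FORWARD[i]["target"]

def source_after_nat(src_ip, dst_ip, chain=POSTROUTING):
    """Source address the next hop sees; RETURN or no match leaves it unchanged."""
    i = first_match(chain, src_ip, dst_ip)
    return NAT_IP if i is not None and chain[i]["target"] == "SNAT" else src_ip

FLOWS = {  # one constructed packet per traffic class
    "lan1->lan2": ("10.1.0.5", "10.2.0.5"), "lan2->lan1": ("10.2.0.5", "10.1.0.5"),
    "lan1->inet": ("10.1.0.5", "198.51.100.1"), "lan2->inet": ("10.2.0.5", "198.51.100.1"),
    "inet->lan1": ("198.51.100.1", "10.1.0.5"), "inet->lan2": ("198.51.100.1", "10.2.0.5"),
}

def unused_rules(chain):
    """Rule indices that are never the first match for any flow class, i.e. redundant here."""
    return set(range(len(chain))) - {first_match(chain, *p) for p in FLOWS.values()}
```

Dropping the two RETURN rules (`source_after_nat(..., POSTROUTING[2:])`) shows the lan1->lan2 packet leaving with the NAT address, which is the behaviour the RETURN rules exist to prevent.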
