RE: Very unusual NAT configuration...

Do not assign IP address A to any interface on the router machine.
Also, make sure that the route tables will send traffic for 10.10.4.5 out
the appropriate interface (eth2).

Example:

router:eth0 = 10.10.5.10
router:eth1 = 2.2.2.1   --> 2.2.2.5
router:eth2 = 10.0.0.2  --> 10.10.4.5

NAT:

src: any, dst: 10.10.4.5, int: eth0 --> src: orig, dst: 2.2.2.5


FLOW:

1. some client sends packet to 10.10.4.5
2. outside world routes packet to router:eth0
3. NAT rule translates packet destination to 2.2.2.5
4. router sends packet to 2.2.2.5
5. 2.2.2.5 sends packet back to router:eth1
6. NAT rule does not match -- restricted to eth0
7. router sends packet out eth2 to 10.10.4.5 based on routing tables

The return traffic could either go back through the proxy (if 2.2.2.5
changes the source IP), or go directly back to the external client.

I have done similar setups regularly, just not on linux.  However, I do
not see any reason why linux could not handle this.

On Mon, 23 Aug 2004, Josan Kadett wrote:

> Indeed, I can change the IP number of eth0 interface; the problem is that I
> am not sure whether after this change, the destination NAT scheme will still
> be working:
> 
> Consider this;
> 
> Eth0 has IP address A
> Eth1 has IP address B -> Host connected to eth1 has the same IP address A
> 
> When client C connects to A from eth0, the destination has to be translated
> to IP address A which is in a different interface. 
> 
> If I change the IP address of Eth0 to X now, a client would still wish to
> connect to the IP address A, but now my ethernet interface does not have
> such an address so how is NAT supposed to work in this situation ?
> 
> Having two different routes to one place would not be an issue, but this
> time, the local-loopback's route takes precedence over anything. If I
> disable its route, now again it insists on that route and since system cannot
> find that internal route, it fails to connect.
> 
> That could be summarized as follows; 
> 
> If I wish to send a ping to a host in a different subnet whose IP is exactly
> the same as one of the IP addresses I have assigned the system, there is no
> clear way to tell the system not to use loopback device and instead send the
> datagram over the route I want (even if I explicitly specify it, no avail)
> 
> But I am sure there is a way to do it because this is linux and it is open.
> Perhaps such an unusual NAT configuration could not be established right
> away, but there must be a method...
> 
> -----Original Message-----
> From: asterr [mailto:asterr@pobox.com] 
> Sent: Monday, August 23, 2004 4:57 AM
> To: Josan Kadett
> Cc: linux-net@vger.kernel.org
> Subject: Re: Very unusual NAT configuration...
> 
> If I read this correctly, you seem to be expecting the linux router to have
> two different routes to 10.10.4.5.  
> - one because eth0 is 10.10.4.5
> - one because another host with 10.10.4.5 is off eth2
> 
> This routing situation will cause great grief, even if there is a way to
> make it work.  I suspect, it just won't work.
> 
> However, you could get out of this situation if you can reassign the
> IP address on eth0.  Then, your routes should work.
> 
> As long as the outside world still routes traffic for 10.10.4.5 into eth0,
> your existing NAT should work to send traffic to 2.2.2.5.
> 
> As long as the NAT above is only defined for inbound traffic on eth0, 
> 2.2.2.5 should be able to send traffic back to the internal host at
> 10.10.4.5.
> 
> -Aaron
> 
> On Mon, 23 Aug 2004, Josan Kadett wrote:
> 
> > I have just resolved that checksum issue; but I have another one now... A
> > very complicated and unusual type of NAT has to be established between two
> > networks, here are the details;
> > 
> > These are the interfaces and information about them
> > 
> > eth0 - This interface has the IP address of 10.10.4.5 with gateway 10.10.4.1
> > eth1 - This interface has the address of 2.2.2.1 and is a NAT gateway itself
> > which is connected to a single machine with IP 2.2.2.5
> > eth2 - This interface has the address of 10.0.0.2 and connects to a private
> > LAN
> > 
> > I wish to do the following operation with these three interfaces;
> > 
> > - [any] request from outside to eth0's local IP number 10.10.4.5 must first
> > be redirected to 2.2.2.5 [that machine connected to eth1]
> > - The machine [2.2.2.5] that gets redirected packets from 10.10.4.5 must
> > send them back to 10.10.4.5**
> > !! But this 10.10.4.5 is a different host, not the local IP number assigned
> > to eth0. This causes all the problem in this scheme now...
> > 
> > To simplify the issue I could explain the following; 
> > 
> > Consider that there is machine with two ethernet ports:
> > - 1st Ethernet port has an address assigned as 10.10.4.5
> > - 2nd Ethernet port has an address assigned as 10.0.0.2
> > 
> > These two networks are not in the same subnet physically, they are separate
> > networks:
> > 
> > In the subnet to which the 2nd ethernet port is connected, there is a host
> > whose address is the same as 10.10.4.5, and this address of this host must
> > not be changed. So there are two networks, and two different hosts on both
> > with the same address.
> > 
> > What can I do to resolve the issue without changing the IP addresses?
> > (Indeed if I change the addresses it would be very easy, but it will not be
> > convenient for our current network. We are just trying to connect one
> > network to the other through two hosts that have the same IP address.)
> > 
> > Any urgent help would be greatly appreciated...
> > 
> > -----Original Message-----
> > From: asterr [mailto:asterr@pobox.com] 
> > Sent: Monday, August 23, 2004 2:33 AM
> > To: Josan Kadett
> > Cc: linux-admin@vger.kernel.org
> > Subject: Re: Turning off TCP and UDP checksum in kernel level
> > 
> > Rather than modify the TCP stack, you might want to look at setting up
> > a NAT translation on the linux box.  See iptables for details.
> > 
> > I haven't thought this all the way through, but you probably want some rules
> > like:
> > 
> > src: 192.168.1.1, dst: $LINUX_IP_ADDRESS, port: any, state: any 
> >   translates to:
> > src: 192.168.77.1, dst: $LINUX_IP_ADDRESS, port: orig, state: orig
> > 
> > -Aaron
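The configuration worked through in the reply above (renumber eth0 so the router no longer owns 10.10.4.5, DNAT restricted to packets arriving on eth0, host route for the real 10.10.4.5 out eth2), written out as an added shell example that is not part of the thread. It generates the iptables/iproute2 commands, limits FORWARD to the two legs the flow needs, and checks a constructed `ip -4 addr show` listing to confirm the router does not still hold 10.10.4.5 (the kernel's local-table route for a configured address is what beats the eth2 route in the original problem). Addresses and interface names are the thread's; 10.10.5.10 as the replacement eth0 address is taken from the reply's example; the iptables flags assume a Linux box with the nat table and connection tracking available.

```shell
#!/bin/sh
# Added example, not from the thread: generate and sanity-check the iptables /
# iproute2 commands for the DNAT-to-proxy, route-back-out-eth2 flow.
# Addresses and interface names are the ones used in the thread; 10.10.5.10
# (the renumbered eth0) is an assumption taken from the reply's example.

PUBLIC_IP=10.10.4.5     # address the outside world routes towards eth0
PROXY_IP=2.2.2.5        # host behind eth1 that must see the traffic first
NEW_ETH0_IP=10.10.5.10  # eth0 must NOT keep 10.10.4.5 (see addr_not_local)
OUTSIDE_IF=eth0
PROXY_IF=eth1
INSIDE_IF=eth2

# The kernel installs a 'local' table route for every configured address, and
# that route wins over anything in 'main', so the router must not own
# 10.10.4.5 on any interface. Takes the text of `ip -4 addr show` as $1 and
# returns 0 (true) when the address is absent.
addr_not_local() {
    ! printf '%s\n' "$1" | grep -qF "inet $PUBLIC_IP/"
}

# DNAT only packets that ARRIVE on eth0. Replies from 2.2.2.5 arrive on eth1,
# do not match this rule, and are routed by the normal table (out eth2).
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$OUTSIDE_IF" "$PUBLIC_IP" "$PROXY_IP"
}

# Host route for the real 10.10.4.5 out eth2 (assumed on-link, so no gateway).
route_cmd() {
    printf 'ip route add %s/32 dev %s\n' "$PUBLIC_IP" "$INSIDE_IF"
}

# Forwarding policy: only the two legs the flow needs, plus conntrack replies
# (which also covers 2.2.2.5 answering the external client directly, since
# conntrack treats that as the reply direction of the DNAT'd connection).
# FORWARD sees the post-DNAT destination, hence -d 2.2.2.5 on the first leg.
forward_rules() {
    printf 'iptables -A FORWARD -i %s -o %s -d %s -j ACCEPT\n' \
        "$OUTSIDE_IF" "$PROXY_IF" "$PROXY_IP"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -j ACCEPT\n' \
        "$PROXY_IF" "$INSIDE_IF" "$PUBLIC_IP"
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -P FORWARD DROP\n'
}

# Full plan, in the order it should be applied.
plan() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    route_cmd
    dnat_rule
    forward_rules
}

# Default: print the plan. With "apply": refuse while 10.10.4.5 is still a
# local address (renumber eth0 to $NEW_ETH0_IP first), then execute it.
case "$1" in
    apply)
        if ! addr_not_local "$(ip -4 addr show)"; then
            echo "$PUBLIC_IP is still a local address; renumber $OUTSIDE_IF to $NEW_ETH0_IP first" >&2
            exit 1
        fi
        plan | sh -e
        ;;
    *)
        plan
        ;;
esac
```

Run without arguments to see the commands; `sh thisfile apply` executes them only after the local-address check passes. The check is the part worth keeping even if the rules are typed by hand: with 10.10.4.5 still on eth0, the DNAT and the eth2 route both look correct but the kernel delivers locally and the "reply goes out eth2" step never happens.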
