Re: NAT to one net, bridge to another

Hello,

Mike Williams wrote:

> At the moment I'm looking at NATting stuff to 3 different zones (private networks), and hopefully bridging to a 4th zone. It'll have 10 nics, all paired off into round-robin bonds, so 5 usable interfaces. 1 colo facing, 3 private, 1 "public".

What interfaces do you plan to bridge?

> Can you DNAT packets to IPs X, Y, and Z assigned to a bridge, while bridging those IPs not assigned to it?

First, bridging and DNAT don't take place at the same network layer. Bridging takes place at layer 2 and DNAT at layer 3 or 4. You bridge ethernet frames (possibly transporting IP packets, but it doesn't matter) according to their MAC addresses, and this process is transparent for the TCP/IP stack. You DNAT IP datagrams (possibly transported in ethernet frames) according to their IP addresses and TCP or UDP ports. A bridge can be considered as a virtual ethernet switch whose ports are the bridged interfaces. On the host, it creates a bridge interface "hiding" the bridged interfaces, just as a bond interface hides the enslaved interfaces. So the kernel routing and Netfilter/iptables will only see packets from the bridge interface, not those from the bridged interfaces.

I assume you plan to bridge the "colo" and "public" interfaces.

         colo     public
           |        |
           |        |
        bridge interface
               |
               |
         TCP/IP stack (routing, iptables, NAT, filtering)
            |  |  |
            |  |  |
       private interfaces

The bridge catches incoming ethernet frames before the IP stack can see them. So an ethernet frame forwarded from colo to public does not hit the IP stack, unless it is an ethernet broadcast.

To try to answer your question, you can DNAT IP datagrams transported by ethernet frames which are not bridged to another interface.
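The following is an added example (not code from this thread) that models, in Python, the layering the reply above describes: a bridge decides by destination MAC whether a frame is forwarded to another bridged port or handed up to the host, and only frames that reach the host's IP stack are candidates for PREROUTING DNAT and routing towards the private interfaces. All MAC addresses, IP addresses, port names and DNAT rules in it are constructed for illustration; the `Bridge`, `IpStack` and `process` names are this example's own, not kernel APIs.

```python
"""Toy model of 'bridge first, IP stack second' for the colo/public/private layout.

Added example, not code from the mailing-list thread. Every MAC, IP, interface
name and DNAT rule below is constructed; br_netfilter is deliberately not modelled.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    dst_ip: str       # destination of the IP datagram carried in the frame
    dst_port: int     # TCP/UDP destination port of that datagram


class Bridge:
    """Layer 2: learns source MACs per port and forwards by destination MAC."""

    def __init__(self, own_mac, ports):
        self.own_mac = own_mac        # MAC of the bridge interface itself
        self.ports = set(ports)       # bridged (enslaved) interfaces, e.g. colo/public
        self.fdb = {}                 # forwarding database: learned MAC -> port

    def receive(self, in_port, frame):
        """Return (ports to forward the frame on, whether the local IP stack sees it)."""
        self.fdb[frame.src_mac] = in_port          # MAC learning on every frame
        if frame.dst_mac == BROADCAST:
            # flooded to the other ports AND delivered to the host's IP stack
            return self.ports - {in_port}, True
        if frame.dst_mac == self.own_mac:
            # addressed to the host: goes up to the IP stack, is not bridged
            return set(), True
        out = self.fdb.get(frame.dst_mac)
        if out is None:
            return self.ports - {in_port}, False   # unknown unicast: flood, stack never sees it
        return {out} - {in_port}, False            # known unicast: forward, stack never sees it


class IpStack:
    """Layer 3/4: a PREROUTING-style DNAT table, then a prefix-keyed routing table."""

    def __init__(self, dnat_rules, routes):
        self.dnat_rules = dnat_rules   # (dst_ip, dst_port) -> (new_ip, new_port)
        self.routes = routes           # IP prefix string -> output (private) interface

    def handle(self, frame):
        key = (frame.dst_ip, frame.dst_port)
        dst = self.dnat_rules.get(key, key)        # DNAT applies only if a rule matches
        out_if = next((ifc for prefix, ifc in self.routes.items()
                       if dst[0].startswith(prefix)), None)
        return {"dnat_to": dst, "route_via": out_if}


def process(bridge, stack, in_port, frame):
    """Run one frame through the model: bridge decision first, IP stack only if delivered locally."""
    forward_to, local = bridge.receive(in_port, frame)
    result = {"forwarded_to": sorted(forward_to), "hit_ip_stack": local}
    if local:
        result.update(stack.handle(frame))
    return result


def demo():
    """Three constructed frames arriving on 'colo': bridged, to-host (DNAT), broadcast."""
    br = Bridge(own_mac="02:00:00:00:00:01", ports=["colo", "public"])
    stack = IpStack(
        dnat_rules={("203.0.113.10", 80): ("10.1.0.5", 8080)},   # constructed rule
        routes={"10.1.": "priv1", "10.2.": "priv2", "10.3.": "priv3"},
    )
    # Let the bridge learn that host 02:aa:... sits behind the 'public' port.
    br.receive("public", Frame("02:aa:aa:aa:aa:aa", BROADCAST, "0.0.0.0", 0))
    src = "02:cc:cc:cc:cc:cc"
    bridged = process(br, stack, "colo", Frame(src, "02:aa:aa:aa:aa:aa", "203.0.113.20", 443))
    to_host = process(br, stack, "colo", Frame(src, br.own_mac, "203.0.113.10", 80))
    broadcast = process(br, stack, "colo", Frame(src, BROADCAST, "255.255.255.255", 67))
    return bridged, to_host, broadcast


if __name__ == "__main__":
    for name, res in zip(("bridged", "to_host", "broadcast"), demo()):
        print(f"{name:10} {res}")
```

Running `demo()` shows the three cases from the reply: the unicast frame for a MAC learned on `public` is forwarded there and never reaches the IP stack (so no DNAT can apply to it), the frame addressed to the bridge's own MAC is not bridged but is DNATed and routed out a private interface, and the broadcast is both flooded to `public` and delivered locally. One caveat the model leaves out: on a real Linux host the `br_netfilter` module with `net.bridge.bridge-nf-call-iptables` enabled makes bridged frames traverse the iptables chains too, so check that sysctl before relying on "bridged frames never hit iptables".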
