
List:       netfilter
Subject:    Re: Dual Overlapping NAT
From:       Doug VanLeuven <roamdad () attglobal ! net>
Date:       2002-01-31 19:10:16

jbackman@telcordia.com wrote:
> 
> Won't I have a problem with the routing since the destination NAT is
> performed before the routing decision?
> 
> Justin Backman
> 
> Doug VanLeuven writes:
> 
> > jbackman@telcordia.com wrote:
> >>
> >> Help...
> >>
> >> I have a most difficult but interesting situation for which I would like to
> >> use iptables NAT. I have a client who has recently bought another company
> >> which has an internal IP numbering scheme which completely overlaps with
> >> their existing numbering scheme. Instead of renumbering, the client would
> >> like to do the following:
> >>
> >> Company 1 <----> Router1 <----> Linux NAT <----> Router2 <----> Company 2
> >>
> >> Company 1 and Company 2 both have addresses in the 10.0.0.0 address space
> >> The router interfaces are 10.0.1.1 on the internal interfaces of Router1 and
> >> Router2
> >> 192.168.10.1 on the external interface of Router1
> >> 192.168.10.254 on the Linux NAT interface facing Router1
> >> 192.168.100.254 on the Linux NAT interface facing Router2
> >> 192.168.100.1 on the external interface of Router2
> >>
> >> Could someone please assist in creating an iptables rule-set that will
> >> facilitate this configuration?
> >>
> >> Justin Backman
> > Invent the ranges Company 1 is going to see company 2 as, like 172.16.129.x
> > Invent the ranges Company 2 is going to see company 1 as, like 172.16.1.x
> > Left to right - incoming 192.168.10.254
> > Source nat C1-10.x.x.x to 172.16.1.x Dest nat 172.16.129.x to 10.x.x.x
> > Right to left - incoming 192.168.100.254
> > Source nat C2-10.x.x.x to 172.16.129.x Dest nat 172.16.1.x to 10.x.x.x
> >
> > routing on linux nat box
> > route 172.16.1.0/24 via 192.168.10.1
> > route 172.16.129.0/24 via 192.168.100.1
> >
> > I'd pick numbers other than 10.x.x.x for the mapped ranges if I wanted to
> > keep my sanity.
> 

Sorry, unless I'm looking at the guide, I switch when what happens.
So SNAT is in POSTROUTING.

I guess you'd use iproute2 advanced routing on the Linux NAT box:

ip ru add prio 1000 iif <interface from router1> table 100
ip ro add table 100 10.x.x.x/24 via 192.168.100.1

ip ru add prio 1001 iif <interface from router2> table 101
ip ro add table 101 10.x.x.x/24 via 192.168.10.1

It appears it would be almost impossible to originate a connection
without specific host routes,
and iproute2 might complain about overlapping addresses.
I've never done this.

You'll probably have to turn off source route verification:
echo "0" >/proc/sys/net/ipv4/conf/all/rp_filter
echo "0" >/proc/sys/net/ipv4/conf/default/rp_filter
and per interface, although the "all" setting usually suffices.

Regards,
Doug

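The rule set sketched across this thread, written out as an added example that is not part of Doug's or Justin's mails: a POSIX sh script that emits (or, with `apply`, runs) the main-table routes for the invented ranges, the per-ingress-interface policy routes, 1:1 NAT via the NETMAP target, and the rp_filter settings. Assumptions not in the thread: both companies use 10.1.1.0/24, eth0 faces Router1, eth1 faces Router2, and the kernel's iptables has NETMAP. The `ip rule ... iif` lookup is what resolves Justin's concern, since it is evaluated after nat/PREROUTING and so picks the next hop for the already-rewritten 10.x destination by the interface the packet came in on.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values, not in the mails:
# both companies use 10.1.1.0/24; eth0 faces Router1, eth1 faces Router2.
REAL_NET=10.1.1.0/24
C1_ALIAS=172.16.1.0/24     # how Company 2 sees Company 1
C2_ALIAS=172.16.129.0/24   # how Company 1 sees Company 2
IF_R1=eth0; GW_R1=192.168.10.1
IF_R2=eth1; GW_R2=192.168.100.1

# Emit the complete configuration as shell commands, one per line.
gen_rules() {
  cat <<EOF
# main-table routes for the invented ranges
ip route add $C1_ALIAS via $GW_R1
ip route add $C2_ALIAS via $GW_R2
# after DNAT every destination is 10.x again, so pick the next hop by the
# ingress interface (ip rule iif is evaluated after nat/PREROUTING)
ip rule add prio 1000 iif $IF_R1 table 100
ip route add table 100 $REAL_NET via $GW_R2
ip rule add prio 1001 iif $IF_R2 table 101
ip route add table 101 $REAL_NET via $GW_R1
# left to right: DNAT in PREROUTING, SNAT in POSTROUTING (1:1 via NETMAP)
iptables -t nat -A PREROUTING -i $IF_R1 -d $C2_ALIAS -j NETMAP --to $REAL_NET
iptables -t nat -A POSTROUTING -o $IF_R2 -s $REAL_NET -j NETMAP --to $C1_ALIAS
# right to left
iptables -t nat -A PREROUTING -i $IF_R2 -d $C1_ALIAS -j NETMAP --to $REAL_NET
iptables -t nat -A POSTROUTING -o $IF_R1 -s $REAL_NET -j NETMAP --to $C2_ALIAS
# 10.x sources arrive on both interfaces, so reverse-path checks must be off
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/$IF_R1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/$IF_R2/rp_filter
EOF
}

# Number of NAT rules emitted: two per direction.
nat_rule_count() { gen_rules | grep -c '^iptables -t nat'; }

# usage: ./dual-nat.sh apply   (any other invocation only prints the commands)
if [ "${1:-}" = "apply" ]; then gen_rules | sh -e; else gen_rules; fi
```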