0

I have two servers, and server_1 is connected to the INTERNET port (of the server farm) at eth0. No switch. They are connected with a cable from (server_1)eth1 -> (server_2)eth0:

ifconfig of (server_1):
eth0    inet addr:199.203.51.24
eth0:1  inet addr:212.235.19.200
eth1    inet addr:10.0.0.1

ifconfig of (server_2):
eth0    inet addr:10.0.0.2

I want to connect server_2 to the internet through server_1, and get it a static IP address from the gateway at (server_1)eth0.

I tried using iptables at (server_2) like this:

iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.2 -j SNAT --to-source 212.235.19.203
iptables -t nat -A PREROUTING -d 212.235.19.203 -j DNAT --to-destination 10.0.0.2

where the masking IP is 212.235.19.203. That works fine for the outside world, but!! inside server_2, trying to ping 212.235.19.203 doesn't work!

HBruijn
shlomi
    That sounds like the common problem called hairpin NAT, [this answer](http://serverfault.com/questions/495823/nat-port-forwarding-with-iptables-firewall/496262#496262) might help. – HBruijn Jul 23 '14 at 12:38
  • Don't use MASQUERADE if your server has a static IP. – hookenz Nov 26 '14 at 19:17

2 Answers

1

Your iptables rules are broken in multiple ways. First of all, your POSTROUTING chain has two rules, but the first one matches every packet, so the second rule is never used.

Secondly, your SNAT and MASQUERADE rules should only be applied to packets leaving on eth0.

But since 212.235.19.203 is allocated to just one machine, you may be better off not using NAT at all.

An alternative solution is that you let the host currently assigned 10.0.0.2 actually have 212.235.19.203 assigned to the physical network interface (with netmask 255.255.255.255). The gateway needs a static route indicating that 212.235.19.203/32 is locally connected on eth1. Additionally, you can turn on proxy_arp on eth0.

With that combination you'll have the IP address truly routed to the intended host, which will make everything work better. You can avoid NAT rules for that IP, and you can still filter traffic in the FORWARD chain if you want firewalling.

kasperd
0

I suppose you tried the iptables rules on (server_1) rather than on (server_2), as you said.

The problem here is that (server_2) doesn't know that it has to answer packets whose destination is 212.235.19.203.

One possible solution is to use the following on (server_2):

iptables -t nat -I PREROUTING -d 212.235.19.203 -j REDIRECT