Exposing private network ip

Question

I have the following setup:

Box A
eth0 - 192.168.1.101
eth1 - 10.10.2.1

Box B
eth0 - 10.10.2.2

Box A has internet access through eth0. I want Box B to be visible on the 192.168.1.0/24 network, so I can ssh to it directly from another box, but Box A must also be available.

I thought about creating a virtual ip to eth0 on Box A and then forward all traffic to Box B with

ifconfig eth0:0 192.168.1.102

iptables -t nat -A PREROUTING -i eth0:0 -j DNAT --to-destination 10.10.2.2

but that doesn't seem to work.

Also ip forwarding is enabled and Box B has internet access with

 iptables -t nat -A POSTROUTING -j MASQUERADE

I am by no means a expert in iptables, but isnt it suppose to be like this "iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.10.2.2" — Sarge, Apr 30 '15 at 17:15
Why not use a router? How are you connecting your other systems? — Hyppy, Apr 30 '15 at 18:05
The router connects the 192.168.1.0/24 network to the internet, and box A is connected to this network. @Sarge I want to forward all the traffic, not just the ssh port. — sidj9n, Apr 30 '15 at 18:14
Have you tried `iptables -t nat -A PREROUTING -d 192.168.1.102 -j DNAT --to-destination 10.10.2.2`? That is, matching the traffic by destination address rather than interface alias? I don't think you can match an interface alias that way. — MadHatter, May 01 '15 at 07:40
@MadHatter Thanks, that also worked. I also added `iptables -t nat -A POSTROUTING -j MASQUERADE` on Box A. — sidj9n, May 01 '15 at 12:11

score 1 · Accepted Answer · answered Apr 30 '15 at 22:47

I would approach this by adding a static route on the default gateway in 192.168.1.0/24 network, which would say that all packets to 10.10.2.0/24 network would be routed via 192.168.1.101 node.

Then, you would need to enable IP forwarding on 192.168.1.101.

Then, you would also need to add route to 192.168.1.0/24 via 10.10.2.1 on Box B.

This way you can use the 10.10.2.x and 192.168.1.x addresses in both networks and all traffic would be routed between the networks.

score 0 · Answer 2 · answered May 01 '15 at 16:50

0

You cannot use a virtual interface as the argument to -i. The trick instead is to use the destination address:

iptables -t nat -A PREROUTING -d 192.168.1.102 -j DNAT --to-destination 10.10.2.2

answered May 01 '15 at 16:50

MadHatter

79,770
20
184
232

Exposing private network ip

2 Answers2