DNAT for connecting a subnet via proxy to the internet
I want to connect a server in a subnet to the internet via a proxy-server. But I can’t ping a host on the internet (www). Actually the subnet-server and the proxy-server share a common dedicated server (virtualization with docker). There are two network-cards (eth0 for the proxy-server and t39 for the subnet-server). So the general layout goes like this:
Internet <==> 171.16.0.39 | 191.167.1.1 <==> 191.167.1.2
191.167.1.2 is the internal address of the subnet-server, while 171.16.0.39 is the external address and 191.167.1.1 is the internal address of the proxy-server.
First, I have set a static route at the subnet-server with:
ip route add 171.16.0.39 via 191.167.1.1
Question 1: Do I additionally need to explicitly define a default gateway like this?
route add default gw 191.167.1.1 eth0
Or would choosing the external address be the right approach?
Then I have set a Masquerade in iptables on the proxy-server:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Now I can ping from the subnet-server to the proxy-server. But I cannot ping from the proxy-server to the internet (for example 8.8.8.8).
To solve my problem, I also considered establishing DNAT, somewhat like this (on the proxy-server):
iptables -t nat -A PREROUTING -d 171.16.0.39 -j DNAT --to-destination 191.167.1.2
But that doesn’t solve my problems. I still cannot ping from the subnet-server to the internet.
Question 3: Do I need to configure DNAT in conjunction with the MASQUERADE to ping the internet? If so, have I chosen the wrong address?
Finally, I have heard that SNAT is not necessary in the presence of a MASQUERADE configuration.
Question 4: Is it advisable to configure SNAT, even if I have already set MASQUERADE?
I’m really confused about how to handle this. Although it seems to be a pretty common configuration, my research on Google during the last couple of days didn’t get me any closer to solving the problem.
Does anyone have some hints concerning my questions?
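The pieces a masquerading gateway needs, as an added read-only audit script that is not code from the original post: it checks IPv4 forwarding, the MASQUERADE rule, the FORWARD chain and the subnet host's default route against captured command output. Interface names and addresses are taken from the question; the `iptables -S` and `ip route` text at the bottom is constructed sample output, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original post: read-only audit of what a
# Linux masquerading gateway needs before a subnet host can reach the
# internet. Interface names and addresses (eth0 external, t39 internal,
# gateway 191.167.1.1) follow the question; the sample output is constructed.

# Arg 1: contents of /proc/sys/net/ipv4/ip_forward; must be 1.
check_ip_forward() { [ "$1" = "1" ]; }

# Arg 1: `iptables -t nat -S` output; arg 2: egress interface.
check_masquerade() {
    printf '%s\n' "$1" | grep -q -- "^-A POSTROUTING -o $2 -j MASQUERADE"
}

# Arg 1: `iptables -S` output; arg 2: internal iface; arg 3: egress iface.
# Passes if FORWARD defaults to ACCEPT, or allows subnet -> egress plus
# established/related replies back in (a DROP policy with no rules blocks both).
check_forward_chain() {
    printf '%s\n' "$1" | grep -q -- '^-P FORWARD ACCEPT' && return 0
    printf '%s\n' "$1" | grep -q -- "^-A FORWARD -i $2 -o $3 -j ACCEPT" &&
    printf '%s\n' "$1" | grep -q -- "^-A FORWARD -i $3 -o $2 .*ESTABLISHED.* -j ACCEPT"
}

# Arg 1: `ip route` output on the subnet host; arg 2: gateway address.
# A host route to the external address alone does not cover 8.8.8.8.
check_default_route() { printf '%s\n' "$1" | grep -q -- "^default via $2 "; }

# Runs all checks, prints one MISSING line per failure, returns the count.
# Args: ip_forward, nat rules, filter rules, subnet-host routes,
#       egress iface, internal iface, gateway internal address.
audit_gateway() {
    fails=0
    check_ip_forward "$1" || { echo "MISSING: net.ipv4.ip_forward=1"; fails=$((fails+1)); }
    check_masquerade "$2" "$5" || { echo "MISSING: MASQUERADE on $5"; fails=$((fails+1)); }
    check_forward_chain "$3" "$6" "$5" || { echo "MISSING: FORWARD $6->$5 + replies"; fails=$((fails+1)); }
    check_default_route "$4" "$7" || { echo "MISSING: default route via $7"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample: MASQUERADE set (as in the question), but forwarding off,
# FORWARD policy DROP, and only the host route on the subnet server.
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'
SAMPLE_FILTER='-P FORWARD DROP'
SAMPLE_ROUTES='171.16.0.39 via 191.167.1.1 dev eth0
191.167.1.0/24 dev eth0 scope link'
if audit_gateway 0 "$SAMPLE_NAT" "$SAMPLE_FILTER" "$SAMPLE_ROUTES" eth0 t39 191.167.1.1
then echo "gateway configuration complete"; else echo "$? check(s) failed"; fi
```

On a real gateway, feed it `cat /proc/sys/net/ipv4/ip_forward`, `iptables -t nat -S`, `iptables -S` and the subnet host's `ip route` instead of the sample strings.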