
I have a VMware install running multiple VMs. I would like one of them to be a router/firewall to which all external IPs are connected, and run different services on the other VMs like apache, ftp, postfix ... I am a bit lost with this iptables stuff. You can see that both interfaces with external IPs have the same MAC; I could change that, not sure if it makes a difference. The provider calls them "failover IP"; I can order as many as I want.

route -n shows the following. Not sure why there is no entry for ens35?!

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         163.172.64.1    0.0.0.0         UG    0      0        0 ens33
    100.200.30.1    0.0.0.0         255.255.255.255 UH    0      0        0 ens33
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 ens34

I can reach the router with ssh from both IPs (1.2.3.240 / 11.22.33.50). After the following commands, not any longer (the other IP still works), and neither can I reach the other machine with ssh, which is the target of the exercise:

    # iptables -t nat -A PREROUTING -d 11.22.33.50 -j DNAT --to 192.168.0.250
    # iptables -t nat -A POSTROUTING -s 192.168.0.250 -j SNAT --to 11.22.33.50

Does someone see my error? As far as I understand, the above should mean that everything coming in on 11.22.33.50 is routed to the other VM, and everything the other VM sends is forwarded as if it came from 11.22.33.50.

/etc/network/interfaces of the router

auto lo
iface lo inet loopback

auto ens33
iface ens33 inet static
        address 1.2.3.240
        netmask 255.255.255.255
        broadcast 1.2.3.240
        dns-nameservers 62.210.16.6 62.210.16.7
        post-up route add 100.200.30.1 dev ens33
        post-up route add default gw 100.200.30.1
        post-down route del 100.200.30.1 dev ens33
        post-down route del default gw 100.200.30.1

auto ens34
iface ens34 inet static
        address 192.168.0.1
        netmask 255.255.255.0
        broadcast 192.168.0.255

auto ens35
iface ens35 inet static
        address 11.22.33.50
        netmask 255.255.255.255
        broadcast 11.22.33.50
        dns-nameservers 62.210.16.6 62.210.16.7
        post-up route add 100.200.30.1 dev ens33
        post-up route add default gw 100.200.30.1
        post-down route del 100.200.30.1 dev ens33
        post-down route del default gw 100.200.30.1

ifconfig of the router

ens33     Link encap:Ethernet  HWaddr 00:50:56:00:ed:e4
          inet addr:1.2.3.240  Bcast:1.2.3.240  Mask:255.255.255.255
          inet6 addr: xxx Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17467 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1154 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1124709 (1.1 MB)  TX bytes:236195 (236.1 KB)

ens34     Link encap:Ethernet  HWaddr 00:0c:29:8b:73:4c
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: xxx Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)

ens35     Link encap:Ethernet  HWaddr 00:50:56:00:ed:e4
          inet addr:11.22.33.50  Bcast:11.22.33.50  Mask:255.255.255.255
          inet6 addr: xxx Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:17461 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1124367 (1.1 MB)  TX bytes:1040 (1.0 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:11840 (11.8 KB)  TX bytes:11840 (11.8 KB)

/etc/network/interfaces of the second machine

auto lo
iface lo inet loopback

auto ens34
iface ens34 inet static
        address 192.168.0.250
        netmask 255.255.255.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        network 192.168.0.0
        dns-nameservers 62.210.16.6 62.210.16.7

ifconfig of the second machine

ens34     Link encap:Ethernet  HWaddr 00:0c:29:60:4a:1a
          inet addr:192.168.0.250  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: xxx Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:414 (414.0 B)  TX bytes:1062 (1.0 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:160 errors:0 dropped:0 overruns:0 frame:0
          TX packets:160 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:11840 (11.8 KB)  TX bytes:11840 (11.8 KB)
Ino
  • Obviously, the first thing to do is to fix the duplicate virtual MAC address. – Michael Hampton Aug 03 '16 at 20:34
  • Done. Next step? – Ino Aug 03 '16 at 21:29
  • Btw, are you sure that a duplicate virtual MAC address can cause a problem here? At the moment I have 3 VMs running with 3 different IPs and all have the same MAC and everything works fine; the provider is even explicitly supporting this scenario. Obviously this is different here as ALL IPs are on the same VM. – Ino Aug 03 '16 at 21:44

1 Answer


Looks like I am getting somewhere!!!

The key seems to be that Ubuntu has routing disabled by default.

    echo 1 > /proc/sys/net/ipv4/ip_forward

This will enable routing until a reboot.

Changing `net.ipv4.ip_forward = 0` to `1` in /etc/sysctl.conf should enable it permanently (not tested yet).

This here is a basic NAT setting, but I tested my DNAT settings and they seem to work: http://www.revsys.com/writings/quicktips/nat.html

Still not sure if I need unique MACs, but it does not really matter for the moment.

Ino
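As an added example (not code from the question or the answer above), the script below generates a complete iptables-restore ruleset for the setup described on this page: the failover IP 11.22.33.50 published to the service VM 192.168.0.250 behind ens34, with a default-drop FORWARD chain that the question's two nat rules alone do not provide. The published TCP ports (80 and 21) are an assumption; DNAT is limited to those ports so that SSH to the router on the public IP is not captured as well, and nothing is applied to the system until the output is fed to iptables-restore.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset for a router VM that
# publishes a failover IP to one internal service VM. Assumed values:
PUB_IP=11.22.33.50       # failover IP on the router (from the question)
INT_IP=192.168.0.250     # service VM on the internal network
INT_IF=ens34             # router interface facing 192.168.0.0/24
PORTS="80 21"            # TCP services to publish (assumption)

nat_ruleset() {
    # $1 public IP, $2 internal IP, $3 internal interface, $4 TCP ports
    pub=$1; int=$2; iif=$3; ports=$4
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    for p in $ports; do
        # Only the published ports are redirected, so a bare "-d $pub"
        # rule no longer swallows SSH (or anything else) aimed at the router.
        echo "-A PREROUTING -d $pub -p tcp --dport $p -j DNAT --to-destination $int:$p"
    done
    # Traffic the service VM originates leaves with the failover IP as
    # source; replies to DNAT'd connections are un-NATed by conntrack.
    echo "-A POSTROUTING -s $int ! -o $iif -j SNAT --to-source $pub"
    echo 'COMMIT'
    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        echo "-A FORWARD -d $int -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Let the service VM open outbound connections (updates, DNS lookups).
    echo "-A FORWARD -i $iif -s $int -m conntrack --ctstate NEW -j ACCEPT"
    echo 'COMMIT'
}

# Number of DNAT rules in the generated ruleset (one per published port).
dnat_rule_count() {
    nat_ruleset "$@" | grep -c -- '-j DNAT'
}

# Without IP forwarding the FORWARD chain is never reached (the answer's
# point); returns success only when the kernel currently forwards.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

nat_ruleset "$PUB_IP" "$INT_IP" "$INT_IF" "$PORTS"
```

Apply with `nat_ruleset ... | iptables-restore` after `forwarding_enabled` succeeds, and keep `net.ipv4.ip_forward = 1` in /etc/sysctl.conf so the setting survives a reboot.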