0

I want to allow connectivity between two hosts which reside on two different networks. Each network is individually managed, so they may have conflicting IPs. My understanding is that NAT is the textbook way of doing this, so to the best of my understanding I should have a machine that has two interfaces, one on each network, like so:

Network A Network B +---------------+ 1.1.1.0 2.2.2.0 +---------------+ | | eth0 +----------+ eth1 | | | 1.1.1.1 |---------| NAT |---------| 2.2.2.2 | +---------------+ +----------+ +---------------+

So the NAT machine has eth0 connected to network A and eth1 connected to network B. Suppose that the NAT machine's IP on network A is 1.1.1.0 and on network B it's 2.2.2.0. Now, 1.1.1.1 wants to communicate with 2.2.2.2:8080 by redirecting 1.1.1.0:1111 to network B's 2.2.2.2:8080.

I believe I can do this with iptables as follows:

iptables -t NAT -A PREROUTING -i eth0 -d 1.1.1.0 --dport 1111 -j DNAT --to 2.2.2.2:8080 iptables -t NAT -A POSTROUTING -o eth1 -d 2.2.2.2 --dport 8080 -j SNAT --to-source 2.2.2.0

So far so good.

What happens, however, if the IPs on both networks are identical (as can happen since the networks are independent)? The above turns to:

Network A Network B +---------------+ 1.1.1.0 1.1.1.0 +---------------+ | | eth0 +----------+ eth1 | | | 1.1.1.1 |---------| NAT |---------| 1.1.1.1 | +---------------+ +----------+ +---------------+ iptables -t NAT -A PREROUTING -i eth0 -d 1.1.1.0 --dport 1111 -j DNAT --to 1.1.1.1:8080 iptables -t NAT -A POSTROUTING -o eth1 -d 1.1.1.1 --dport 8080 -j SNAT --to-source 1.1.1.0

If I understand the chains correctly, then when the a packet to 1.1.1.0:1111 arrives on eth0, its dest IP will be changed to 1.1.1.1. At that point, the packet has to be routed, but since 1.1.1.1 exists on both networks, how will the NAT machine know which network to route the packet to? Can I force it to route such packets through eth1? How do I set up my routing table to do that?

I suppose that the routing logic might guarantee never to route a packet back to its incoming interface, but this won't be good enough if I want to use the same NAT machine to connect network A to networks B and C (i.e. have three interfaces): in that case, the incoming interface would be eth0, and the outgoing interface can be either eth1 or eth2: how can I choose the one I want to use?

Improve this question

1 Answer 1

Reset to default
0

Your second configuration will not work when there are overlapping IP configurations on either side of the NAT. This even holds true when there is an intermediate network between the NAT(s) - e.g. two NATted networks hosting overlapping IP plans (like 192.168.1.0/24) connected across the Internet.

Improve this answer
5
  • Are you sure? This seems weird - the only thing required here is for the NAT configuration to specify the outgoing interface. It sounds like it should be possible, no? Is there a fundamental reason this can't work? Can you suggest an alternative way? Commented Aug 24, 2011 at 17:09
  • BTW, do you know how the routing decision will be made in this case? Am I guaranteed that the packet will not be routed back to the interface it was received on? I suppose I can use a single NAT machine per network (e.g. to connect A to B and C, I'll have NAT between A and B, and another NAT between A and C). Commented Aug 24, 2011 at 17:44
  • Here you go... Information here (tcpipguide.com/free/t_IPNATOverlappingTwiceNATOperation.htm) described "Overlapping" or "Twice" NAT which will support the configuration you described. It appears that at least some Cisco products support this functionality - but don't bet on the Linksys stuff. Most SOHO NAT implementations DO NOT. Commented Aug 24, 2011 at 21:14
  • @user48838 This Twice NAT thing sounds exactly like what the OP wanted to do. But how will the NAT machine know how to route the packets once you replace the destination address? Commented Aug 25, 2011 at 10:24
  • The presentation link goes into detail the required logic. Commented Aug 25, 2011 at 12:37

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.