Between our gateway and our LAN, we have a bridging firewall running iptables. I want to add an additional NIC into the firewall and set up a private subnet on it. Traffic from this subnet which is destined for external addresses will be NAT-ed so that it originates from the IP address configured on the bridge.
I want the firewall to route packets between our LAN and the private subnet without NATing. How can I tell iptables that if a packet from the LAN passes through the bridge and is destined for a private IP, it should send this packet out of the additional non-bridged interface?
Best Answer
We do something quite similar here. 3 subnets behind a CentOS5 "router". Basically we just have iptables set to the following 'nat' table rule:
iptables -t nat -A POSTROUTING -o <external NIC device> -j SNAT --to-source <external interface IP>
In our case, device is eth1 and the IP is 10.0.0.2 to differentiate from the Class C IP4 subnets we're still using here.
The real work is done by the routing table. If your NICs are configured properly, the routing table entries should already exist.
For instance, we have these two subnets in the routing table:
But the external traffic is handled by the default gateway line:
And traffic coming back in through the NAT is tracked by the netfilter module in the kernel and sent to its originating IP by the 'State RELATED,ESTABLISHED' line in the regular chain FORWARD in iptables:
(Note: Any neckbeard want to correct errors in this, please pop in a comment. I'd love to hear a critique.)
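As an added example (not the original question's or answer's configuration), a script that implements the layout described above: the bridge carries the LAN, the extra non-bridged NIC carries the private subnet, LAN and private-subnet traffic is forwarded without NAT, and only private-subnet traffic leaving via the bridge toward non-LAN addresses is SNAT-ed to the bridge address. The interface names (br0, eth2) and addresses are assumptions; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the original answer's configuration. Layout assumed:
#   br0  = the bridge (LAN side), bridge IP 192.168.1.1, LAN 192.168.1.0/24
#   eth2 = the added non-bridged NIC, private subnet 10.10.0.0/24
BRIDGE=br0
PRIV_IF=eth2
LAN_NET=192.168.1.0/24
PRIV_NET=10.10.0.0/24
BRIDGE_IP=192.168.1.1

# With DRY_RUN=1 every command is printed instead of executed, so the
# rule set can be reviewed (and tested) without root.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

apply_rules() {
  # The kernel must forward between interfaces at all.
  run sysctl -w net.ipv4.ip_forward=1
  # Replies for connections the firewall already tracks (the answer's
  # '-m state --state RELATED,ESTABLISHED' line in its modern spelling).
  run iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

  # LAN <-> private subnet: routed, no NAT, source addresses preserved.
  run iptables -A FORWARD -i "$BRIDGE" -o "$PRIV_IF" -s "$LAN_NET" -d "$PRIV_NET" -j ACCEPT
  run iptables -A FORWARD -i "$PRIV_IF" -o "$BRIDGE" -s "$PRIV_NET" -d "$LAN_NET" -j ACCEPT

  # Private subnet -> Internet: leaves through the bridge to the gateway.
  run iptables -A FORWARD -i "$PRIV_IF" -o "$BRIDGE" -s "$PRIV_NET" -j ACCEPT

  # SNAT only what is NOT bound for the LAN, so LAN hosts still see the
  # real 10.10.0.x source addresses; conntrack un-NATs the replies.
  run iptables -t nat -A POSTROUTING -o "$BRIDGE" -s "$PRIV_NET" ! -d "$LAN_NET" -j SNAT --to-source "$BRIDGE_IP"

  # Anything else entering or leaving the private NIC is dropped; bridged
  # LAN <-> gateway traffic never matches these rules and is left untouched.
  run iptables -A FORWARD -i "$PRIV_IF" -j DROP
  run iptables -A FORWARD -o "$PRIV_IF" -j DROP
}

case "${1:-}" in
  apply) apply_rules ;;
  show)  DRY_RUN=1; apply_rules ;;
esac
```

Run `sh fw.sh show` to review the generated commands, then `sh fw.sh apply` as root; the SNAT rule's `! -d` exclusion is what keeps LAN-to-private traffic un-NATed.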