Iptables – NAT and iptables

iptablesnat;

I am new to iptables and NAT. But I am working on it through various material both in online and books. I have a doubt regarding NAT implementation using iptables.

Let us suppose my network scenario is as shown below.

                  linuxbox2 (10.0.0.3)
                    |
                    |
linuxbox1-------- Switch ----- INTERNET
(10.0.0.2)        (194.160.1.1)

My Linux boxes 1 & 2 connect to the internet via switch and I have only one Public IP-Address(194.160.1.1). But the communication is a bit strange. box2 does not connect directly to outerworld via switch. But it is in vlan with box1. Hence traffice from box2 goes to box1 then travels down to switch to connect to outer world. We does natting at box1

Since we try to masquerade to the same public ip-address what should be the rules in iptable.

My question might be strange but I am not able to explain it clealry …

Started a new thread with more details and outputs at

Iptables and SNAT

Best Answer

If I understand your question well, Box 2 is in a VLAN with Box 1, and Box 1 is in another VLAN as well which has access to the Internet.

Assuming the first VLAN is e.g. VLAN 100 and the second VLAN is VLAN 200, I assume you configured VLANs correctly on Box 1 and thus you have two network interfaces for the two VLANs (typically eth0.100 and eth0.200).

In this case the solution is simple, on Box 1:

iptables -t nat -A POSTROUTING -o eth0.200 -j MASQUERADE

With this command Box 1 will NAT-masquerade packets to the Internet on VLAN 200. Thus when Box 2 will send packets to Box 1 on VLAN 100, Box 1 will forward them to VLAN 200.

Make sure IP forwarding is enabled on Box 1 (sysctl -w net.ipv4.ip_forward=1).

Related Solutions

Linux – Postgresql behind firewall: Query takes too long

Some things to try:

Start off by verifying your network is behaving itself. Assuming you have managed switches, look at the interface statistics for speed/duplex mismatching or a mismatched MTU. Consider checking / replacing cabling if anything is running errors (eg: trying to run GigE over Cat5 instead of Cat5e will likely give grief).
Run some tests to prove you can get wire-speed transfers between the two machines and to the external machine; netcat, ftp or http transfers are a good start here (scp may get CPU bound, and thus, may not be the best test).
Test the same query locally on the Postgres server. If it completes in an appropriate timeframe, you know it's not the database. If it doesn't complete or takes "too long", then you have a bad query or other database problem to debug. Make sure to consider the storage I/O side of things; you may be saturating what your disks are capable of providing. Check the VMware performance graphs to confirm / deny.
Assuming that works, disable the firewall and run the same query against the postgres server from "box1". If that works, the VM->VM connectivity is likely fine.
Assuming that works, bring the firewall back up and test again. If that works, then your problem is likely external to that host, leaving the switch or the external host to debug.

Good luck.

Iptables and SNAT

Remove the three rules you have above and try adding this:

$IPTABLES -t NAT -A POSTROUTING -s 192.x.y.a -j SNAT 192.x.y.b
$IPTABLES -A FORWARD -s 192.x.y.a -J ACCEPT

And enter the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

You should also have a rule similar to the following in your firewall:

$IPTABLES -t FILTER -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That will take care of all established/related connections, instead of making a rule for each one.

Best Answer

Related Solutions

Linux – Postgresql behind firewall: Query takes too long

Iptables and SNAT

Related Topic