Web lists-archives.com

Re: Only using masquerading on internet facing server

On Thu, 14 Mar 2019 09:26:06 +0100
john doe <johndoe65534@xxxxxxxx> wrote:

> On 3/13/2019 1:39 PM, Stefan Monnier wrote:
> >> Ip range on server a:
> >> IP range on server b:  
> >
> > That's very vague.
> > But I'll assume that your "server b" has an address 172.17.232.NN
> > on one network interface and on another.
> >  
> >> If I enable MASQUERADING on server b everything works as expected
> >> but as soon as I disabled MASQUERADING on server b the hosts
> >> behind it don't have internet access for example.
> >> What do I need to do on server a to properly MASQUERADE server b?  
> >
> > My guess is that on "server a" you have not setup routing so as to
> > send all the packets to "server b".
> >
> > IOW on "server a" you need to do something like
> >
> >     route add -net gw 172.17.232.NN
> >
> >  
> Thanks to anyone who has contributed to this question.
> By the answers in this thread, I guess I need to explane what I have
> and what I'm trying to do.
> Server a and server b are identical, server a is the internet facing
> server which has one network behind it (eth1 and eth0
> is the interface connected to the internet), server b is behind
> server a and connected using the eth0 interface.
> Server b is behind server a and is connected to server a through eth0,
> server b has one network behind it (eth1
> For now both server (a and b) are responsible for MASQUERADING the
> networks behind them.
> So server a MASQUERADEs and server b MASQUERADEs
> MASQUERADE is only needed on server a.
> Does it help understanding what I'm trying to do?
> I really appriciate any help/hint.

If workstation c connects to a public Internet server, how does the
reply get back to workstation c through servers a and b?

It has a private address, which nothing on the Net ever sees, so how can
a reply packet ever reach it?

The answer is that for both masquerading and stateful firewall
functioning, a router (and both of your servers are routers) must keep
a list of outgoing connections, and use it to process return packets for
the sending internal computer. The firewall lets the appropriate packets
in, the masquerade deals with the routing. Incoming replies leaving
server a will all have a destination address of server b. How is server
b to know what destination address to change it to? 

So yes, you do need masquerade on both servers. For server a, to
replace the incoming public destination address with that of server b,
and server b to replace *that* destination address with that of the
appropriate workstation.

I've always run like that, my router does masquerading and so does my
separate firewall. As far as I know, that doesn't stop any protocol
from passing through, though some (like ftp) need extra kernel modules
to associate two or more protocols or ports.