Re: Only using masquerading on internet facing server





Joe wrote:
> On Thu, 14 Mar 2019 09:26:06 +0100
> john doe <johndoe65534@xxxxxxxx> wrote:
>> [...]
>> By the answers in this thread, I guess I need to explain what I have
>> and what I'm trying to do.
>> 
>> [...]
>> 
>> For now both servers (a and b) are responsible for MASQUERADING the
>> networks behind them.
>> So server a MASQUERADEs 172.17.232.0/24 and server b MASQUERADEs
>> 192.168.3.0/24.
>> 
>> MASQUERADE is only needed on server a.
>> 
>> Does it help understanding what I'm trying to do?
>> 
>> I really appreciate any help/hint.
>
> If workstation c connects to a public Internet server, how does the
> reply get back to workstation c through servers a and b?
>
> It has a private address, which nothing on the Net ever sees, so how can
> a reply packet ever reach it?
> [...]
>
> So yes, you do need masquerade on both servers. For server a, to
> replace the incoming public destination address with that of server b,
> and server b to replace *that* destination address with that of the
> appropriate workstation.

This is incorrect.  He can add a routing entry to server A -- something
along the lines of:

  192.168.3.0/24 via 172.17.232.x 

The ".x" will have to be whatever IP address serverB has on the 172
network.  Once serverA knows how to get to "network_BC" (i.e.
192.168.3.0/24), serverB will no longer need to perform any NAT.

ServerA will still handle masquerade for all traffic exiting eth0 to the
internet, and the internet will be none the wiser.



-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281
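
The reply path discussed in this message, modelled as an added example that is not part of the original post: it follows one connection from workstation c through server A's masquerade and then applies a longest-prefix route lookup to the returning packet, with and without the static route. Every address except the two networks named in the thread is constructed (server B's `172.17.232.2` stands in for the ".x", the `203.0.113.0/24` addresses and the `eth1` interface name are assumptions).

```python
import ipaddress

# Constructed addresses; only 172.17.232.0/24 and 192.168.3.0/24 come from the thread.
A_PUBLIC = "203.0.113.10"       # server A, eth0 (documentation range)
A_UPSTREAM = "203.0.113.1"      # server A's default gateway
SERVER_B = "172.17.232.2"       # stand-in for server B's ".x" address
WORKSTATION_C = "192.168.3.50"

# (prefix, gateway or None when on-link, interface); eth1 is an assumed name
A_ROUTES = [
    ("0.0.0.0/0", A_UPSTREAM, "eth0"),
    ("203.0.113.0/24", None, "eth0"),
    ("172.17.232.0/24", None, "eth1"),
]
STATIC_ROUTE = ("192.168.3.0/24", SERVER_B, "eth1")


def lookup(routes, dst):
    """Longest-prefix match, the rule a routing table applies."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    _, gw, iface = max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return (gw or dst), iface


def round_trip(a_routes, b_masquerades):
    """Trace one connection from workstation c and the reply's path on server A."""
    # Source address server A sees arriving on eth1.
    seen_by_a = SERVER_B if b_masquerades else WORKSTATION_C
    # Server A masquerades on eth0 and records the original source.
    conntrack = {A_PUBLIC: seen_by_a}
    seen_by_internet = A_PUBLIC
    # The reply is addressed to A_PUBLIC; conntrack restores the destination,
    # then server A's routing table picks the next hop.
    restored_dst = conntrack[seen_by_internet]
    next_hop, iface = lookup(a_routes, restored_dst)
    delivered = (next_hop, iface) == (SERVER_B, "eth1")
    return seen_by_internet, restored_dst, next_hop, iface, delivered


if __name__ == "__main__":
    cases = {
        "NAT on A and B": (A_ROUTES, True),
        "NAT on A only, no route": (A_ROUTES, False),
        "NAT on A only, static route": (A_ROUTES + [STATIC_ROUTE], False),
    }
    for name, (routes, b_nat) in cases.items():
        print(name, round_trip(routes, b_nat))
```

In the middle case the restored destination only matches server A's default route, so the reply is sent back out eth0 and never reaches workstation c; the static route is what lets server B stop doing NAT.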