
Re: Only using masquerading on internet facing server


Joe wrote:
> On Thu, 14 Mar 2019 09:26:06 +0100
> john doe <johndoe65534@xxxxxxxx> wrote:
>> [...]
>> By the answers in this thread, I guess I need to explain what I have
>> and what I'm trying to do.
>> [...]
>> For now both servers (a and b) are responsible for MASQUERADING the
>> networks behind them.
>> So server a MASQUERADEs and server b MASQUERADEs
>> MASQUERADE is only needed on server a.
>> Does it help understanding what I'm trying to do?
>> I really appreciate any help/hint.
> If workstation c connects to a public Internet server, how does the
> reply get back to workstation c through servers a and b?
> It has a private address, which nothing on the Net ever sees, so how can
> a reply packet ever reach it?
> [...]
> So yes, you do need masquerade on both servers. For server a, to
> replace the incoming public destination address with that of server b,
> and server b to replace *that* destination address with that of the
> appropriate workstation.

This is incorrect.  He can add a routing entry to server A -- something
along the lines of: via 172.17.232.x 

The ".x" will have to be whatever IP address serverB has on the 172
network.  Once serverA knows how to get to "network_BC" (i.e., serverB will no longer need to perform any NAT.

ServerA will still handle masquerade for all traffic exiting eth0 to the
internet, and the internet will be none the wiser.



|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281
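The following is an added example, not code from any of the posts above, that simulates the two setups the thread argues about: masquerade on both servers, versus masquerade on server A only plus a route on A for the network behind server B. Every address, interface name and the "network_BC" prefix (192.168.10.0/24) are assumptions chosen to match the description; server B's 172 address is taken as 172.17.232.2 for the ".x". The simulation models longest-prefix routing, MASQUERADE with a conntrack table that un-NATs replies, and Linux strict reverse-path filtering, so it also shows what happens when B stops NATing but the route on A is missing.

```python
"""Simulate the two-hop NAT question from the thread (added example, not code
from the original posts).  Addresses and interface names are assumptions:

  inet      203.0.113.10 (a public host) and 198.51.100.254 (server A's gateway)
  serverA   eth0 198.51.100.1 (public, MASQUERADE), eth1 172.17.232.1
  serverB   eth0 172.17.232.2,                      eth1 192.168.10.1
  wsC       192.168.10.20 on "network_BC" = 192.168.10.0/24 behind server B
"""
import ipaddress


class Box:
    def __init__(self, name, addrs, routes, masq=(), rp_filter=True):
        self.name = name
        self.addrs = addrs                       # iface -> address
        # (prefix, iface, next_hop); next_hop None means directly connected
        self.routes = [(ipaddress.ip_network(p), i, nh) for p, i, nh in routes]
        self.masq = set(masq)                    # interfaces carrying a MASQUERADE rule
        self.rp_filter = rp_filter               # strict reverse-path filtering (rp_filter=1)
        self.conntrack = {}                      # (remote, masqueraded_src) -> original_src

    def route(self, dst):
        """Longest-prefix match; None when nothing matches."""
        hits = [r for r in self.routes if ipaddress.ip_address(dst) in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def ingress_iface(self, prev_addr):
        """Interface whose directly connected subnet contains the previous hop."""
        for net, iface, nh in self.routes:
            if nh is None and ipaddress.ip_address(prev_addr) in net:
                return iface
        return None


def send(owner, src, dst):
    """Forward one packet hop by hop.  Returns (status, trace)."""
    box, in_iface, trace = owner[src], None, []
    while True:
        if in_iface and box.rp_filter:           # forwarded packet: source must route back out in_iface
            r = box.route(src)
            if r is None or r[1] != in_iface:
                return f"dropped by rp_filter on {box.name} {in_iface}", trace
        orig = box.conntrack.get((src, dst))     # reply to a masqueraded flow: undo the SNAT
        if orig:
            trace.append(f"{box.name}: de-NAT {dst} -> {orig}")
            dst = orig
        if dst in box.addrs.values():
            trace.append(f"{box.name}: delivered {src} -> {dst}")
            return f"delivered to {box.name}", trace
        r = box.route(dst)
        if r is None:
            return f"no route to {dst} on {box.name}", trace
        _, out_iface, next_hop = r
        # MASQUERADE applies to new flows only; an established reply keeps its addresses
        if out_iface in box.masq and orig is None:
            new_src = box.addrs[out_iface]
            box.conntrack[(dst, new_src)] = src
            trace.append(f"{box.name}: SNAT {src} -> {new_src} on {out_iface}")
            src = new_src
        hop = next_hop or dst
        if hop not in owner:
            return f"next hop {hop} unreachable from {box.name}", trace
        prev, box = box, owner[hop]
        in_iface = box.ingress_iface(prev.addrs[out_iface])
        trace.append(f"{prev.name} -> {box.name} via {out_iface}")


def build(route_on_a, masq_on_b, rp_filter_a=True):
    inet = Box("inet", {"eth0": "203.0.113.10", "eth1": "198.51.100.254"},
               [("198.51.100.0/24", "eth1", None)], rp_filter=False)
    a_routes = [("0.0.0.0/0", "eth0", "198.51.100.254"),
                ("198.51.100.0/24", "eth0", None), ("172.17.232.0/24", "eth1", None)]
    if route_on_a:                               # the route the reply proposes: network_BC via server B
        a_routes.append(("192.168.10.0/24", "eth1", "172.17.232.2"))
    a = Box("serverA", {"eth0": "198.51.100.1", "eth1": "172.17.232.1"},
            a_routes, masq=["eth0"], rp_filter=rp_filter_a)
    b = Box("serverB", {"eth0": "172.17.232.2", "eth1": "192.168.10.1"},
            [("0.0.0.0/0", "eth0", "172.17.232.1"), ("172.17.232.0/24", "eth0", None),
             ("192.168.10.0/24", "eth1", None)], masq=["eth0"] if masq_on_b else [])
    c = Box("wsC", {"eth0": "192.168.10.20"},
            [("0.0.0.0/0", "eth0", "192.168.10.1"), ("192.168.10.0/24", "eth0", None)])
    return {ip: bx for bx in (inet, a, b, c) for ip in bx.addrs.values()}


def scenario(route_on_a, masq_on_b, rp_filter_a=True):
    """Workstation C sends to the public host and the host replies.
    Returns (request_status, reply_status, number_of_SNATs, trace)."""
    owner = build(route_on_a, masq_on_b, rp_filter_a)
    req, trace = send(owner, "192.168.10.20", "203.0.113.10")
    rep, rtrace = send(owner, "203.0.113.10", "198.51.100.1")
    trace += rtrace
    return req, rep, sum("SNAT" in line for line in trace), trace


if __name__ == "__main__":
    for label, args in [("masquerade on both (thread's current setup)", (False, True)),
                        ("route on A, no NAT on B (the reply's proposal)", (True, False)),
                        ("no NAT on B and no route on A", (False, False)),
                        ("same, with rp_filter off on A", (False, False, False))]:
        req, rep, nats, trace = scenario(*args)
        print(f"{label}: request={req}, reply={rep}, SNATs={nats}")
        for line in trace:
            print("   ", line)
```

The first two scenarios both deliver the reply to the workstation; the difference is that the reply's proposal does it with one SNAT instead of two, because server A de-NATs the reply to the workstation's private address and then has a route for it via server B. The third scenario is the practical caveat: with Linux strict reverse-path filtering (net.ipv4.conf.<iface>.rp_filter=1) on server A, the workstation's packets are dropped at A's inside interface as soon as B stops NATing and before the route exists, since A's best route to 192.168.10.x is its default route out eth0. With rp_filter off the request gets out, but the de-NATted reply is sent to A's default gateway with a private destination, which is the failure Joe describes.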