Re: Only using masquerading on internet facing server
- Date: Thu, 14 Mar 2019 10:49:35 -0000 (UTC)
- From: Dan Purgert <dan@xxxxxxxx>
- Subject: Re: Only using masquerading on internet facing server
> On Thu, 14 Mar 2019 09:26:06 +0100
> john doe <johndoe65534@xxxxxxxx> wrote:
>> By the answers in this thread, I guess I need to explain what I have
>> and what I'm trying to do.
>> For now both servers (a and b) are responsible for MASQUERADING the
>> networks behind them.
>> So server a MASQUERADEs 172.17.232.0/24 and server b MASQUERADEs
>> MASQUERADE is only needed on server a.
>> Does it help understanding what I'm trying to do?
>> I really appreciate any help/hint.
> If workstation c connects to a public Internet server, how does the
> reply get back to workstation c through servers a and b?
> It has a private address, which nothing on the Net ever sees, so how can
> a reply packet ever reach it?
> So yes, you do need masquerade on both servers. For server a, to
> replace the incoming public destination address with that of server b,
> and server b to replace *that* destination address with that of the
> appropriate workstation.
This is incorrect. He can add a routing entry to server A -- something
along the lines of:
192.168.3.0/24 via 172.17.232.x
The ".x" will have to be whatever IP address serverB has on the 172
network. Once serverA knows how to get to "network_BC" (i.e.
192.168.3.0/24), serverB will no longer need to perform any NAT.
ServerA will still handle masquerade for all traffic exiting eth0 to the
internet, and the internet will be none the wiser.
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5 4AEE 8E11 DDF3 1279 A281
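
The change described in the reply above, written out as a dry-run planner. This is an added example, not part of the original message: it prints the commands for both servers so they can be reviewed before anything is changed. The interface name on server B, the function names and the .10 test host are assumptions; the networks and server A's eth0 come from the thread.

```shell
#!/bin/sh
# Dry-run planner: prints commands for review, changes nothing itself.
NET_AB_PREFIX="172.17.232"   # thread: 172.17.232.0/24 sits between servers A and B
NET_BC="192.168.3.0/24"      # thread: network behind server B
A_WAN_IF="eth0"              # thread: server A's internet-facing interface
B_UPLINK_IF="eth0"           # ASSUMPTION: server B's interface toward server A

# Succeeds only if $1 is a host address (.1-.254) inside 172.17.232.0/24.
valid_next_hop() {
    case "$1" in
        "$NET_AB_PREFIX".*) last=${1#"$NET_AB_PREFIX".} ;;
        *) return 1 ;;
    esac
    case "$last" in
        ''|*[!0-9]*|????*) return 1 ;;
    esac
    [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

# Server A: add the return route, then check that MASQUERADE on eth0 exists.
plan_server_a() {
    valid_next_hop "$1" || { echo "next hop must be in $NET_AB_PREFIX.0/24" >&2; return 1; }
    echo "ip route add $NET_BC via $1"
    # A rule restricted with '-s 172.17.232.0/24' would stop matching once B
    # forwards 192.168.3.x sources unchanged; this checks the unrestricted rule.
    echo "iptables -t nat -C POSTROUTING -o $A_WAN_IF -j MASQUERADE"
    echo "ip route get ${NET_BC%.0/24}.10   # constructed host; expect 'via $1'"
}

# Server B: keep forwarding, drop its own NAT (the -D must match the rule as added).
plan_server_b() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -D POSTROUTING -o $B_UPLINK_IF -j MASQUERADE"
}

# Usage: sh plan.sh <serverB address on the 172.17.232.0/24 network>
if [ "$#" -ge 1 ]; then
    plan_server_a "$1" && plan_server_b
fi
```

Once server B stops translating, server A sees the real 192.168.3.x source addresses, so any FORWARD or logging rules on A that assumed only 172.17.232.0/24 sources need the same review as the masquerade rule.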