Re: Only using masquerading on internet facing server

To: debian-user@lists.debian.org
Subject: Re: Only using masquerading on internet facing server
From: Dan Purgert <dan@djph.net>
Date: Thu, 14 Mar 2019 10:49:35 -0000 (UTC)
Message-id: <[🔎] slrnq8kcdu.n0k.dan@djph.net>
References: <[🔎] 3dc79f95-2ddc-814b-afa6-8e5e81ac22cc@mail.com> <[🔎] jwvd0mveyvo.fsf-monnier+gmane.linux.debian.user@gnu.org> <[🔎] 19d293e5-5b4d-310a-784d-8f07d22f7fd5@mail.com> <[🔎] 20190314091123.0d317f87@jresid.jretrading.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Joe wrote:
> On Thu, 14 Mar 2019 09:26:06 +0100
> john doe <johndoe65534@mail.com> wrote:
>> [...]
>> By the answers in this thread, I guess I need to explane what I have
>> and what I'm trying to do.
>> 
>> [...]
>> 
>> For now both server (a and b) are responsible for MASQUERADING the
>> networks behind them.
>> So server a MASQUERADEs 172.17.232.0/24 and server b MASQUERADEs
>> 192.168.3.0/24.
>> 
>> MASQUERADE is only needed on server a.
>> 
>> Does it help understanding what I'm trying to do?
>> 
>> I really appriciate any help/hint.
>
> If workstation c connects to a public Internet server, how does the
> reply get back to workstation c through servers a and b?
>
> It has a private address, which nothing on the Net ever sees, so how can
> a reply packet ever reach it?
> [...]
>
> So yes, you do need masquerade on both servers. For server a, to
> replace the incoming public destination address with that of server b,
> and server b to replace *that* destination address with that of the
> appropriate workstation.

This is incorrect.  He can add a routing entry to server A -- something
along the lines of:

  192.168.3.0/24 via 172.17.232.x 

The ".x" will have to be whatever IP address serverB has on the 172
network.  Once serverA knows how to get to "network_BC" (i.e.
192.168.3.0/24), serverB will no longer need to perform any NAT.

ServerA will still handle masquerade for all traffic exiting eth0 to the
internet, and the internet will be none the wiser.


-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEBcqaUD8uEzVNxUrujhHd8xJ5ooEFAlyKMb4ACgkQjhHd8xJ5
ooGGDQgAm+if7k3nGVaz2axefl7gGSqXuDut0A/3NnPJGQD18SaF7BV6pm21OypM
fPjxGvu044RQo1YmEPUWpgyz7uj7IRMaLpr5EkbceMsTPOyLTMBcSSjuPURJpTko
UdH7VwUo+gkzqV3uhTqgzYaUngfq80qTt2NHJQrUIzvNrWg3tjO4ccFJn6U3h40K
Mnb4+u4AM9G9857O7RuXHqkkXeQ2nMqKY+2BpL0+10qsP6TdrlQFj/M2VOoxtNgI
/tokgvps1DC7XTu1JbDtY0u+7WugTTAaer2ZKSMuNpDtE/2+qADjFuP/XQuRjTQ+
vQj9SmzNN4+HC23unSzNU7LMNsB7+g==
=bcsD
-----END PGP SIGNATURE-----

-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281

Reply to:

References:
- Only using masquerading on internet facing server
  - From: john doe <johndoe65534@mail.com>
- Re: Only using masquerading on internet facing server
  - From: Stefan Monnier <monnier@iro.umontreal.ca>
- Re: Only using masquerading on internet facing server
  - From: john doe <johndoe65534@mail.com>
- Re: Only using masquerading on internet facing server
  - From: Joe <joe@jretrading.com>

Prev by Date: Re: Only using masquerading on internet facing server
Next by Date: Re: Only using masquerading on internet facing server
Previous by thread: Re: Only using masquerading on internet facing server
Next by thread: Re: Only using masquerading on internet facing server
Index(es):
- Date
- Thread