[CentOS] IPv4 'leaks out onto WAN.

Fri Jun 7 22:31:52 UTC 2013
Peter Brady <subscriptions at simonplace.net>

On 8/06/13 5:03 AM, James B. Byrne wrote:


> Presently we masquerade in a NAT POSTROUTING chain
> which handles the internal hosts seeking addresses on the WAN. 
> However, I am unsure of how to handle the gateway itself.  Is this
> situation best handled by a permanent route reflecting 192.168 to eth1
> only?  Or, is it handled better by an addition to the OUTPUT chain in
> the NAT IPTable?  Or, is the best method something else entirely of
> which I am unaware?

If I recall correctly you would have to have the appropriate routes set
up, namely:

-Default to the WAN interface, which I assume is dynamic because you are
-static to the network/s on and behind eth1
-static to the network/s on and behind eth1:192071
-static routes back to the gateway from any routers behind the internal

then wouldn't the gateway just handle itself.  Masquerading is source
NAT to a dynamic interface therefore all packet mangling is done after
the routing.  Hence, a packet that originates from within the gateway
heading out would bypass the routing chain and use the static routes
to try to exit via the WAN interface and then get caught via the
POSTROUTING rule and be handled by that chain.  Then if it exited
through the WAN interface:

-the world sees it as originating from that interface
-there is a NAT translation left in place so packets coming back would
be mangled back to the correct source.

Alternatively, if the packet originates from the gateway to head
internally it would, again, bypass the routing chain and use the static
routes to decide which interface to exit on.  There would be no NAT
translation left in place because the rules would only apply for
incoming packets looking to exit via the WAN and only remain in place
for the translations they have set up.  Also there would be no need for
NAT as all the internal addresses are routeable as far as a packet that
originates from the gateway is concerned.

A +1 for adding MAC addresses.  I've come across a couple of switches
that prefer multiple MAC addresses for cloned, aliased and tagged
interfaces.  Test and see what you need.


Peter Brady
Email: pdbrady at ans.com.au
Skype: pbrady77
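As an added illustration, not part of Peter's reply or of anything posted to the CentOS list, the following Python model walks through the order he describes: the route lookup happens first, and only then does the nat POSTROUTING chain see the packet, so a MASQUERADE rule matched on the WAN interface never touches traffic the gateway sends into its own internal network. The interface name eth0 for the WAN side, the addresses (documentation ranges), the ports and the conntrack layout are all constructed assumptions; this is a model of the behaviour, not kernel or iptables code.

```python
"""Toy model of the path described in the reply: routing decision first, then
the nat POSTROUTING chain, for both forwarded and locally generated packets.
All addresses, interface names and ports here are constructed, not from the
thread.  eth0 is assumed to be the dynamic WAN link, eth1 the internal side."""
import ipaddress

WAN_IF = "eth0"                                     # assumed WAN interface
IF_ADDR = {                                         # constructed interface addresses
    "eth0": ipaddress.ip_address("203.0.113.7"),    # what the dynamic link handed out
    "eth1": ipaddress.ip_address("192.168.1.1"),
}
# Static route to the network(s) behind eth1 plus a default via the WAN link.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/16"), "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
]
# Conntrack-style NAT table: original (src, sport, dst, dport) -> (new src, sport)
CONNTRACK = {}


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, dev) for net, dev in ROUTES if dst in net]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches)[1]


def nat_postrouting(src, sport, dst, dport, out_if):
    """Stands in for 'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE':
    evaluated after routing, and only for packets leaving the WAN interface."""
    if out_if != WAN_IF:
        return src, sport                           # internal-bound traffic untouched
    new_src = IF_ADDR[out_if]                       # MASQUERADE = current WAN address
    CONNTRACK[(src, sport, dst, dport)] = (new_src, sport)
    return new_src, sport


def send(dst, dport, src=None, sport=40000):
    """Emit one packet.  src=None means the gateway itself originated it, so the
    source address is the egress interface's own address, chosen after routing."""
    dst = ipaddress.ip_address(dst)
    out_if = route_lookup(dst)
    orig_src = IF_ADDR[out_if] if src is None else ipaddress.ip_address(src)
    wire_src, _ = nat_postrouting(orig_src, sport, dst, dport, out_if)
    return {
        "out_if": out_if,
        "wire_src": str(wire_src),                  # what the far end sees
        "translated": wire_src != orig_src,         # did NAT actually rewrite it?
    }


def receive_reply(src, sport, dst, dport):
    """Inbound packet on the WAN side: undo the translation if conntrack has one."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for (o_src, o_sport, o_dst, o_dport), (n_src, n_sport) in CONNTRACK.items():
        if (o_dst, o_dport, n_src, n_sport) == (src, sport, dst, dport):
            return str(o_src), o_sport              # mangled back to the real host
    return str(dst), dport                          # no mapping: deliver as addressed


def scenarios():
    """The three cases from the reply, plus the return path for the first one."""
    CONNTRACK.clear()
    results = {
        # internal host behind eth1 going to the WAN: forwarded and masqueraded
        "lan_to_wan": send("198.51.100.9", 443, src="192.168.1.50", sport=51000),
        # the gateway itself going to the WAN: exits eth0 already as the WAN address
        "gw_to_wan": send("198.51.100.9", 443, sport=52000),
        # the gateway talking to an internal host: routed out eth1, no NAT
        "gw_to_lan": send("192.168.1.50", 22, sport=53000),
    }
    # answer from the WAN host arrives addressed to the WAN interface
    results["reply_to_lan_host"] = receive_reply("198.51.100.9", 443,
                                                 "203.0.113.7", 51000)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:18} {outcome}")
```

The point to check on a real box is the same one the model makes: the MASQUERADE rule carries `-o <wan interface>`, so `ip route get <internal address>` showing `dev eth1` is enough to know gateway-originated traffic to the internal side never reaches that rule, while a conntrack entry appears only for flows that actually left via the WAN link.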
