Next Previous Contents

6. DOUBLE NAT

6.1 Assign alias IP addresses to the eth0 interfaces of NAT BOX 1 and 2

The key to making this work is to remap the IP addresses you are interested in accessing to a different subnet. For our example, let's say we interested in communicating with address range 192.168.150.10 through 12 on Network 3.

On NAT BOX 1, create 3 new alias interfaces on eth0, e.g.

        ifconfig eth0:0 192.168.180.181 netmask 255.255.255.0
        ifconfig eth0:1 192.168.180.182 netmask 255.255.255.0
        ifconfig eth0:2 192.168.180.183 netmask 255.255.255.0

On NAT BOX 2, create 3 new alias interfaces on eth0, e.g.

        ifconfig eth0:0 10.15.15.181 netmask 255.255.255.0
        ifconfig eth0:1 10.15.15.182 netmask 255.255.255.0
        ifconfig eth0:2 10.15.15.183 netmask 255.255.255.0

6.2 Create Static NAT Mappings on NAT BOX 1

On NAT BOX 1, create 3 new mappings on eth0:

        iptables -t nat -A PREROUTING -d 192.168.180.181 -i eth0 \
                -j DNAT --to-destination 10.15.15.181
        iptables -t nat -A PREROUTING -d 192.168.181.182 -i eth0 \
                -j DNAT --to-destination 10.15.15.182
        iptables -t nat -A PREROUTING -d 192.168.181.183 -i eth0 \
                -j DNAT --to-destination 10.15.15.183

and 1 SOURCE NAT map:

        iptables -A POSTROUTING -s 192.168.150.0/255.255.255.0 \
                -d 10.15.15.0/255.255.255.0 -j SNAT -o eth1 \
                --to-source 10.15.15.1

This takes care of NAT BOX 1, and allows you to talk to NAT BOX 2.

You can test it at this point and make sure that NAT box 1 is set up. Typically ssh'ing to one of the alias addresses will allow you to login to NAT box 2 and make sure you haven't done anything silly. If this works then you are good to go.

6.3 Create Static NAT Mappings on NAT BOX 2

On NAT BOX 2, create 3 new mappings on eth0:

        iptables -t nat -A PREROUTING -d 10.15.15.181 -i eth0 \
                -j DNAT --to-destination 192.168.150.10
        iptables -t nat -A PREROUTING -d 10.15.15.182 -i eth0 \
                -j DNAT --to-destination 192.168.150.11
        iptables -t nat -A PREROUTING -d 10.15.15.183 -i eth0 \
                -j DNAT --to-destination 192.168.150.12

and 1 SOURCE NAT map to our target destinations:

        iptables -A POSTROUTING -s 10.15.15.0/24 \
                -d 192.168.150.0/24 -j SNAT -o eth1 \
                --to-source 192.168.150.252

You should now be done. Now it is possible to access 192.168.150.150 through 152 on network 3 via the addresses 192.168.180.181-183 on network 2 from network 1. I told you it was evil.


Next Previous Contents