Masquerading (NAT) with iptables and multiple public IPs

Al3c5

Hi guys,

I have a server with 1 physical interface and 2 IPs. I'd like to use 1 bridge+NAT per public IP.

I use the following /etc/network/interfaces:

Code:
# The primary network interface
# NOTE(review): both public addresses live on the same physical NIC, so every
# outbound packet from the bridges leaves through the device `eno1`. This
# matters for the `-o` matches in the NAT rules below.
auto eno1
iface eno1 inet static
        address 193.161.118.14/24
        gateway 193.161.118.1


# 2nd interface
# NOTE(review): `eno1:0` is an ifupdown alias label for a second address on
# eno1, not a separate kernel device. iptables `-o` matches the real device
# name, so rules written against `eno1:0` (see vmbr1 below) are unlikely to
# match anything — the rule's counters in `iptables -t nat -L POSTROUTING -v`
# staying at zero would confirm this.
auto eno1:0
iface eno1:0 inet static
        address 193.161.118.25/24
#        gateway 193.161.118.1




auto vmbr0
iface vmbr0 inet static
        address 10.10.10.99/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

        # Runtime toggle that lets the host route between the bridge and eno1;
        # it is re-applied on every ifup of this bridge (not a persistent sysctl).
        post-up  echo 1 > /proc/sys/net/ipv4/ip_forward
        # MASQUERADE rewrites the source to the outgoing device's own address
        # (here the primary address of eno1); to bind a subnet to a specific
        # public IP, `-j SNAT --to-source <ip>` is the explicit form.
        # The post-down rule deletes exactly this rule so ifup/ifdown cycles
        # do not accumulate duplicates.
        post-up  iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o eno1 -j MASQUERADE

auto vmbr1
iface vmbr1 inet static
        address 10.10.11.99/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

        post-up  echo 1 > /proc/sys/net/ipv4/ip_forward
        # NOTE(review): `-o eno1:0` — traffic from 10.10.11.0/24 actually
        # leaves through `eno1`, so this rule is unlikely to match; the subnet
        # would then go out with its private source address and get no
        # replies, which fits the symptom reported for this subnet. Matching
        # `-o eno1` with `-j SNAT --to-source 193.161.118.25` is the usual way
        # to tie this subnet to the second public address.
        post-up  iptables -t nat -A POSTROUTING -s '10.10.11.0/24' -o eno1:0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '10.10.11.0/24' -o eno1:0 -j MASQUERADE

Also here is my /etc/ufw/before.rules config

Code:
#NAT table rules
# NOTE(review): NAT rules are defined both here and in the post-up hooks of
# /etc/network/interfaces. The `-F POSTROUTING` below flushes the chain, so
# whenever ufw (re)loads after the interfaces are up, only the rules in this
# file remain active. Keep the two lists identical, or manage NAT in one
# place only, to avoid confusing which rule set is live.
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic through eno1 (the public-facing device)
-F POSTROUTING
-A POSTROUTING -s 10.10.10.0/24 -o eno1  -j MASQUERADE
# NOTE(review): `eno1:0` is an address alias label, not a device name that
# iptables `-o` can match, so this rule is unlikely to ever match a packet
# (check its counters with `iptables -t nat -L POSTROUTING -v`).
-A POSTROUTING -s 10.10.11.0/24 -o eno1:0  -j MASQUERADE

#setup VMs port forwarding
# NOTE(review): DNAT in PREROUTING only rewrites the destination address; the
# forwarded traffic must also be allowed in the filter FORWARD chain (e.g.
# via `ufw route allow ...`), otherwise it is still dropped there.
:PREROUTING ACCEPT [0:0]
-F PREROUTING
# NOTE(review): the *nat section must be closed by a `COMMIT` line — assumed
# to follow outside this excerpt; confirm it is present.

Subnet 10.10.10.0/24 works, while subnet 10.10.11.0/24 can't reach the internet (but it can ping any VM in 10.10.10.0/24 and 10.10.11.0/24).

I also tried adding the gateway to the alias eno1:0, with exactly the same result.

How can I solve this problem?
 
I made it work with 1 bridge:

Code:
auto vmbr0
iface vmbr0 inet static
        address 10.10.10.99/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

        # Runtime IPv4 forwarding toggle, re-applied on every ifup of this bridge.
        post-up  echo 1 > /proc/sys/net/ipv4/ip_forward
        # The single /24 bridge is split into two /29 ranges (10.10.10.0-7 and
        # 10.10.10.8-15), each pinned to its own public source address with
        # SNAT; both rules match on the real device `eno1`, which is why this
        # works where `-o eno1:0` did not.
        # NOTE(review): VMs addressed above 10.10.10.15 match neither rule and
        # would leave un-NATed. The --to-source values must be addresses that
        # are really configured on this host's eno1, or replies never arrive;
        # the 111.111.198.x values differ from the 193.161.118.x addresses
        # shown earlier in the thread — presumably redacted, verify.
        post-up  iptables -t nat -A POSTROUTING -s '10.10.10.0/29' -o eno1 -j  SNAT --to-source 111.111.198.14
        post-up  iptables -t nat -A POSTROUTING -s '10.10.10.8/29' -o eno1 -j  SNAT --to-source 111.111.198.24
        # post-down deletes exactly the two rules added above so repeated
        # ifup/ifdown cycles do not accumulate duplicate NAT entries.
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/29' -o eno1 -j  SNAT --to-source 111.111.198.14
        post-down iptables -t nat -D POSTROUTING -s '10.10.10.8/29' -o eno1 -j  SNAT --to-source 111.111.198.24

and by replacing MASQUERADE with SNAT in /etc/ufw/before.rules as well (I'm not sure it works without this change):

Code:
-F POSTROUTING

# Each /29 egresses from its own public address; these mirror the post-up
# rules in /etc/network/interfaces (the flush above removes those, so this
# file is what stays active after a ufw reload). Hosts in
# 10.10.10.16-10.10.10.254 match neither rule and would leave un-NATed.
-A POSTROUTING -s 10.10.10.0/29 -o eno1  -j SNAT --to-source 111.111.198.14
-A POSTROUTING -s 10.10.10.8/29 -o eno1  -j SNAT --to-source 111.111.198.24

-F PREROUTING
# Port forwards: TCP 11080 on each public address -> port 80 of one VM in the
# matching /29.
# NOTE(review): this publishes the VMs' port 80 to any source address that
# can reach the public IPs; DNAT does no filtering, so restrict the forwarded
# traffic in the filter FORWARD chain (e.g. `ufw route allow ...` with a
# source restriction) if it is not meant to be reachable from everywhere.
-A PREROUTING -i eno1 -d 111.111.198.14 -p tcp --dport 11080 -j DNAT --to-destination 10.10.10.1:80
-A PREROUTING -i eno1 -d 111.111.198.24 -p tcp --dport 11080 -j DNAT --to-destination 10.10.10.8:80