What is the correct iptables rule when NATing multiple private subnets?

Jose Mendez asked:

I have a Centos minimal 6.5 acting as a router. eth0 is connected to a Cisco switch trunk port, allowing VLANs 200-213.

I have several VLAN interfaces just as this link suggests:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-networkscripts-interfaces_802.1q-vlan-tagging.html

And have IPv4 forwarding, so all my network devices from any of the networks 200-213 can communicate with each other using this linux box as their router.

Problem is, I need them to access the Internet, so I added the following rule:

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -j SNAT --to 1.1.1.56

1.1.1.56 is the “outside” address. This works fine, devices connected to the internal networks can ping Intertnet addresses BUT, they stop being able to talk to each other across subnets, so 192.168.211.55 can ping 8.8.8.8, but can’t talk to 192.168.213.5.

As soon as I do a service iptables restart to remove the rule, I can start talking across internal subnets again.

What would be the correct way to set up NAT for multiple private subnets? Or maybe the correct way to set up forwarding?

My answer:


You also need to specify in your firewall rule the destination interface for the traffic to be NATted. Otherwise it will just attempt to NAT everything, and as you’ve seen, that doesn’t work. You should only be NATing traffic bound for the outside world.

So, let’s say that your default route for all your Internet-bound traffic goes out VLAN 200 (since you didn’t specify), a VLAN dedicated for external traffic. In that case, you’ll add -o eth0.200 to your firewall rule.

iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o eth0.200 -j SNAT --to 1.1.1.56

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.