
I have a router (G), my desktop (D), and a laptop (L). I want to connect L to the internet via D.

G at 192.168.1.1

D: enp1s0 - 192.168.1.2/24, gw G, eno1 - 10.0.0.1/16, serves as a router for L

L: enp1s0 - 10.0.0.2, gw 10.0.0.1. Routing table at L:

netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 enp1s0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 enp1s0
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0

Packet forwarding at D enabled:

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

However, L doesn't connect to the internet:

traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  10.0.0.1 (10.0.0.1)  0.346 ms  0.339 ms *
 2  10.0.0.1 (10.0.0.1)  0.370 ms !X * *

It's obvious that L's packets can reach D, but they can go no farther.

However, L connects when I enable masquerading on D:

firewall-cmd --zone=public --add-masquerade=yes
success

Can you explain why L connects to the internet only when masquerading is enabled on D's interface (the one connected directly to L)?

Bulat M.
  • You are using another machine as a router: D acts as the router for L, so it needs to allow the traffic outbound, masquerading as D, for L's traffic. – Thomas Ward Jan 05 '17 at 17:18
  • Is there any way to pass packets transparently without altering the source of L's packets? Doesn't it mean that a gateway doesn't work without some form of NAT? I have some understanding of it, but it's not very clear, so explanations would be highly appreciated. – Bulat M. Jan 05 '17 at 18:13
  • Not really; your system needs NAT to know how to route the request back to L from D from G. The only way around this is jacking into G directly and letting it do DHCP and routing and such. – Thomas Ward Jan 05 '17 at 23:39

1 Answer


The reason you need MASQUERADE is because of the way NAT works.

Consider your router, G. It gets an IP from the Internet Service Provider. That IP address is what all systems behind the router go out to the Internet over, so all systems are masquerading as that IP address. (This is how routers work in basic residential setups.)

Your computer D, acting as a NAT gateway for your laptop, L, is bound to the same rules of how the Internet works. Ideally, what you'd be doing is having at least one internal IP address, and when it requests a resource other than the other computers in that subnet, it requires the ability to masquerade the packets from L as the internal IP address of D, in order to properly route packets through G.

This is also the case with using a computer as a VPN server; to go out to the rest of the network or specifically an external network, you need to masquerade as that server's IP address.

This is just how NAT works. The same applies to proxies, etc.

Thomas Ward
  • Could you please explain a bit "jacking into G direct and let it do dhcp and routing and such"? That is what interests me most regarding the question. – Bulat M. Jan 06 '17 at 17:42
  • @BulatM. How does D connect to G? Does it get its IP from router G dynamically? If so, it's the same concept for L: it has to plug into G if it doesn't want to masquerade as D inside the network. (This is networking 101, and the true mechanism of NAT and how it works is far too long for a post here.) – Thomas Ward Jan 06 '17 at 18:27
  • What does networking 101 mean? Searching showed me various links with different content. – Bulat M. Jan 07 '17 at 10:20
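The mechanism behind the answer, as an added example that is not part of the original question, the answer, or any tool mentioned on the page: a small Python model of the four hosts with their routing tables and NAT state. The addresses of L, D and G's LAN side come from the question; G's WAN address 203.0.113.5 and the single "INTERNET" host are constructed assumptions, NAT state is keyed by remote address only (no ports), and there is no firewall in the model. It carries a request from L to 8.8.8.8 and the reply back, and reports where the reply dies: without masquerade on D, G reverse-translates the reply to 10.0.0.2 and can only push it out its default route, where nothing knows that address; with masquerade on D, the reply is addressed to 192.168.1.2, which G can reach directly, and D translates it back to L. A third case goes beyond the page and shows the non-NAT alternative Bulat asked about: a static route on G for 10.0.0.0/16 via D, which lets replies come back without rewriting L's source address. One caveat on the traceroute in the question: the `!X` at hop 2 is an ICMP "communication administratively prohibited" sent by 10.0.0.1 itself, i.e. D's firewall rejected the forwarded probe; the model leaves that out and shows only the routing reason the answer gives.

```python
"""Toy hop-by-hop model of L -> D -> G -> Internet from the question.
Constructed: G's WAN address 203.0.113.5 and the INTERNET host.
Simplified: NAT keyed by remote address only, no ports, no firewall."""
import ipaddress
from dataclasses import dataclass, field

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)

@dataclass
class Packet:
    src: str
    dst: str

@dataclass
class Host:
    name: str
    addrs: tuple            # addresses this host accepts as its own
    routes: tuple           # (network, next-hop host name, or None if directly connected)
    forward: bool = False   # net.ipv4.ip_forward
    masq_as: str = None     # MASQUERADE source used when leaving via the default route
    nat: dict = field(default_factory=dict)   # remote address -> original inside source

def lookup(host, dst):
    """Longest-prefix match over host.routes; returns (network, next_hop) or None."""
    ip, best = ipaddress.ip_address(dst), None
    for net, next_hop in host.routes:
        network = ipaddress.ip_network(net)
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, next_hop)
    return best

def owner_of(topology, addr):
    return next((name for name, h in topology.items() if addr in h.addrs), None)

def send(topology, pkt, origin, max_hops=16):
    """Carry pkt from origin hop by hop. Returns (status, hops, packet as last seen)."""
    hops, at, originating = [origin], origin, True
    for _ in range(max_hops):
        host = topology[at]
        if not originating:
            # Reply to a flow this host masqueraded: restore the inside destination.
            if host.masq_as and pkt.dst == host.masq_as and pkt.src in host.nat:
                pkt = Packet(pkt.src, host.nat[pkt.src])
            if pkt.dst in host.addrs:
                return "delivered", hops, pkt
            if not host.forward:
                return "dropped: ip_forward=0 at " + at, hops, pkt
        route = lookup(host, pkt.dst)
        if route is None:
            return "dropped: no route at " + at, hops, pkt
        network, next_hop = route
        # MASQUERADE: rewrite a private source when the packet leaves via the default route.
        if host.masq_as and network.prefixlen == 0 and is_rfc1918(pkt.src):
            host.nat[pkt.dst] = pkt.src
            pkt = Packet(host.masq_as, pkt.dst)
        if next_hop is None:                      # directly connected: hand to the owner
            next_hop = owner_of(topology, pkt.dst)
            if next_hop is None:
                return "dropped: no such host on link from " + at, hops, pkt
        hops.append(next_hop)
        at, originating = next_hop, False
    return "dropped: hop limit", hops, pkt

def build(masquerade_on_d, route_on_g=False):
    g_routes = [("192.168.1.0/24", None), ("0.0.0.0/0", "INTERNET")]
    if route_on_g:
        g_routes.append(("10.0.0.0/16", "D"))   # non-NAT alternative: G learns the way back to L
    return {
        "L": Host("L", ("10.0.0.2",), (("10.0.0.0/24", None), ("0.0.0.0/0", "D"))),
        "D": Host("D", ("192.168.1.2", "10.0.0.1"),
                  (("192.168.1.0/24", None), ("10.0.0.0/16", None), ("0.0.0.0/0", "G")),
                  forward=True, masq_as="192.168.1.2" if masquerade_on_d else None),
        "G": Host("G", ("192.168.1.1", "203.0.113.5"), tuple(g_routes),
                  forward=True, masq_as="203.0.113.5"),   # home router NATs to its (assumed) WAN address
        "INTERNET": Host("INTERNET", ("8.8.8.8",), (("203.0.113.0/24", None),), forward=True),
    }

def round_trip(topology):
    """L sends to 8.8.8.8; the Internet host replies to whatever source address reached it."""
    req_status, req_hops, as_seen = send(topology, Packet("10.0.0.2", "8.8.8.8"), "L")
    if req_status != "delivered":
        return req_status, req_hops, None, None
    rep_status, rep_hops, _ = send(topology, Packet("8.8.8.8", as_seen.src), "INTERNET")
    return req_status, req_hops, rep_status, rep_hops

if __name__ == "__main__":
    for label, topo in (("no masquerade on D", build(False)),
                        ("masquerade on D", build(True)),
                        ("static route on G, no NAT on D", build(False, route_on_g=True))):
        print(label, "->", round_trip(topo))
```

In all three cases the request reaches 8.8.8.8; what differs is the reply. The model's third case is why, on a real network, the choice between NAT on D and a return route on G is a question of which box you are allowed to configure: a route on G keeps L's address visible end to end, while masquerading hides everything behind D as a single host.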