
I have router - G, my desktop - D, laptop - L. I want to connect L to the internet via D.

G at 192.168.1.1

D: enp1s0 - 192.168.1.2/24, gw G, eno1 - 10.0.0.1/16, serves as a router for L

L: enp1s0 - 10.0.0.2, gw 10.0.0.1. Routing tables at L:

netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG        0 0          0 enp1s0
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 enp1s0
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0

Packet forwarding at D enabled:

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

However L doesn't connect to the internet:

traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  10.0.0.1 (10.0.0.1)  0.346 ms  0.339 ms *
 2  10.0.0.1 (10.0.0.1)  0.370 ms !X * *

It's obvious that L's packets can reach D, but they can pass no farther.

However, L connects when I enable masquerading on D:

firewall-cmd --zone=public --add-masquerade=yes
success

Can you explain why L connects to the internet only when masquerading on D's interface (the one that is connected to L directly) is enabled?

1 Answer


The reason you need MASQUERADE is because of the way NAT works.

Consider your router, G. It gets an IP from the Internet Service Provider. That IP address is what all systems behind the router go out to the Internet over, so all systems are masquerading as that IP address (which is how routers work in basic residential setups).

Your computer D, acting as a NAT gateway for your laptop, L, is bound to the same rules of how the Internet works. Ideally, what you'd be doing is having at least one internal IP address, and when it requests a resource other than the other computers in that subnet, it requires the ability to masquerade the packets from L as the internal IP address of D, in order to properly route packets through G.

This is also the case with using a computer as a VPN server; to go out to the rest of the network or specifically an external network, you need to masquerade as that server's IP address.

This is just how NAT works. The same applies to proxies, etc.

Thomas Ward
  • 78,878
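The following is an added example, not code from the question or the answer above. It models the question's topology (L behind D, D behind G, G behind the ISP) with a toy conntrack table and traces one packet from L to 8.8.8.8 and its reply, once with plain forwarding on D and once with MASQUERADE on D. Addresses for L, D and G are the ones given in the question; G's public address 203.0.113.5, the port numbers and the conntrack behaviour are constructed assumptions, a simplified model of what the Linux kernel does rather than real netfilter code. It shows the point the answer makes: without source translation on D, the reply is addressed to 10.0.0.2, and G has no route back into 10.0.0.0/16. (Separately, the `!X` in the question's traceroute is the "communication administratively prohibited" ICMP reply, sent here by 10.0.0.1, i.e. D's own firewall refusing to forward the packet; the model does not attempt to reproduce that.)

```python
"""Toy model of forwarding vs. MASQUERADE for the L -> D -> G -> Internet path."""
from dataclasses import dataclass, replace
import ipaddress

# Addresses as given in the question
L_IP = "10.0.0.2"
D_OUTER_IP = "192.168.1.2"                       # D enp1s0, inside G's LAN
G_LAN = ipaddress.ip_network("192.168.1.0/24")   # the only LAN G knows about
L_NET = ipaddress.ip_network("10.0.0.0/16")      # D's eno1 network, unknown to G
INTERNET_HOST = "8.8.8.8"
G_PUBLIC_IP = "203.0.113.5"   # constructed: G's ISP-assigned address (documentation range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Masquerader:
    """Simplified model of a Linux host with ip_forward=1 and, optionally,
    MASQUERADE on its outer interface, plus a conntrack table for replies."""

    def __init__(self, outer_ip, masquerade):
        self.outer_ip = outer_ip
        self.masquerade = masquerade
        # (peer_ip, peer_port, nat_port) -> (original_src, original_sport)
        self.conntrack = {}
        self.next_port = 40000   # constructed starting port for translated flows

    def forward_out(self, pkt):
        """Packet leaving through the outer interface."""
        if not self.masquerade:
            return pkt   # forwarded untouched: the private source address goes upstream
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.conntrack[(pkt.dst, pkt.dport, nat_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outer_ip, sport=nat_port)

    def forward_in(self, pkt):
        """Reply arriving on the outer interface: undo the translation if known."""
        entry = self.conntrack.get((pkt.src, pkt.sport, pkt.dport))
        if entry is None:
            return pkt
        orig_src, orig_sport = entry
        return replace(pkt, dst=orig_src, dport=orig_sport)


def trace_round_trip(masquerade_on_d):
    """Send one packet L -> 8.8.8.8 and report where its reply ends up.

    Returns {"delivered_to": <ip or None>, "hops": [(stage, address), ...]}."""
    d = Masquerader(D_OUTER_IP, masquerade_on_d)
    g = Masquerader(G_PUBLIC_IP, masquerade=True)   # a home router always NATs
    hops = []

    pkt = Packet(L_IP, INTERNET_HOST, 51000, 53)    # constructed DNS query from L
    pkt = d.forward_out(pkt)
    hops.append(("D->G", pkt.src))
    # A stricter G might already drop a source outside its LAN (rp_filter);
    # this model lets it through to show the routing problem on the way back.
    pkt = g.forward_out(pkt)
    hops.append(("G->Internet", pkt.src))

    # The Internet host answers whatever source address it saw
    reply = Packet(INTERNET_HOST, pkt.src, 53, pkt.sport)
    reply = g.forward_in(reply)
    hops.append(("G reverse NAT", reply.dst))

    # G's routing decision: only 192.168.1.0/24 is directly connected
    if ipaddress.ip_address(reply.dst) not in G_LAN:
        hops.append(("G has no route to", reply.dst))
        return {"delivered_to": None, "hops": hops}

    reply = d.forward_in(reply)
    hops.append(("D reverse NAT", reply.dst))
    delivered = reply.dst if ipaddress.ip_address(reply.dst) in L_NET else None
    return {"delivered_to": delivered, "hops": hops}


if __name__ == "__main__":
    for masq in (False, True):
        result = trace_round_trip(masq)
        print(f"MASQUERADE on D: {masq}")
        for stage, addr in result["hops"]:
            print(f"  {stage:20} {addr}")
        print(f"  reply delivered to: {result['delivered_to']}\n")
```

Running it prints both traces: without masquerading, the reply comes back to G addressed to 10.0.0.2 and G sends it out its default route, so L never sees it; with masquerading, D's conntrack entry maps the reply back to 10.0.0.2:51000 and it is delivered.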