linux iptables routing ip-forwarding masquerade
Updated Sun, 23 Oct 2022 03:00:16 GMT

Is it okay to set MASQUERADE on 2 network interfaces in a Linux server?


There is a Linux server with 3 network interfaces, eth0, eth1, eth2. IP forwarding has been turned on in this server.

  1. eth0 is connected to 10.0.1.0/24. Its IP is 10.0.1.1.
  2. eth1 is connected to 172.16.1.0/24. Its IP is 172.16.1.1. Server A can ping router C at 172.16.1.2.
  3. eth2 is connected to 192.168.1.0/24. Its IP is 192.168.1.1. Server A can ping server B at 192.168.1.2.
  4. Router C is able to route to 172.16.2.0/24 and 172.16.3.0/24.
                                          [10.0.1.0/24]
                                                |
172.16.2.0/24------|                            |
                   [C]------172.16.1.0/24------[A]------192.168.1.0/24------[B]
172.16.3.0/24------|

We have set MASQUERADE at eth0. When server B (192.168.1.2) connects to 10.0.1.0/24, IP MASQUERADE will happen at eth0.

Can we set MASQUERADE at eth1? Is it okay to set MASQUERADE on more than 1 network interface in Linux?

Solution

Yes, it's fine to have multiple MASQUERADE rules. Typically, each rule will match packets going out a specific interface, for example:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

The first rule matches packets going out eth0, while the second one matches packets going out eth1.
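As an added example (not part of the answer above), here is a small script for the topology in the question that emits one MASQUERADE rule per upstream interface (eth0 and eth1) plus matching FORWARD rules. It assumes the addresses from the question and additionally matches on the source network 192.168.1.0/24, so that only server B's network is rewritten and transit traffic between 10.0.1.0/24 and the 172.16.x.0/24 networks keeps its real source address; by default it only prints the commands for review.

```shell
#!/bin/sh
# Constructed example for server A: eth0=10.0.1.1, eth1=172.16.1.1, eth2=192.168.1.1.
# With IPT unset the commands are printed; run as root with IPT=iptables to apply them.
show() { printf 'iptables %s\n' "$*"; }
IPT="${IPT:-show}"

LAN_IF="eth2"                # interface facing server B
LAN_NET="192.168.1.0/24"     # the only network that should be masqueraded

# One MASQUERADE rule per upstream interface. Matching on both -s and -o keeps
# a rule from rewriting traffic that merely transits A (e.g. 10.0.1.0/24 ->
# 172.16.2.0/24), which a bare "-o eth1 -j MASQUERADE" would also catch.
masq_rule() {
    up_if="$1"
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$up_if" -j MASQUERADE
}

# Forward only the flows we intend to NAT, and the replies that belong to them.
forward_rules() {
    up_if="$1"
    $IPT -A FORWARD -i "$LAN_IF" -o "$up_if" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$up_if" -o "$LAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Default-deny forwarding, then the per-interface NAT and forward rules.
apply_nat() {
    $IPT -P FORWARD DROP
    for up_if in eth0 eth1; do
        masq_rule "$up_if"
        forward_rules "$up_if"
    done
}

# Self-check helper: number of MASQUERADE rules the script would install.
count_masq() {
    apply_nat | grep -c 'j MASQUERADE'
}
```

Review the printed rules first, then re-run with IPT=iptables to install them.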