(duplicate question from AskUbuntu) I have the following network diagram:
192.168.0.0/24 network with 4 web servers (.1, .2, .3, .4). There are two Ubuntu 14.04 machines (VM1 and VM2) in it. They both have two physical interfaces (eth0 and eth1), and an L2TP Ethernet tunnel configured this way:
root@vm1:~# modprobe l2tp_eth
root@vm1:~# ip l2tp add tunnel tunnel_id 1000 peer_tunnel_id 2000 encap udp local 10.0.0.1 remote 10.0.1.1 udp_sport 6000 udp_dport 5000
root@vm1:~# ip l2tp add session tunnel_id 1000 session_id 3000 peer_session_id 4000
root@vm2:~# modprobe l2tp_eth
root@vm2:~# ip l2tp add tunnel tunnel_id 2000 peer_tunnel_id 1000 encap udp local 10.0.1.1 remote 10.0.0.1 udp_sport 5000 udp_dport 6000
root@vm2:~# ip l2tp add session tunnel_id 2000 session_id 4000 peer_session_id 3000
On every VM I have a bridge configured between eth1 (connected to the 192.168.0.0 net) and the l2tpeth0 interface (the tunnel). In /etc/network/interfaces of VM2:
auto l2tp
iface l2tp inet static
address 192.168.0.6
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
bridge_ports l2tpeth0 eth1
bridge_stp off
bridge_fd 0
bridge_maxwait 0
Now a server at 192.168.0.5 sends a packet to the remote address 172.0.0.1. Its path is shown with the orange dotted line (it gets captured by the bridge and sent via the tunnel). My task is to make it follow the blue dotted path: get NATted on VM1 and go out through the eth1 interface. On VM2 I have a simple NAT configured:
iptables -t nat -A POSTROUTING -o eth0 -j LOG
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
But it doesn't help: I don't see the packets in question in /var/log/syslog (there are some others though).
Just in case:
root@vm2:~# cat /proc/sys/net/bridge/bridge-nf-call-iptables
1
root@vm2:~# cat /proc/sys/net/ipv4/ip_forward
1
So the question is: how do I NAT only packets destined to certain destinations? I'm okay with, for example, traffic from 192.168.0.4 to 192.168.0.1 using the tunnel and not getting NATted (that's why I have the tunnel in the first place).
The solution was very simple. The configuration shown was OK. But the 192.168.0.5 and .6 VMs were not using the configured gateway 192.168.0.6 and sent L2 frames to 192.168.0.254, thus never reaching the l2tp interface's IP stack. These are not standard appliances but Cisco WMS.
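As an added illustration (not code from the original post or answer): a small Python model of VM2's forwarding decision for a frame arriving on a bridge port. It shows why a frame sent to some other host's MAC is bridged into the tunnel untouched (the orange path), while a frame addressed to the bridge's own MAC enters the IP stack, is routed, and is masqueraded only when it leaves via eth0 (the blue path). The bridge MAC, the constructed MAC of the other host, and 10.0.1.1 being VM2's eth0 address are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for the model: the LAN from the question, a made-up MAC for
# VM2's bridge interface 'l2tp' (192.168.0.6), and 10.0.1.1 assumed to sit on eth0.
LAN = ipaddress.ip_network("192.168.0.0/24")
BRIDGE_MAC = "02:00:00:00:00:06"
ETH0_ADDR = "10.0.1.1"
BRIDGE_PORTS = ("eth1", "l2tpeth0")


@dataclass
class Frame:
    in_port: str   # bridge port the frame arrived on
    dst_mac: str   # destination MAC chosen by the sending host
    src_ip: str
    dst_ip: str


def route(dst_ip: str) -> str:
    """VM2's routing table: the LAN lives on the bridge, everything else leaves via eth0."""
    return "l2tp" if ipaddress.ip_address(dst_ip) in LAN else "eth0"


def nat_postrouting(out_if: str, src_ip: str) -> str:
    """The page's rule 'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE':
    the source is rewritten only when the out interface seen by iptables is eth0."""
    return ETH0_ADDR if out_if == "eth0" else src_ip


def forward(frame: Frame) -> tuple[str, str]:
    """Return (egress interface, source IP after POSTROUTING) for one frame on VM2."""
    if frame.dst_mac != BRIDGE_MAC:
        # Not addressed to the bridge: pure L2 forwarding to the other port (orange
        # path). With bridge-nf-call-iptables=1 it still traverses POSTROUTING, but
        # iptables sees the bridge device 'l2tp' as the out interface, so '-o eth0'
        # never matches and nothing is logged or masqueraded.
        out_port = BRIDGE_PORTS[1] if frame.in_port == BRIDGE_PORTS[0] else BRIDGE_PORTS[0]
        return out_port, nat_postrouting("l2tp", frame.src_ip)
    # Addressed to the bridge MAC: the host uses 192.168.0.6 as its gateway, so the
    # packet enters VM2's IP stack and is routed (blue path when it leaves via eth0).
    out_if = route(frame.dst_ip)
    return out_if, nat_postrouting(out_if, frame.src_ip)
```

LAN-to-LAN traffic routed through the bridge (192.168.0.4 to 192.168.0.1) leaves on the bridge device and is therefore never masqueraded, which is the selective behaviour the question asked for.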