Re: NAT to one net, bridge to another

[Pascal Hambourg <pascal.mail@plouf.fr.eu.org>]

Hello,

Mike Williams a écrit :
> 
> At the moment I'm looking at NATting stuff to 3 different zones (private 
> networks), and hopefully bridging to a 4th zone.
> It'll have 10 nics, all paired off into round-robin bonds, so 5 usuable 
> interfaces. 1 colo facing, 3 private, 1 "public".

What interfaces do you plan to bridge ?

> Can you DNAT packets to IPs X, and Y, Z assigned to a bridge, while bridging 
> those IPs not assigned to it?

First, bridging and DNAT don't take place at the same network layer. 
Bridging takes place at layer 2 and DNAT at layer 3 or 4. You bridge 
ethernet frames (possibly transporting IP packets but it doesn't matter) 
  according to their MAC addresses, and this process is transparent for 
the TCP/IP stack. You DNAT IP datagrams (possibly transported in 
ethernet frames) according to their IP addresses and TCP or UDP ports. A 
bridge can be considered as a virtual ethernet switch whose ports are 
the bridged interfaces. On the host, it creates a bridge interface 
"hiding" the bridged interfaces, just as a bond interface hide the 
enslaved interfaces. So the kernel routing and Netfilter/iptables will 
only see packets from the bridge interface, not those from the bridged 
interfaces.

I assume you plan to bridge the "colo" and "public" interfaces.

          colo     public
            |        |
            |        |
         bridge interface
                |
                |
          TCP/IP stack (routing, iptables, NAT, filtering)
             |  |  |
             |  |  |
        private interfaces

The bridge catches incoming ethernet frames before the IP stack can see 
them. So an ethernet frame forwarded from colo to public does not hit 
the IP stack, unless it is an ethernet broadcast.

To try to answer your question, you can DNAT IP datagrams transported by 
ethernet frames which are not bridged to another interface.