It is not clear why you want to give these specific addresses to your middle box. If you just need to pass packets to the other end, there is no need for that, you can use bridging (or optionally proxy-arp).
One valid use case is if you want traffic from either end to be directed to an application running locally on the middle box, optionally generating a new application request on the other side, going up and down the full network stack (for instance, say, a userland HTTP proxy). If this is what you want, keep reading.
You cannot configure the middle box like this as-is, because the middle box will not be able to distinguish its local interface on one side, from the remote interface on the other side.
The way I would try to set it up would be first to choose two new addresses for the middle box, splitting one side into a separate subnet, for instance x.x.x.6/30 (that blocks .4 and .7 as network addresses, from the middle box, and allows .5 for the remote side) and x.x.x.11 for the other side.
Next, enable proxy-ARP for the two relevant interfaces, by adding the following to your interface startup scripts:
echo 1 >/proc/sys/net/ipv4/conf/eth0/proxy_arp
for eth0, and
echo 1 >/proc/sys/net/ipv4/conf/eth1/proxy_arp
for eth1. You can also use all
instead of the interface name, if there are no other interfaces on the box. This will have the effect that your middle box will now respond with its own MAC address to arp requests directed at known routable addresses on the other side.
Next, use these four NAT rules to make the box invisible:
iptables -t nat -A PREROUTING -i eth0 -s x.x.x.5 -d x.x.x.10 -j DNAT --to-destination x.x.x.6
iptables -t nat -A POSTROUTING -o eth0 -d x.x.x.5 -s x.x.x.6 -j SNAT --to-source x.x.x.10
iptables -t nat -A PREROUTING -i eth1 -s x.x.x.10 -d x.x.x.5 -j DNAT --to-destination x.x.x.11
iptables -t nat -A POSTROUTING -o eth1 -d x.x.x.10 -s x.x.x.11 -j SNAT --to-source x.x.x.5
This way, you get to use different addresses internally to identify the interfaces of your middle box, but they don't appear on the outside. The process will look like:
- x.x.x.5 makes a direct ARP request for x.x.x.10. This request arrives on the middle box on eth0.
- middle box notices that x.x.x.10 is routable on eth1, so answers with its own MAC address
- the IP packet to x.x.x.10 gets delivered to middle box on eth0
- DNAT rule in PREROUTING eth0 kicks in and rewrites the destination to x.x.x.6
- local application handles the request to x.x.x.6, issues a separate request to x.x.x.10, the request gets routed to eth1
- SNAT rule in POSTROUTING eth1 kicks in, changes the source address to x.x.x.5
- x.x.x.10 sees the middle box request arriving from x.x.x.5.
- x.x.x.10 wants to reply, issues ARP request for x.x.x.5
- proxy-arp kicks in on eth1, since x.x.x.5 is routable on eth0
- reply goes to middle box, DNAT rule in eth1 kicks in, rewrites the destination to x.x.x.11
- local application handles the response, the original process issues a response from x.x.x.6 to x.x.x.5
- SNAT rule for eth0 kicks in, changes the source address to x.x.x.10
- final response is issued to x.x.x.5
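The following script is an added example, not part of the answer above: it checks the addressing plan the answer describes (the /30 carved out on one side, with the peer as a usable address inside it and the far peer outside it) and emits the proxy-ARP and NAT commands for a given pair of interfaces without executing them. The argument names (ifA/realA/intA, ifB/realB/intB) and the 10.0.0.x sample addresses are constructed and stand in for the answer's x.x.x.* values.

```sh
#!/bin/sh
# Added example: validate the /30 plan and print the proxy-ARP + NAT commands.
# Names and the 10.0.0.x sample values are constructed for illustration.

ip2int() {                      # dotted quad -> 32-bit integer
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {                      # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
netmask() { echo $(( (4294967295 << (32 - $1)) & 4294967295 )); }   # prefix -> mask int

subnet_network()   { int2ip $(( $(ip2int "$1") & $(netmask "$2") )); }
subnet_broadcast() { int2ip $(( ($(ip2int "$1") & $(netmask "$2")) | (~$(netmask "$2") & 4294967295) )); }

# Is HOST a usable address (neither network nor broadcast) inside ADDR/PREFIX?
same_usable_subnet() {          # host addr prefix
  h=$(ip2int "$1")
  net=$(ip2int "$(subnet_network "$2" "$3")")
  bc=$(ip2int "$(subnet_broadcast "$2" "$3")")
  if [ "$h" -gt "$net" ] && [ "$h" -lt "$bc" ]; then return 0; else return 1; fi
}

# Emit the six commands from the answer, parameterised:
#   ifA realA intA = interface, peer address and middle-box internal address on side A
#   ifB realB intB = the same for side B
nat_commands() {
  ifA=$1 realA=$2 intA=$3 ifB=$4 realB=$5 intB=$6
  echo "echo 1 >/proc/sys/net/ipv4/conf/$ifA/proxy_arp"
  echo "echo 1 >/proc/sys/net/ipv4/conf/$ifB/proxy_arp"
  echo "iptables -t nat -A PREROUTING -i $ifA -s $realA -d $realB -j DNAT --to-destination $intA"
  echo "iptables -t nat -A POSTROUTING -o $ifA -d $realA -s $intA -j SNAT --to-source $realB"
  echo "iptables -t nat -A PREROUTING -i $ifB -s $realB -d $realA -j DNAT --to-destination $intB"
  echo "iptables -t nat -A POSTROUTING -o $ifB -d $realB -s $intB -j SNAT --to-source $realA"
}

# Side A is carved into a /30 around intA: the peer on A must be a usable address
# of that /30 and the peer on B must lie outside it, or the box cannot tell them apart.
plan_ok() {                     # realA intA realB
  if same_usable_subnet "$1" "$2" 30 && ! same_usable_subnet "$3" "$2" 30; then return 0; else return 1; fi
}

# Constructed sample: peer 10.0.0.5 on eth0, peer 10.0.0.10 on eth1,
# middle box internally 10.0.0.6 (eth0 side) and 10.0.0.11 (eth1 side).
plan_ok 10.0.0.5 10.0.0.6 10.0.0.10 && nat_commands eth0 10.0.0.5 10.0.0.6 eth1 10.0.0.10 10.0.0.11
```

Pipe the printed commands into sh on the middle box only after reviewing them; the script itself touches no interface or table.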