Linode Community Forums
Posted: Mon Jul 21, 2008 12:45 pm
Senior Newbie

Joined: Mon Jul 21, 2008 12:28 pm
Posts: 8
WLM: peterlee169@hotmail.com
first linode:
iface eth0 inet static
address 207.192.*.*
netmask 255.255.255.0
gateway 207.192.72.1
iface eth1 inet static
address 192.168.133.*
netmask 255.255.128.0

echo 1 >/proc/sys/net/ipv4/ip_forward
cat /proc/sys/net/ipv4/ip_forward
result is 1
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.128.0/17 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.128.0/17 -j SNAT --to-source 207.192.*.*(first public ip)


second linode:
iface eth0 inet static
address 207.192.*.*
netmask 255.255.255.0
gateway 207.192.72.1
iface eth1 inet static
address 192.168.133.*
netmask 255.255.128.0

route add -net 192.168.128.0/17 gw 192.168.133.*(first private ip)

Below is the route table:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
207.192.73.0    *               255.255.255.0   U     0      0        0 eth0
192.168.128.0   192.168.133.*   255.255.128.0   UG    0      0        0 eth1
192.168.128.0   *               255.255.128.0   U     0      0        0 eth1
default         gateway37.linod 0.0.0.0         UG    0      0        0 eth0


>>>>This shows that the route and gateway are right

ping first-private-ip is ok
ping 207.192.72.1 -I eth1 is ok
traceroute 207.192.72.1 ok
traceroute -i eth0 207.192.72.1 ok
traceroute -i eth1 207.192.72.1 fail


>>>>This shows that using a private IP as the gateway for another private IP has failed!!
>>>>Can anybody help me?


Last edited by kotter on Mon Jul 21, 2008 1:01 pm, edited 1 time in total.

 Post subject: iptables --list -t nat
Posted: Mon Jul 21, 2008 12:58 pm
Senior Newbie

Joined: Mon Jul 21, 2008 12:28 pm
Posts: 8
WLM: peterlee169@hotmail.com
On the first linode:
iptables --list -t nat

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
nat_in     0    --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
nat_out    0    --  anywhere             anywhere
eth0_masq  0    --  anywhere             anywhere
SNAT       0    --  192.168.128.0/17     anywhere            to:207.192.72.*(my ip)
MASQUERADE 0    --  192.168.128.0/17     anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain eth0_masq (1 references)
target     prot opt source               destination
MASQUERADE 0    --  192.168.128.0/17     anywhere            policy match dir out pol none

Chain nat_in (1 references)
target     prot opt source               destination
DNAT       0    --  anywhere             li36-35.members.linode.com policy match dir in pol none to:192.168.133.*

Chain nat_out (1 references)
target     prot opt source               destination
SNAT       0    --  192.168.133.*        anywhere            policy match dir out pol none to:207.192.72.*


Posted: Wed Jul 23, 2008 2:45 pm
Junior Member

Joined: Sun Dec 02, 2007 1:17 am
Posts: 27
Website: http://www.nabber.org
It might help if you explain what you are trying to do with this configuration. And what does your failed traceroute actually output?

My guess is that right now traceroute just fails because it can't find a route in your routing table. When you specify -i eth1 that limits you to:

192.168.128.0   192.168.133.*   255.255.128.0   UG    0      0        0 eth1
192.168.128.0   *               255.255.128.0   U     0      0        0 eth1

Since your destination address is not in the 192.168 subnet it will fail. My guess is you want to specify a secondary default gateway using eth1 and your 192.168 gateway address.


Posted: Wed Jul 23, 2008 2:54 pm
Senior Newbie

Joined: Mon Jul 21, 2008 12:28 pm
Posts: 8
WLM: peterlee169@hotmail.com
I have disabled the public IP on the second linode's eth0; the default gateway is the first linode's private IP, but I cannot ping, and traceroute fails too.


Posted: Wed Jul 23, 2008 4:20 pm
Junior Member

Joined: Sun Dec 02, 2007 1:17 am
Posts: 27
Website: http://www.nabber.org
Can you give us a routing table update then?


Posted: Wed Jul 23, 2008 4:26 pm
Senior Newbie

Joined: Mon Jul 21, 2008 12:28 pm
Posts: 8
WLM: peterlee169@hotmail.com
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.128.0   *               255.255.128.0   U     0      0        0 eth1
default         192.168.133.20  0.0.0.0         UG    0      0        0 eth1


Posted: Wed Jul 23, 2008 4:27 pm
Senior Newbie

Joined: Mon Jul 21, 2008 12:28 pm
Posts: 8
WLM: peterlee169@hotmail.com
I ssh to the second linode through the first linode.


Posted: Wed Jul 23, 2008 4:29 pm
Senior Newbie

Joined: Mon Jul 21, 2008 12:28 pm
Posts: 8
WLM: peterlee169@hotmail.com
I made it work very easily on my PC; that only needed "apt-get install ipmasq".
I studied the iptables -L result carefully. I believe my linode's iptables configuration is correct.

I have brought eth0 down with ifconfig; only eth1 is up.

tcpdump only displays "arp who has.., reply to...".

Is something about ARP disabled on linode's private network?


Posted: Wed Jul 23, 2008 11:10 pm
Junior Member

Joined: Sun Dec 02, 2007 1:17 am
Posts: 27
Website: http://www.nabber.org
I just use a one-liner when I do NAT, you might want to try just this to start:

iptables --table nat --append POSTROUTING -s 192.168.0.0/16 -o eth0 -j MASQUERADE

Also you should probably try turning off all of your iptables NAT stuff and see if you can do a normal ping between linodes. If that doesn't work, NAT won't work for sure.


Posted: Fri Jul 25, 2008 10:38 am
Senior Newbie

Joined: Mon Jul 21, 2008 12:28 pm
Posts: 8
WLM: peterlee169@hotmail.com
I have given up.
This is an easy thing on a Linux server, but on linode it cannot be done.
I am sure there is something disabled in linode's private network.


Posted: Fri Jul 25, 2008 1:12 pm
Senior Member

Joined: Tue Jan 22, 2008 2:10 am
Posts: 103
For security reasons, all network interfaces (including the private net) are filtered to only be able to send packets on their own IP addresses.

If you want to masquerade through the private net, you will need to establish an IP-in-IP tunnel. Although I'm not sure why you'd want to.
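
An added example, not part of the reply above and not Linode's own configuration: a shell script that prints the commands for the IP-in-IP tunnel suggested there, with NAT on the first linode. 192.168.133.20 comes from the routing table posted earlier; the second linode's private address, the 10.99.0.x inner addresses and the interface name natgw0 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: plan an IP-in-IP tunnel plus NAT.
# The outer headers carry only each host's own private IP, which the
# per-interface source filter described above allows.
GW_PRIV=${GW_PRIV:-192.168.133.20}  # first linode eth1 (routing table in the thread)
CL_PRIV=${CL_PRIV:-192.168.133.21}  # second linode eth1 (constructed placeholder)
GW_TUN=${GW_TUN:-10.99.0.1}         # inner tunnel addresses (constructed)
CL_TUN=${CL_TUN:-10.99.0.2}
TUN=${TUN:-natgw0}                  # tunnel interface name (hypothetical)

# Accept only dotted-quad IPv4, since values are spliced into root commands.
is_ipv4() {
  case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# $1/$2 = local/remote outer (private) IP, $3/$4 = local/remote inner IP
tunnel_cmds() {
  echo "modprobe ipip"
  echo "ip tunnel add $TUN mode ipip local $1 remote $2 dev eth1"
  echo "ip addr add $3 peer $4 dev $TUN"
  echo "ip link set $TUN up"
}

# Print the commands for one role: gateway (first linode) or client (second).
plan() {
  for a in "$GW_PRIV" "$CL_PRIV" "$GW_TUN" "$CL_TUN"; do
    is_ipv4 "$a" || { echo "bad address: $a" >&2; return 2; }
  done
  case "$1" in
    gateway)
      tunnel_cmds "$GW_PRIV" "$CL_PRIV" "$GW_TUN" "$CL_TUN"
      echo "sysctl -w net.ipv4.ip_forward=1"
      # NAT only the tunnel peer, not the whole shared 192.168.128.0/17
      echo "iptables -t nat -A POSTROUTING -s $CL_TUN/32 -o eth0 -j MASQUERADE" ;;
    client)
      tunnel_cmds "$CL_PRIV" "$GW_PRIV" "$CL_TUN" "$GW_TUN"
      echo "ip route replace default via $GW_TUN dev $TUN" ;;
    *) echo "usage: $0 gateway|client" >&2; return 2 ;;
  esac
}

# Print the plan for review; pipe it to "sh -ex" as root to apply it.
[ -z "${1:-}" ] || plan "$1"
```

IP-in-IP adds a 20-byte outer header, so the usable MTU inside the tunnel is smaller than eth1's.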


Posted: Fri Jul 25, 2008 1:21 pm
Senior Newbie

Joined: Mon Jul 21, 2008 12:28 pm
Posts: 8
WLM: peterlee169@hotmail.com
bdonlan wrote:
For security reasons, all network interfaces (including the private net) are filtered to only be able to send packets on their own IP addresses.

If you want to masquerade through the private net, you will need to establish an IP-in-IP tunnel. Although I'm not sure why you'd want to.


This is the reason,
but I have removed the second linode from my account.

