iptables? issue

Mike Wright mike.wright at mailinator.com
Mon Feb 13 22:22:18 UTC 2012


On 02/13/2012 11:34 AM, nullv at gmx.com wrote:
> Hi,
> I'm hoping that you can point out what I'm missing here. I have a server
> (router0) with a public IP 41.123.234.74/29 that's using an internet
> modem 41.123.234.73/29 as a gateway. The server (router0) also has a
> second card used for LAN comms where it has IP address 10.0.0.1/8.
> Addresses are broadcast via DHCP along with DNS and gateway settings and
> everything works perfectly when I MASQUERADE the local IPs to the WAN
> address with iptables.
> The issue is this: I'm trying to set up another server (db0) behind
> router0 on the LAN side and want to have its packets go to my router0
> gateway and be forwarded to the internet side and vice versa. db0 has an
> address 41.123.234.75/29 with .74 set as the gateway. If I set up my
> addressing on db0 using LAN addresses and 10.0.0.1, my db0 server can
> connect and everything, but if I use the WAN address I can't connect even
> to the 41.123.234.74/29 router0 address. I had inserted the following
> rule into my tables' FORWARD chain:
> iptables -I FORWARD -s 41.123.234.72/29 -j ACCEPT
> to allow public packets from either side to be forwarded to both sides,
> but I can't seem to get the boxes to get through to each other.
> Can anyone tell me where I'm getting it wrong?
> Thanks in advance
>
>

Hi nullv,

I use this layout successfully. If you want more than one subnet, a
simple switch plugged into eth1 allows adding more than one box/subnet.

# your /29
# 41.123.234.72/32 NETWORK
# 41.123.234.73/32 GATEWAY
# 41.123.234.74/32 WAN1
# 41.123.234.75/32 WAN2
# 41.123.234.76/32 WAN3
# 41.123.234.77/32 WAN4
# 41.123.234.78/32 WAN5
# 41.123.234.79/32 BROADCAST

### iptables rules

# define custom chains and zero connection counts
:WAN1 - [0:0]
:WAN2 - [0:0]
:WAN3 - [0:0]
:WAN4 - [0:0]
:WAN5 - [0:0]

# inbound connections
-A PREROUTING -d 41.123.234.74/32 -j WAN1
-A PREROUTING -d 41.123.234.75/32 -j WAN2
-A PREROUTING -d 41.123.234.76/32 -j WAN3
-A PREROUTING -d 41.123.234.77/32 -j WAN4
-A PREROUTING -d 41.123.234.78/32 -j WAN5

# pick one of your WAN IPs for outbound connections
-A POSTROUTING -o eth0 -j SNAT --to-source 41.123.234.74

# this will map inbound WAN IP:PORT to various internal servers
# NAT can point to different networks
-A WAN1 -p tcp -m tcp --dport 80   -j DNAT --to-destination 10.0.0.1
-A WAN1 -p tcp -m tcp --dport 443  -j DNAT --to-destination 10.5.0.2
-A WAN2 -p tcp -m tcp --dport 80   -j DNAT --to-destination 192.16.7.3
-A WAN2 -p tcp -m tcp --dport 8008 -j DNAT --to-destination 10.5.2.4
-A WAN2 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.1.2.5
-A WAN3 -p tcp -m tcp --dport 80   -j DNAT --to-destination 172.44.2.6
-A WAN4 -p tcp -m tcp --dport 80   -j DNAT --to-destination 10.9.3.7
-A WAN5 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 10.192.4.8

# add rules to allow access to services on the router
-A INPUT ...

# add rules to allow/deny access between subnets
-A FORWARD ...

Hope this applies to your situation,
Mike Wright
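Added example, not code from Mike's post or from nullv: the layout above rendered as one complete iptables-restore file, including the INPUT and FORWARD rules the post leaves as "...". The FORWARD chain defaults to DROP and admits WAN-to-LAN traffic only for connections that a PREROUTING DNAT rule created (`--ctstate DNAT`), which is the tighter alternative to accepting everything whose source address falls in the /29. Assumed: eth0 is the WAN card and eth1 the LAN card (the names used in the thread); the private addresses 10.0.0.1 and 10.0.0.2 and the port list are constructed, with db0 behind WAN2.

```shell
#!/bin/sh
# Added example, not code from the thread: render the "/29 on the router, one
# custom chain per WAN IP" layout as a complete iptables-restore file.
# Assumed: eth0 = WAN card, eth1 = LAN card (names from the thread); db0 gets
# the constructed private address 10.0.0.2 and is reached through WAN2.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=10.0.0.0/8
SNAT_IP=41.123.234.74          # WAN1: the address outbound LAN traffic is SNATed to

# Constructed mapping table: "public_ip chain private_ip tcp_ports"
MAPPINGS='41.123.234.74 WAN1 10.0.0.1 80,443
41.123.234.75 WAN2 10.0.0.2 3306'

gen_nat_table() {
    printf '*nat\n'
    # one custom chain per public address, counters zeroed
    printf '%s\n' "$MAPPINGS" | while read -r pub chain priv ports; do
        printf ':%s - [0:0]\n' "$chain"
    done
    # inbound: hand each public /32 to its own chain
    printf '%s\n' "$MAPPINGS" | while read -r pub chain priv ports; do
        printf '%s\n' "-A PREROUTING -i $WAN_IF -d $pub/32 -j $chain"
    done
    # outbound: LAN hosts leave through one WAN address
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $SNAT_IP"
    # per chain: only the listed TCP ports are DNATed; anything else stays on the router
    printf '%s\n' "$MAPPINGS" | while read -r pub chain priv ports; do
        for port in $(printf '%s' "$ports" | tr ',' ' '); do
            printf '%s\n' "-A $chain -p tcp -m tcp --dport $port -j DNAT --to-destination $priv"
        done
    done
    printf 'COMMIT\n'
}

gen_filter_table() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # the router itself: loopback, replies, and the DHCP/DNS it serves to the LAN
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"
    printf '%s\n' "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A INPUT -i $LAN_IF -p udp -m udp --dport 67 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $LAN_IF -s $LAN_NET -p udp -m udp --dport 53 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp -m tcp --dport 53 -j ACCEPT"
    # forwarding: replies, LAN-to-WAN, and only those WAN-to-LAN flows PREROUTING DNATed
    printf '%s\n' "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate DNAT -j ACCEPT"
    # everything else is logged (rate-limited) and hits the DROP policy
    printf '%s\n' "-A FORWARD -m limit --limit 5/min -j LOG --log-prefix \"FWD-DROP: \""
    printf 'COMMIT\n'
}

# Whole file: gen_ruleset > /tmp/rules.v4 && iptables-restore --test /tmp/rules.v4
gen_ruleset() {
    gen_nat_table
    gen_filter_table
}

gen_ruleset
```

Because the script only prints the ruleset, it can be run and reviewed on any machine; loading it is a separate step, and `iptables-restore --test` parses the file without committing it, so syntax slips are caught before the router's tables change. Adding a host or subnet is one more line in `MAPPINGS`; the `-i`/`-o` interface matches on the FORWARD rules are what keep a LAN host from reaching another internal subnet unless a rule for that pair is added.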

