iptables? issue

Mike Wright mike.wright at mailinator.com
Mon Feb 13 22:45:07 UTC 2012


On 02/13/2012 02:22 PM, Mike Wright wrote:
> On 02/13/2012 11:34 AM, nullv at gmx.com wrote:
>> Hi,
>> I'm hoping that you can point out what I'm missing here. I have a server
>> (router0) with a public IP 41.123.234.74/29 that's using an internet
>> modem 41.123.234.73/29 as a gateway. The server (router0) also has a
>> second card used for LAN comms where it has IP address 10.0.0.1/8.
>> Addresses are broadcast via DHCP along with DNS and gateway settings, and
>> everything works perfectly when I MASQUERADE the local IPs to the WAN
>> address with iptables.
>> The issue is this: I'm trying to set up another server (db0) behind
>> router0 on the LAN side and want to have its packets go to my router0
>> gateway and be forwarded to the internet side and vice versa. db0 has an
>> address 41.123.234.75/29 with .74 set as the gateway. If I set up my
>> addressing on db0 using LAN addresses and 10.0.0.1, my db0 server can
>> connect and everything, but if I use the WAN address I can't connect even
>> to the 41.123.234.74/29 router0 address. I had inserted the following
>> rule into my tables' FORWARD chain:
>> iptables -I FORWARD -s 41.123.234.72/29 -j ACCEPT
>> to allow public packets from either side to be forwarded to both sides,
>> but I can't seem to get the boxes to get through to each other.
>> Can anyone tell me where I'm getting it wrong?
>> Thanks in advance
>>
>>
>
> Hi nullv,
>
> I use this layout successfully. If you want more than one subnet a
> simple switch plugged into eth1 allows adding more than one box/subnet.
>
> # your /29
> # 41.123.234.72/32 NETWORK
> # 41.123.234.73/32 GATEWAY
> # 41.123.234.74/32 WAN1
> # 41.123.234.75/32 WAN2
> # 41.123.234.76/32 WAN3
> # 41.123.234.77/32 WAN4
> # 41.123.234.78/32 WAN5
> # 41.123.234.79/32 BROADCAST
>
> ### iptables rules
>
> # define custom chains and zero their [packets:bytes] counters
> :WAN1 - [0:0]
> :WAN2 - [0:0]
> :WAN3 - [0:0]
> :WAN4 - [0:0]
> :WAN5 - [0:0]
>
> # inbound connections
> -A PREROUTING -d 41.123.234.74/32 -j WAN1
> -A PREROUTING -d 41.123.234.75/32 -j WAN2
> -A PREROUTING -d 41.123.234.76/32 -j WAN3
> -A PREROUTING -d 41.123.234.77/32 -j WAN4
> -A PREROUTING -d 41.123.234.78/32 -j WAN5
>
> # pick one of your WAN IPs for outbound connections
> -A POSTROUTING -o eth0 -j SNAT --to-source 41.123.234.74
>
> # this will map inbound WAN IP:PORT to various internal servers
> # NAT can point to different networks
> -A WAN1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1
> -A WAN1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.5.0.2
> -A WAN2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.16.7.3
> -A WAN2 -p tcp -m tcp --dport 8008 -j DNAT --to-destination 10.5.2.4
> -A WAN2 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.1.2.5
> -A WAN3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.44.2.6
> -A WAN4 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.9.3.7
> -A WAN5 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 10.192.4.8
>
> # add rules to allow access to services on the router
> -A INPUT ...
>
> # add rules to allow/deny access between subnets
> -A FORWARD ...

Follow up.

Remember to add the GATEWAY IP for each of the inside subnets to eth1
(and to make sure each of your hosts points to the appropriate GATEWAY).
iproute2 is your friend here.

   e.g. where x.x.x.254 are the GATEWAYs
   ip address add 10.0.0.254/8 dev eth1
   ip address add 192.168.7.254/24 dev eth1
   ...

>
> Hope this applies to your situation,
> Mike Wright

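Mike's sketch leaves the filter table as "-A INPUT ..." and "-A FORWARD ...". The script below is an added example, not code from either poster: it generates a complete iptables-restore file for the layout in the thread, with the per-WAN-IP chains and DNAT rules built from a small mapping table, plus a default-deny FORWARD chain that only admits inbound connections which PREROUTING actually DNATed (the conntrack DNAT state). The mapping table, the interface names eth0 (WAN) and eth1 (LAN), the SNAT source address and the INPUT rules (loopback, established traffic, SSH from the LAN side only) are assumptions for illustration; adjust them before loading anything.

```shell
#!/bin/sh
# Added example (not from the original post): generate an iptables-restore
# ruleset for a /29 routed through a Linux box with private subnets behind it.
# eth0/eth1, the SNAT source and the mapping table below are assumptions.

WAN_IF=eth0
LAN_IF=eth1
SNAT_SRC=41.123.234.74

# Constructed mapping table: "public-ip tcp-port inside-host", one per line.
MAPPINGS='41.123.234.74 80   10.0.0.1
41.123.234.74 443  10.5.0.2
41.123.234.75 80   192.168.7.3
41.123.234.78 3306 10.192.4.8'

# Chain name for a public IP, following the post's numbering:
# .74 -> WAN1, .75 -> WAN2, ... .78 -> WAN5.
wan_chain() {
    printf 'WAN%d\n' $(( ${1##*.} - 73 ))
}

# Distinct public IPs from the mapping table, in first-seen order.
public_ips() {
    printf '%s\n' "$MAPPINGS" | awk '!seen[$1]++ { print $1 }'
}

# nat table: one custom chain per public IP, PREROUTING dispatch by
# destination address, DNAT per port inside the chain, SNAT for outbound.
gen_nat_table() {
    printf '%s\n' '*nat'
    for ip in $(public_ips); do
        printf '%s\n' ":$(wan_chain "$ip") - [0:0]"
    done
    for ip in $(public_ips); do
        printf '%s\n' "-A PREROUTING -d $ip/32 -j $(wan_chain "$ip")"
    done
    printf '%s\n' "$MAPPINGS" | while read -r ip port inside; do
        printf '%s\n' "-A $(wan_chain "$ip") -p tcp -m tcp --dport $port -j DNAT --to-destination $inside"
    done
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -j SNAT --to-source $SNAT_SRC"
    printf '%s\n' 'COMMIT'
}

# filter table: default-deny forwarding. LAN hosts may open outbound
# connections; from the WAN side only connections that PREROUTING DNATed
# are admitted; replies ride on conntrack state. Traffic between inside
# subnets (-i eth1 -o eth1) hits the DROP policy unless you add rules.
gen_filter_table() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        "-A INPUT -i $LAN_IF -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT" \
        '-A FORWARD -m conntrack --ctstate INVALID -j DROP' \
        '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        "-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT" \
        "-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate DNAT -j ACCEPT" \
        'COMMIT'
}

gen_ruleset() {
    gen_nat_table
    gen_filter_table
}

# Stand-alone: print the ruleset. To apply:  ./gen-rules.sh | iptables-restore
gen_ruleset
```

The ctstate DNAT match is the piece that makes the FORWARD chain safe to leave default-deny: a packet arriving on eth0 for an inside host is only accepted if a PREROUTING rule rewrote its destination, so adding a port to the mapping table is the single step that opens it, and nothing else on the inside becomes reachable from the WAN. Remember that iptables-restore replaces the whole table; review the generated output before loading it on a remote box.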