IPtables router / gateway

Steven Buehler steve at ibushost.com
Fri Jul 8 17:24:59 UTC 2011


> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Harry Hoffman
> Sent: Friday, July 08, 2011 8:24 AM
> To: General Red Hat Linux discussion list
> Subject: Re: IPtables router / gateway
> 
> You need to change the default gateway on your servers to be the new Linux
> box and then use an interior routing protocol on that box to talk to its
> next hop router or set up static routes.
> Cheers,
> Harry
> 
> Steven Buehler <steve at ibushost.com> wrote:
> 
> >I am running some servers in a data center and I have now been informed
> >that since I have a Class C of IPs, that I have to be my own gateway
> >as they are making some changes because of a buyout.  I have an extra
> >server with 2 NICs to do this with, but everything I can find on the
> >internet for iptables is for NATing public IPs on eth0 to local IPs
> >through eth1.  I can do that as I have for another company forwarding
> >remote IPs to the LAN IP address of a server.   I need this server to be
> >set up with the 22.22.22.1 IP as the gateway and forward all other IPs in
> >that netblock to the internal interface and allow all of those machines
> >total access to the internet through this server as the gateway and don't
> >want to use NAT as some of the software I am running would have MAJOR
> >problems with that.  Plus, I don't want to have to change all of the IPs
> >that are already on the other servers using the provider as the gateway.
> >

Ok, so if my Linux box is the gateway of 22.22.22.1.  My other servers are
already set up to use 22.22.22.1 as the default gateway, but at the moment I
am NOT my own default gateway.  I have to get my script correct first so
that the server is ready when the upstream provider switches me.  Here is my
script to set it up.  Can you see anything that is missing?  I am sure that
I have the forwarding rules wrong as I want anything coming from one of my
servers to look like it is coming from its IP (Example 22.22.22.28) and not
from the gateway IP.  If I read correctly, the MASQUERADE would make all of
the IPs look like the gateway IP, correct?  Anyway, here is my script for
the Linux box to use as a gateway router.  My internal LAN address for eth1
is 192.168.3.12 but all of my internal servers need to use the public IP
that I have assigned to them.  Some of my internal servers only have one NIC
on them (old).

#!/bin/sh
#
# To make sure that forwarding stays on, edit /etc/sysctl.conf and change 0 to 1 for
# net.ipv4.ip_forward = 1
# The location of the iptables and kernel module programs
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
IFCONFIG=/sbin/ifconfig
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed

#Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF="eth0"
INTIF="eth1"
EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
INTIP="`$IFCONFIG $INTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
echo "   External Interface:  $EXTIF $EXTIP"
echo "   Internal Interface:  $INTIF $INTIP"


echo -en "   loading modules: "

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

echo "----------------------------------------------------------------------"

#Load the main body of the IPTABLES module - "iptable"
echo -en "ip_tables, "
$MODPROBE ip_tables

#Load the stateful connection tracking framework - "ip_conntrack"
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack

#Load the FTP tracking mechanism for full FTP tracking
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp

#Load the IRC tracking mechanism for full IRC tracking
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc

#Load the general IPTABLES NAT code - "iptable_nat"
echo -en "iptable_nat, "
$MODPROBE iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp

echo -en "ipt_masquerade, "
$MODPROBE ipt_MASQUERADE

#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Loaded here; comment out the next two lines if IRC DCC NAT is not needed
#
echo -e "ip_nat_irc"
$MODPROBE ip_nat_irc

echo "----------------------------------------------------------------------"

echo -e "   Done loading modules.\n"

#CRITICAL:  Enable IP forwarding since it is disabled by default since
echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

#Clearing any previous configuration
echo "   Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
# NOTE: with the next line commented out the FORWARD chain policy is left at
# whatever it already was (ACCEPT unless something else changed it), so any
# forwarded packet not matched by a rule below is passed, not dropped.
#$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 22 -j ACCEPT
$IPTABLES -A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT


###############################################################################
# PUT FORWARDING RULES BELOW.  YOU NEED A FORWARD AND PREROUTING FOR EACH ONE #
###############################################################################

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
# MASQUERADE rewrites the source address of every packet leaving $EXTIF to
# that interface's own address, so the upstream sees $EXTIP rather than
# the originating server's address (e.g. 22.22.22.28).
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# LOG is non-terminating: anything reaching this rule is logged and then
# handled by the FORWARD chain policy.
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $INTIF"
# This rewrites the source of every packet forwarded to the LAN to $INTIP,
# so the internal servers see all inbound traffic as coming from the gateway.
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE

########################
# END FORWARDING RULES #
########################

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
$IPTABLES -A INPUT -j REJECT --reject-with icmp-host-prohibited

$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  
echo -e "\ndone.\n"
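For comparison, here is a routed (no-NAT) gateway policy of the kind the thread is aiming at. This is an added example written for this page; it is not the poster's script and not anything from the list. It assumes a layout the post does not spell out: eth0 faces the upstream router, which routes the whole block to this box, and eth1 carries the gateway address 22.22.22.1/24 with the other servers behind it. The block 22.22.22.0/24 is the poster's placeholder, kept as a default; the INBOUND_TCP port list and the function names (ip_to_int, in_netblock, check_config, gen_rules, apply_rules) are invented here. There is deliberately no nat table entry, so a packet from 22.22.22.28 leaves eth0 still sourced from 22.22.22.28; the two anti-spoofing rules and the DROP policy on FORWARD are what a routed gateway needs instead of MASQUERADE.

```sh
#!/bin/sh
# Added example, not the poster's script: a routed (no-NAT) gateway for a
# public /24.  Assumed layout (not stated in the post): eth0 faces the
# upstream router, which routes the whole block to this box; eth1 carries
# the gateway address 22.22.22.1/24 and the other servers sit behind it.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
NETBLOCK="${NETBLOCK:-22.22.22.0/24}"
GWIP="${GWIP:-22.22.22.1}"
IPT="${IPT:-/sbin/iptables}"
# TCP ports reachable from the Internet on any server in the block (assumed
# hosted services; adjust to what is actually run).
INBOUND_TCP="${INBOUND_TCP:-22 80 443}"

# Dotted quad -> 32-bit integer, POSIX sh arithmetic only.
ip_to_int() {
    IFS=. read -r _a _b _c _d <<EOF
$1
EOF
    echo $(( (_a << 24) | (_b << 16) | (_c << 8) | _d ))
}

# in_netblock ADDR CIDR: succeeds when ADDR lies inside CIDR.
in_netblock() {
    _addr=$(ip_to_int "$1"); _net=$(ip_to_int "${2%/*}"); _bits=${2#*/}
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# Refuse to install a policy whose gateway address is outside the served
# block: the servers' default route would then point at nothing reachable.
check_config() {
    in_netblock "$GWIP" "$NETBLOCK" || { echo "GWIP $GWIP is not in $NETBLOCK" >&2; return 1; }
    [ "$EXTIF" != "$INTIF" ] || { echo "EXTIF and INTIF must differ" >&2; return 1; }
}

# Print the rule set as shell commands so it can be reviewed or diffed before
# it is applied.  No nat table entries: packets are routed unchanged.
gen_rules() {
    cat <<EOF
$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -t nat -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# Traffic to the gateway itself: loopback, replies, ssh from inside, ICMP.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $INTIF -s $NETBLOCK -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -j REJECT --reject-with icmp-host-prohibited
# Anti-spoofing: the inside may only originate from the block, and nothing
# arriving from upstream may claim a source inside it.
$IPT -A FORWARD -i $INTIF ! -s $NETBLOCK -j DROP
$IPT -A FORWARD -i $EXTIF -s $NETBLOCK -j DROP
# Routed traffic: servers out freely, replies back in, sources preserved.
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -s $NETBLOCK -j ACCEPT
EOF
    for _p in $INBOUND_TCP; do
        echo "$IPT -A FORWARD -i $EXTIF -o $INTIF -d $NETBLOCK -p tcp --dport $_p -m state --state NEW -j ACCEPT"
    done
    # LOG does not terminate; the DROP policy handles what falls through.
    echo "$IPT -A FORWARD -m limit --limit 10/min -j LOG --log-prefix \"FWD-DROP: \""
}

# Turn on forwarding, enable the kernel's reverse-path check as a second
# anti-spoofing layer, then run the generated commands (needs root).
apply_rules() {
    check_config || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    sysctl -w net.ipv4.conf.all.rp_filter=1 >/dev/null
    gen_rules | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    show)  gen_rules ;;
esac
```

Run it with no argument to print the rules for review, and with `apply` as root to install them. After the upstream switch, `iptables -L FORWARD -v -n` shows the counters moving, and `tcpdump -ni eth0 host 22.22.22.28` on the gateway while that server fetches something confirms the packets leave with the server's own source address and not the gateway's.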
  
  



