IPtables router / gateway

Harry Hoffman hhoffman at ip-solutions.net
Fri Jul 8 18:53:25 UTC 2011


Hi Steve,

I think you are over-thinking this problem...

If I understand you correctly (and please correct me if I'm wrong), you
want to act purely as a router. That is to pass traffic from one IP
Address to the next without any manipulation of the addresses (SNAT/DNAT).

You have a setup that looks something like:

ISP_GW<--eth0>UR_LINUX_BOX<eth1-->YOUR_SERVERS

Where all are public ip addresses.

In order to accomplish this all that you need to do is setup ip
forwarding on your linux gateway and then pass all forwarded packets.
You don't want to do any SNAT/DNAT at all.

Ensure that you have the following line in /etc/sysctl.conf:
net.ipv4.ip_forward = 1

Then ensure that /etc/sysconfig/iptables allows forwarding:
*filter
...
:FORWARD ACCEPT [0:0]
...


eth0 should be a different subnet than eth1. And since you already have
your clients set up to use eth1 as the default gateway, eth0 just
needs to know where to send things that aren't on its own network.

Does this make sense?

Cheers,
Harry
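The reply above in runnable form, as an added example that is not code from the thread: a stateful forwarding ruleset with no MASQUERADE, in place of the two POSTROUTING lines in Steve's script. It assumes eth0 faces the ISP, eth1 faces the servers and 22.22.22.0/24 is the routed netblock (taken from the thread; substitute the real one); with IPT and SYSCTL left at their default of echo it only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread: a NAT-free forwarding ruleset for
# ISP_GW <-eth0- LINUX_BOX -eth1-> SERVERS, where every address is public.
# Assumptions: eth0 faces the ISP, eth1 faces the servers, 22.22.22.0/24 is
# the routed netblock from Steve's mail.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
NETBLOCK="${NETBLOCK:-22.22.22.0/24}"
# Dry run by default: commands are echoed, not applied. Run as root with
# IPT=/sbin/iptables SYSCTL=/sbin/sysctl to apply them for real.
IPT="${IPT:-echo}"
SYSCTL="${SYSCTL:-echo}"

router_rules() {
    # The kernel must route between the two interfaces; persist this with
    # net.ipv4.ip_forward = 1 in /etc/sysctl.conf as the reply says.
    $SYSCTL -w net.ipv4.ip_forward=1

    # Drop leftover rules, including any MASQUERADE from an earlier script.
    $IPT -F FORWARD
    $IPT -t nat -F

    # Stateful default-deny FORWARD chain instead of a bare ACCEPT policy.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Servers may open anything outbound, but only with a source address in
    # our netblock, so spoofed sources cannot leave through this router.
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$NETBLOCK" -j ACCEPT
    # New inbound connections are routed to the servers unchanged; only
    # destinations inside the netblock are accepted.
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$NETBLOCK" -j ACCEPT
    # Log (rate-limited) whatever falls through before the DROP policy.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    # Deliberately no -t nat POSTROUTING rule: addresses pass through as-is.
}

# Check a ruleset dump (e.g. from iptables-save) on stdin for any address
# rewriting. Returns 0 when it is NAT-free, 1 when it rewrites addresses.
check_no_nat() {
    if grep -Eq -- '-j (MASQUERADE|SNAT|DNAT)'; then
        return 1
    fi
    return 0
}

router_rules
```

After applying, `iptables-save | sh -c '. ./router.sh; check_no_nat'` style checks confirm the live ruleset still rewrites nothing.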


On 07/08/2011 01:24 PM, Steven Buehler wrote:
> 
>> -----Original Message-----
>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
>> bounces at redhat.com] On Behalf Of Harry Hoffman
>> Sent: Friday, July 08, 2011 8:24 AM
>> To: General Red Hat Linux discussion list
>> Subject: Re: IPtables router / gateway
>>
>> You need to change the default gateway on your servers to be the new Linux
>> box and then use an interior routing protocol on that box to talk to its
>> next hop router or set up static routes.
>> Cheers,
>> Harry
>>
>> Steven Buehler <steve at ibushost.com> wrote:
>>
>>> I am running some servers in a data center and I have now been informed
>>> that since I have a Class C of IP's, that I have to be my own gateway
>>> as they are making some changes because of a buyout.  I have an extra
>>> server with 2 nics to do this with, but everything I can find on the
>>> internet for iptables is for NATing public IP's on eth0 to local IP's
>>> through eth1.  I can do that as I have for another company forwarding
>>> remote IP's to the LAN IP address of a
>>> server.   I need this server to be setup with the 22.22.22.1 IP as the
>>> gateway and forward all other IP's in that netblock to the internal
>>> interface and allow all of those machines total access to the internet
>>> through this server as the gateway and don't want to use NAT as some of
>>> the software I am running would have MAJOR problems with that.  Plus, I
>>> don't want to have to change all of the IP's that are already on the
>>> other servers using the provider as the gateway.
>>>
> 
> Ok, so if my linux box is the gateway of 22.22.22.1.  My other servers are
> already setup to use 22.22.22.1 as the default gateway, but at the moment I
> am NOT my own default gateway.  I have to get my script correct first so
> that the server is ready when the upstream provider switches me.  Here is my
> script to set it up.  Can you see anything that is missing?  I am sure that
> I have the forwarding rules wrong as I want anything coming from one of my
> servers to look like it is coming from its IP (Example 22.22.22.28) and not
> from the gateway IP.  If I read correctly, the MASQUERADE would make all of
> the IP's look like the gateway IP, correct?  Anyway, here is my script for
> the linux box to use as a gateway router.  My internal LAN address for eth1
> is 192.168.3.12 but all of my internal servers need to use the public IP
> that I have assigned to them.  Some of my internal servers only have one NIC
> on them (old).
> 
> #!/bin/sh
> #
> # To make sure that forwarding stays on, edit /etc/sysctl.conf and change 0 to 1 for
> # net.ipv4.ip_forward = 1
> # The location of the iptables and kernel module programs
> IPTABLES=/sbin/iptables
> DEPMOD=/sbin/depmod
> MODPROBE=/sbin/modprobe
> IFCONFIG=/sbin/ifconfig
> GREP=/bin/grep
> AWK=/bin/awk
> SED=/bin/sed
> 
> #Setting the EXTERNAL and INTERNAL interfaces for the network
> EXTIF="eth0"
> INTIF="eth1"
> EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
> INTIP="`$IFCONFIG $INTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
> echo "   External Interface:  $EXTIF $EXTIP"
> echo "   Internal Interface:  $INTIF $INTIP"
> 
> 
> echo -en "   loading modules: "
> 
> # Need to verify that all modules have all required dependencies
> #
> echo "  - Verifying that all kernel modules are ok"
> $DEPMOD -a
> 
> echo "----------------------------------------------------------------------"
> 
> #Load the main body of the IPTABLES module - "iptable"
> echo -en "ip_tables, "
> $MODPROBE ip_tables
> 
> #Load the stateful connection tracking framework - "ip_conntrack"
> echo -en "ip_conntrack, "
> $MODPROBE ip_conntrack
> 
> #Load the FTP tracking mechanism for full FTP tracking
> echo -en "ip_conntrack_ftp, "
> $MODPROBE ip_conntrack_ftp
> 
> #Load the IRC tracking mechanism for full IRC tracking
> echo -en "ip_conntrack_irc, "
> $MODPROBE ip_conntrack_irc
> 
> #Load the general IPTABLES NAT code - "iptable_nat"
> echo -en "iptable_nat, "
> $MODPROBE iptable_nat
> 
> #Loads the FTP NAT functionality into the core IPTABLES code
> echo -en "ip_nat_ftp, "
> $MODPROBE ip_nat_ftp
> 
> echo -en "ipt_masquerade, "
> $MODPROBE ipt_MASQUERADE
> 
> #Loads the IRC NAT functionality into the core IPTABLES code
> # Required to support NAT of IRC DCC requests
> #
> # Disabled by default -- remove the "#" on the next line to activate
> #
> echo -e "ip_nat_irc"
> $MODPROBE ip_nat_irc
> 
> echo "----------------------------------------------------------------------"
> 
> echo -e "   Done loading modules.\n"
> 
> #CRITICAL:  Enable IP forwarding since it is disabled by default since
> echo "   Enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> #Clearing any previous configuration
> echo "   Clearing any existing rules and setting default policy.."
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> #$IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
> 
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 22 -j ACCEPT
> $IPTABLES -A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> 
> 
> ###############################################################################
> # PUT FORWARDING RULES BELOW.  YOU NEED A FORWARD AND PREROUTING FOR EACH ONE #
> ###############################################################################
> 
> echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> 
> echo "   FWD: Allow all connections OUT and only existing and related ones IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
> 
> echo "   Enabling SNAT (MASQUERADE) functionality on $INTIF"
> $IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
> 
> ########################
> # END FORWARDING RULES #
> ########################
> 
> $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> $IPTABLES -A INPUT -j REJECT --reject-with icmp-host-prohibited
> 
> $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>   
> echo -e "\ndone.\n"
>   
>   
> 