IPtables router / gateway

Steven Buehler steve at ibushost.com
Fri Jul 8 19:12:35 UTC 2011


Makes perfect sense.  Thank you SOOOOOOOO much.  I am headed to the data
center now to put this into place.

> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Harry Hoffman
> Sent: Friday, July 08, 2011 1:53 PM
> To: General Red Hat Linux discussion list
> Subject: Re: IPtables router / gateway
> 
> Hi Steve,
> 
> I think you are over-thinking this problem...
> 
> If I understand you correctly (and please correct me if I'm wrong), you want
> to act purely as a router. That is to pass traffic from one IP Address to the
> next without any manipulation of the addresses (SNAT/DNAT).
> 
> You have a setup that looks something like:
> 
> ISP_GW<--eth0>UR_LINUX_BOX<eth1-->YOUR_SERVERS
> 
> Where all are public ip addresses.
> 
> In order to accomplish this all that you need to do is setup ip forwarding on
> your linux gateway and then pass all forwarded packets.
> You don't want to do any SNAT/DNAT at all.
> 
> Ensure that you have the following line in /etc/sysctl.conf:
> net.ipv4.ip_forward = 1
> 
> Then ensure that /etc/sysconfig/iptables allows forwarding:
> *filter
> ...
> :FORWARD ACCEPT [0:0]
> ...
> 
> 
> eth0 should be a different subnet than eth1. And since you already have
> your clients setup to use eth1 as the default gateway then eth0 just needs to
> know where to send things that aren't on its own network.
> 
> Does this make sense?
> 
> Cheers,
> Harry
> 
> 
> On 07/08/2011 01:24 PM, Steven Buehler wrote:
> >
> >> -----Original Message-----
> >> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> >> bounces at redhat.com] On Behalf Of Harry Hoffman
> >> Sent: Friday, July 08, 2011 8:24 AM
> >> To: General Red Hat Linux discussion list
> >> Subject: Re: IPtables router / gateway
> >>
> >> You need to change the default gateway on your servers to be the new
> >> Linux box and then use an interior routing protocol on that box to
> >> talk to its next hop router or setup static routes.
> >> Cheers,
> >> Harry
> >>
> >> Steven Buehler <steve at ibushost.com> wrote:
> >>
> >>> I am running some servers in a data center and I have now been
> >>> informed that since I have a Class C of IP's, that I have to be my
> >>> own gateway as they are making some changes because of a buyout.  I
> >>> have an extra server with 2 nics to do this with, but everything I
> >>> can find on the internet for iptables is for NATing public IP's on
> >>> eth0 to local IP's through eth1.  I can do that as I have for
> >>> another company forwarding remote IP's to the LAN IP address of a
> >>> server.   I need this server to be setup with the 22.22.22.1 IP as the
> >>> gateway and forward all other IP's in that netblock to the internal
> >>> interface and allow all of those machines total access to the
> >>> internet through this server as the gateway and don't want to use
> >>> NAT as some of the software I am running would have MAJOR problems
> >>> with that.  Plus, I don't want to have to change all of the IP's
> >>> that are already on the other servers using the provider as the
> >>> gateway.
> >>>
> >
> > Ok, so if my linux box is the gateway of 22.22.22.1.  My other servers
> > are already setup to use 22.22.22.1 as the default gateway, but at the
> > moment I am NOT my own default gateway.  I have to get my script
> > correct first so that the server is ready when the upstream provider
> > switches me.  Here is my script to set it up.  Can you see anything
> > that is missing?  I am sure that I have the forwarding rules wrong as
> > I want anything coming from one of my servers to look like it is
> > coming from its IP (Example 22.22.22.28) and not from the gateway IP.
> > If I read correctly, the MASQUERADE would make all of the IP's look
> > like the gateway IP, correct?  Anyway, here is my script for the linux
> > box to use as  gateway router.  My internal LAN address for eth1 is
> > 192.168.3.12 but all of my internal servers need to use the public IP
> > that I have assigned to them.  Some of my internal servers only have one
> > NIC on them (old).
> >
> > #!/bin/sh
> > #
> > # To make sure that forwarding stays on, edit /etc/sysctl.conf and
> > # change 0 to 1 for
> > # net.ipv4.ip_forward = 1
> > # The location of the iptables and kernel module programs
> > IPTABLES=/sbin/iptables
> > DEPMOD=/sbin/depmod
> > MODPROBE=/sbin/modprobe
> > IFCONFIG=/sbin/ifconfig
> > GREP=/bin/grep
> > AWK=/bin/awk
> > SED=/bin/sed
> >
> > #Setting the EXTERNAL and INTERNAL interfaces for the network
> > EXTIF="eth0"
> > INTIF="eth1"
> > EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
> > INTIP="`$IFCONFIG $INTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
> > echo "   External Interface:  $EXTIF $EXTIP"
> > echo "   Internal Interface:  $INTIF $INTIP"
> >
> >
> > echo -en "   loading modules: "
> >
> > # Need to verify that all modules have all required dependencies
> > #
> > echo "  - Verifying that all kernel modules are ok"
> > $DEPMOD -a
> >
> > echo "----------------------------------------------------------------------"
> >
> > #Load the main body of the IPTABLES module - "iptable"
> > echo -en "ip_tables, "
> > $MODPROBE ip_tables
> >
> > #Load the stateful connection tracking framework - "ip_conntrack"
> > echo -en "ip_conntrack, "
> > $MODPROBE ip_conntrack
> >
> > #Load the FTP tracking mechanism for full FTP tracking
> > echo -en "ip_conntrack_ftp, "
> > $MODPROBE ip_conntrack_ftp
> >
> > #Load the IRC tracking mechanism for full IRC tracking
> > echo -en "ip_conntrack_irc, "
> > $MODPROBE ip_conntrack_irc
> >
> > #Load the general IPTABLES NAT code - "iptable_nat"
> > echo -en "iptable_nat, "
> > $MODPROBE iptable_nat
> >
> > #Loads the FTP NAT functionality into the core IPTABLES code
> > echo -en "ip_nat_ftp, "
> > $MODPROBE ip_nat_ftp
> >
> > echo -en "ipt_masquerade, "
> > $MODPROBE ipt_MASQUERADE
> >
> > #Loads the IRC NAT functionality into the core IPTABLES code
> > # Required to support NAT of IRC DCC requests
> > #
> > # Disabled by default -- remove the "#" on the next line to activate
> > # echo -e "ip_nat_irc"
> > $MODPROBE ip_nat_irc
> >
> > echo "----------------------------------------------------------------------"
> >
> > echo -e "   Done loading modules.\n"
> >
> > #CRITICAL:  Enable IP forwarding since it is disabled by default since
> > echo "   Enabling forwarding.."
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> >
> > #Clearing any previous configuration
> > echo "   Clearing any existing rules and setting default policy.."
> > $IPTABLES -P INPUT ACCEPT
> > $IPTABLES -F INPUT
> > $IPTABLES -P OUTPUT ACCEPT
> > $IPTABLES -F OUTPUT
> > #$IPTABLES -P FORWARD DROP
> > $IPTABLES -F FORWARD
> > $IPTABLES -t nat -F
> >
> > $IPTABLES -A INPUT -i lo -j ACCEPT
> > $IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 22 -j ACCEPT
> > $IPTABLES -A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> >
> >
> > ##############################################################################
> > # PUT FORWARDING RULES BELOW.  YOU NEED A FORWARD AND PREROUTING FOR EACH ONE #
> > ##############################################################################
> >
> > echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> >
> > echo "   FWD: Allow all connections OUT and only existing and related ones IN"
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> > $IPTABLES -A FORWARD -j LOG
> >
> > echo "   Enabling SNAT (MASQUERADE) functionality on $INTIF"
> > $IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
> >
> > ########################
> > # END FORWARDING RULES #
> > ########################
> >
> > $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > $IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> > $IPTABLES -A INPUT -j REJECT --reject-with icmp-host-prohibited
> >
> > $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > echo -e "\ndone.\n"
> >
> >
> >
> 
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
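Harry's advice (forwarding on, packets passed through with no SNAT/DNAT) written out as an /etc/sysconfig/iptables ruleset, plus two checks for the mistakes in Steve's script: this is an added example, not code from the thread. Interface names and the 22.22.22.0/24 block are taken from the thread; the function names, the FORWARD policy of DROP with explicit rules for the netblock (Harry used ACCEPT), and the anti-spoofing source match are my assumptions.

```shell
#!/bin/sh
# Added example, not a script from the thread. Emits a no-NAT router ruleset
# in iptables-restore format and lints rulesets / sysctl.conf for the two
# things the thread turned on: MASQUERADE (rewrites source addresses) and
# persistent ip_forward. Function names are assumptions.

EXTIF="eth0"
INTIF="eth1"
PUBLIC_NET="22.22.22.0/24"   # the Class C from the thread

# Ruleset for /etc/sysconfig/iptables. Only the filter table is touched:
# no POSTROUTING/MASQUERADE, so 22.22.22.28 leaves the box as 22.22.22.28.
router_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Outbound: only our own netblock may source packets through the router.
-A FORWARD -i $INTIF -o $EXTIF -s $PUBLIC_NET -j ACCEPT
# Inbound: anything addressed to the netblock is passed through unchanged.
-A FORWARD -i $EXTIF -o $INTIF -d $PUBLIC_NET -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Exit 0 if the ruleset on stdin contains no address-rewriting targets
# (the MASQUERADE lines in Steve's script would make this fail).
ruleset_has_no_nat() {
    ! grep -Eq -- '-j (MASQUERADE|SNAT|DNAT)'
}

# Exit 0 if the given sysctl.conf keeps forwarding on across reboots.
sysctl_forwarding_on() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1' "$1"
}
```

Load the emitted ruleset with `iptables-restore`, or write it to /etc/sysconfig/iptables and run `service iptables restart`.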