IPtables router / gateway

Harry Hoffman hhoffman at ip-solutions.net
Fri Jul 8 19:49:59 UTC 2011


Steve,

One other thing is that for new incoming traffic your upstream ISP
will need to know to forward all of your /24 traffic to your linux box,
otherwise things won't work.

Cheers,
Harry

On 07/08/2011 03:12 PM, Steven Buehler wrote:
> Makes perfect sense.  Thank you SOOOOOOOO much.  I am headed to the data
> center now to put this into place.
> 
>> -----Original Message-----
>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
>> bounces at redhat.com] On Behalf Of Harry Hoffman
>> Sent: Friday, July 08, 2011 1:53 PM
>> To: General Red Hat Linux discussion list
>> Subject: Re: IPtables router / gateway
>>
>> Hi Steve,
>>
>> I think you are over-thinking this problem...
>>
>> If I understand you correctly (and please correct me if I'm wrong), you
>> want to act purely as a router. That is to pass traffic from one IP
>> Address to the next without any manipulation of the addresses (SNAT/DNAT).
>>
>> You have a setup that looks something like:
>>
>> ISP_GW<--eth0>UR_LINUX_BOX<eth1-->YOUR_SERVERS
>>
>> Where all are public ip addresses.
>>
>> In order to accomplish this all that you need to do is setup ip forwarding
>> on your linux gateway and then pass all forwarded packets.
>> You don't want to do any SNAT/DNAT at all.
>>
>> Ensure that you have the following line in /etc/sysctl.conf:
>> net.ipv4.ip_forward = 1
>>
>> Then ensure that /etc/sysconfig/iptables allows forwarding:
>> *filter
>> ...
>> :FORWARD ACCEPT [0:0]
>> ...
>>
>>
>> eth0 should be a different subnet than eth1. And since you already have
>> your clients setup to use eth1 as the default gateway then eth0 just needs
>> to know where to send things that aren't on its own network.
>>
>> Does this make sense?
>>
>> Cheers,
>> Harry
>>
>>
>> On 07/08/2011 01:24 PM, Steven Buehler wrote:
>>>
>>>> -----Original Message-----
>>>> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
>>>> bounces at redhat.com] On Behalf Of Harry Hoffman
>>>> Sent: Friday, July 08, 2011 8:24 AM
>>>> To: General Red Hat Linux discussion list
>>>> Subject: Re: IPtables router / gateway
>>>>
>>>> You need to change the default gateway on your servers to be the new
>>>> Linux box and then use an interior routing protocol on that box to
>>>> talk to its next hop router or setup static routes.
>>>> Cheers,
>>>> Harry
>>>>
>>>> Steven Buehler <steve at ibushost.com> wrote:
>>>>
>>>>> I am running some servers in a data center and I have now been
>>>>> informed that since I have a Class C of IP's, that I have to be my
>>>>> own gateway as they are making some changes because of a buyout.  I
>>>>> have an extra server with 2 nics to do this with, but everything I
>>>>> can find on the internet for iptables is for NATing public IP's on
>>>>> eth0 to local IP's through eth1.  I can do that as I have for
>>>>> another company forwarding remote IP's to the LAN IP address of a
>>>>> server.   I need this server to be setup with the 22.22.22.1 IP as the
>>>>> gateway and forward all other IP's in that netblock to the internal
>>>>> interface and allow all of those machines total access to the
>>>>> internet through this server as the gateway and don't want to use
>>>>> NAT as some of the software I am running would have MAJOR problems
>>>>> with that.  Plus, I don't want to have to change all of the IP's
>>>>> that are already on the other servers using the provider as the
>>>>> gateway.
>>>>>
>>>
>>> Ok, so if my linux box is the gateway of 22.22.22.1.  My other servers
>>> are already setup to use 22.22.22.1 as the default gateway, but at the
>>> moment I am NOT my own default gateway.  I have to get my script
>>> correct first so that the server is ready when the upstream provider
>>> switches me.  Here is my script to set it up.  Can you see anything
>>> that is missing?  I am sure that I have the forwarding rules wrong as
>>> I want anything coming from one of my servers to look like it is
>>> coming from its IP (Example 22.22.22.28) and not from the gateway IP.
>>> If I read correctly, the MASQUERADE would make all of the IP's look
>>> like the gateway IP, correct?  Anyway, here is my script for the linux
>>> box to use as a gateway router.  My internal LAN address for eth1 is
>>> 192.168.3.12 but all of my internal servers need to use the public IP
>>> that I have assigned to them.  Some of my internal servers only have one
>>> NIC on them (old).
>>>
>>> #!/bin/sh
>>> #
>>> # To make sure that forwarding stays on, edit /etc/sysctl.conf and
>>> # change 0 to 1 for
>>> # net.ipv4.ip_forward = 1
>>> # The location of the iptables and kernel module programs
>>> IPTABLES=/sbin/iptables
>>> DEPMOD=/sbin/depmod
>>> MODPROBE=/sbin/modprobe
>>> IFCONFIG=/sbin/ifconfig
>>> GREP=/bin/grep
>>> AWK=/bin/awk
>>> SED=/bin/sed
>>>
>>> #Setting the EXTERNAL and INTERNAL interfaces for the network
>>> EXTIF="eth0"
>>> INTIF="eth1"
>>> EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
>>> INTIP="`$IFCONFIG $INTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
>>> echo "   External Interface:  $EXTIF $EXTIP"
>>> echo "   Internal Interface:  $INTIF $INTIP"
>>>
>>>
>>> echo -en "   loading modules: "
>>>
>>> # Need to verify that all modules have all required dependencies
>>> #
>>> echo "  - Verifying that all kernel modules are ok"
>>> $DEPMOD -a
>>>
>>> echo "----------------------------------------------------------------------"
>>>
>>> #Load the main body of the IPTABLES module - "iptable"
>>> echo -en "ip_tables, "
>>> $MODPROBE ip_tables
>>>
>>> #Load the stateful connection tracking framework - "ip_conntrack"
>>> echo -en "ip_conntrack, "
>>> $MODPROBE ip_conntrack
>>>
>>> #Load the FTP tracking mechanism for full FTP tracking
>>> echo -en "ip_conntrack_ftp, "
>>> $MODPROBE ip_conntrack_ftp
>>>
>>> #Load the IRC tracking mechanism for full IRC tracking
>>> echo -en "ip_conntrack_irc, "
>>> $MODPROBE ip_conntrack_irc
>>>
>>> #Load the general IPTABLES NAT code - "iptable_nat"
>>> echo -en "iptable_nat, "
>>> $MODPROBE iptable_nat
>>>
>>> #Loads the FTP NAT functionality into the core IPTABLES code
>>> echo -en "ip_nat_ftp, "
>>> $MODPROBE ip_nat_ftp
>>>
>>> echo -en "ipt_masquerade, "
>>> $MODPROBE ipt_MASQUERADE
>>>
>>> #Loads the IRC NAT functionality into the core IPTABLES code
>>> # Required to support NAT of IRC DCC requests
>>> #
>>> # Disabled by default -- remove the "#" on the next line to activate
>>> # echo -e "ip_nat_irc"
>>> $MODPROBE ip_nat_irc
>>>
>>> echo "----------------------------------------------------------------------"
>>>
>>> echo -e "   Done loading modules.\n"
>>>
>>> #CRITICAL:  Enable IP forwarding since it is disabled by default since
>>> echo "   Enabling forwarding.."
>>> echo "1" > /proc/sys/net/ipv4/ip_forward
>>>
>>> #Clearing any previous configuration
>>> echo "   Clearing any existing rules and setting default policy.."
>>> $IPTABLES -P INPUT ACCEPT
>>> $IPTABLES -F INPUT
>>> $IPTABLES -P OUTPUT ACCEPT
>>> $IPTABLES -F OUTPUT
>>> #$IPTABLES -P FORWARD DROP
>>> $IPTABLES -F FORWARD
>>> $IPTABLES -t nat -F
>>>
>>> $IPTABLES -A INPUT -i lo -j ACCEPT
>>> $IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 22 -j ACCEPT
>>> $IPTABLES -A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
>>>
>>>
>>>
>>> ##########################################################################
>>> # PUT FORWARDING RULES BELOW.  YOU NEED A FORWARD AND PREROUTING FOR EACH ONE #
>>> ##########################################################################
>>>
>>> echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
>>> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>>>
>>> echo "   FWD: Allow all connections OUT and only existing and related ones IN"
>>> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
>>> $IPTABLES -A FORWARD -j LOG
>>>
>>> echo "   Enabling SNAT (MASQUERADE) functionality on $INTIF"
>>> $IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
>>>
>>> ########################
>>> # END FORWARDING RULES #
>>> ########################
>>>
>>> $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> $IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>>> $IPTABLES -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>>
>>> $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>
>>> echo -e "\ndone.\n"
>>>
>>>
>>>
>>
>> --
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list
> 
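The thread's answer boils down to three things: net.ipv4.ip_forward = 1, a FORWARD chain that passes the /24 in both directions, and no nat table entries at all (the MASQUERADE lines in the posted script are exactly what would rewrite every server's source address to the gateway's). The script below is an added example, not code from Harry, Steve or the redhat-list, that generates such a rule set in the iptables-restore format Harry refers to (/etc/sysconfig/iptables), plus the matching sysctl lines, and includes a check that flags any SNAT/DNAT/MASQUERADE rule left over from an old NAT script. It goes one step further than the plain `:FORWARD ACCEPT` in the reply: the FORWARD policy is DROP with explicit accepts and anti-spoofing matches in both directions, and strict reverse-path filtering is enabled. The interface names, the 22.22.22.0/24 placeholder prefix (Steve's example block), the optional management CIDR for SSH, and the function names are assumptions of this example, not something from the original mails.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore rule set for a
# Linux box that routes a public /24 between two interfaces without SNAT/DNAT.
# Assumptions: EXTIF faces the ISP, INTIF carries the /24, the 22.22.22.0/24
# prefix is the thread's placeholder, MGMT_CIDR (optional) is where SSH to the
# gateway itself is allowed from. Output is meant for /etc/sysconfig/iptables.

# gen_router_rules EXTIF INTIF PREFIX [MGMT_CIDR]
# Prints the rule file on stdout; returns 1 if PREFIX is not a /24.
gen_router_rules() {
    extif=$1; intif=$2; prefix=$3; mgmt=${4:-$3}
    case "$prefix" in
        */24) ;;
        *) echo "prefix must be a /24, got: $prefix" >&2; return 1 ;;
    esac
    cat <<EOF
# No nat table section at all: this box routes, it does not rewrite addresses.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic to the gateway itself: loopback, replies, ICMP, SSH from MGMT_CIDR only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -s $mgmt --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forwarded traffic: replies first, then anti-spoofing, then the two directions.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $intif ! -s $prefix -j DROP
-A FORWARD -i $extif -s $prefix -j DROP
-A FORWARD -i $intif -o $extif -s $prefix -j ACCEPT
-A FORWARD -i $extif -o $intif -d $prefix -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Sysctl lines that keep forwarding on across reboots and enable strict
# reverse-path filtering, so a packet arriving on the wrong side is dropped.
gen_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
}

# count_nat_rules FILE: number of rules in FILE that would rewrite addresses.
# For a pure router this must print 0; Steve's script would report 2.
count_nat_rules() {
    grep -cE -- '-j (SNAT|DNAT|MASQUERADE)' "$1" || true
}

# Usage: gen_router_rules eth0 eth1 22.22.22.0/24 22.22.22.0/24 > /etc/sysconfig/iptables
#        gen_sysctl >> /etc/sysctl.conf && sysctl -p
#        count_nat_rules /etc/sysconfig/iptables   # expect 0
```

Load the generated file with `iptables-restore < /etc/sysconfig/iptables` (or `service iptables restart` on a Red Hat system) and confirm with `iptables -t nat -L -n` that the nat table stays empty; a server behind the box should then appear on the internet with its own address, e.g. 22.22.22.28, not the gateway's. The anti-spoofing DROP rules sit before the ACCEPTs on purpose: a host on the inside cannot emit traffic with a source outside the /24, and nothing arriving from the ISP side can claim to be from inside it.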