Configuring iptables on a couple "routing" machines.
Hi folks,
I was hoping someone could help me out with IPTables and some issues I've been running into. I have a somewhat confusing setup that I'm working on, and I'm getting confused with it at the same time.
I have two subnets of machines, 10.1.0.0/24 and 10.3.0.0/24 at two different locations.
I recently installed long-range wireless antennas to bridge the two sites together.
There is a server at either side that I would like to handle the routing of traffic between these two subnets.
Server #1 (10.1.0.0/24 subnet) IP address (eth0) of 10.1.0.1 and an IP address of (eth1)192.168.1.1 for the wireless bridge.
Server #2 (10.3.0.0/24 subnet) IP address of (eth0) 10.3.0.2 and an IP address of (eth1) 192.168.1.2 for the wireless bridge.
I'm trying to route all subnet traffic over these machines, and I'd also like to send all outgoing (internet-bound) traffic from the 10.3.0.0/24 subnet out through the outbound interface of the 10.1.0.0/24 subnet.
I have all the routes taken care of, and set up properly, now I just have to configure iptables properly.
I thought the following lines would work to configure NAT on the machines, but they don't seem to be working properly. Does anyone have any ideas on how to set up iptables properly?
Server #1 iptables:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT -s 192.168.1.1/32 --to-source 10.1.0.1
Server #2 iptables:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT -s 192.168.1.1/32 --to-source 10.3.0.2
I thought these rules should work, but they don't seem to be working properly.
why do you want to nat these networks?? within a LAN you appear to have full control over, you'd want to properly route these bad boys, not nat them at all. you just need a return route back to the router they came from, which you would clearly have the ability to implement from what you've said.
Well, I'm just trying to figure out what is going on, why I can't properly talk to the 10.1.0.0/24 machines when I'm on the 10.3.0.0/24 subnet.
For instance, I'm at 10.3.0.26, and I have 10.3.0.2 as my default route and as the route for 10.1.0.0/24. I get reported pings when I try to ping a machine on the 10.1 network, for instance 10.1.0.11; however, when I try to connect to the machine over ssh or telnet, it won't allow me. If I change my route back to the previous route and don't go through that bridge, then I am able to connect via ssh and all the other protocols.
From the tcpdumps I've been reading, it definitely appears that my packets are reaching the machines; however, they don't know how to send them back.
There just seems to be some problem with my iptables line, that I can't quite figure out.
The routes are correct, I think the confusion I'm having is about how to work with the 192 vs. 10 networks.
well the lines look OK, but to get the same result you should actually use the masquerade target, not a normal snat. but i still really don't think you should be wanting or attempting to snat a single thing, but just using standard routing instead.
Thanks Acid, I thought I would need to use iptables and SNAT in order to translate the route, but you were right, that wasn't necessary. Thanks for your help!
Ok, I just have one more question related to this task. Everything seems to be up and going, and finishing things off, I have one more problem.
On the two servers that are doing the routing, that is 10.1.0.1 and 10.3.0.2, I'm unable to get to the opposite subnet.
For instance, on 10.1.0.1, I'm unable to get to any of the machines on the 10.3.0.0/24 subnet, and on 10.3.0.2 I'm unable to get to the 10.1.0.0/24 subnet.
I finally figured out how to ping the other subnet, using: ping -I eth0 10.1.0.20, and conversely for the server at 10.3.0.2.
How do I configure these servers to use a particular interface for their own communication?
You have to add this to the route table of 10.1.0.1
route add -net 10.3.0.0/24 gw 192.168.1.2
and this to 10.3.0.2:
route add -net 10.1.0.0/24 gw 192.168.1.1
You don't need to specify on which interface packets go out. The IP routing sorts that out itself. It is essential that on each router you specify the wireless IF at the OTHER end. On each client you have to put as default gw the router on their OWN site.
Usually some forwarding rule in iptables is being forgotten. Check /var/log/messages to see if that is the case if it doesn't work.
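As an added example (not posted by anyone in this thread), the following script emits the complete minimal configuration for one of the two site routers described above: IP forwarding enabled, the route to the far subnet via the far end's bridge address, and the FORWARD rules that the reply says are usually forgotten, with no SNAT at all. The function name, argument order and the conntrack-based FORWARD policy are my own choices; by default it only prints the commands (dry run) and applies them only when a sixth argument `apply` is given.

```shell
#!/bin/sh
# Emit (dry run, default) or apply the routing + firewall config for one site router.
# Usage: router_config LAN_IF LOCAL_NET BRIDGE_IF REMOTE_NET REMOTE_BRIDGE_IP [apply]
# Server #1 in the thread: router_config eth0 10.1.0.0/24 eth1 10.3.0.0/24 192.168.1.2
# Server #2 in the thread: router_config eth0 10.3.0.0/24 eth1 10.1.0.0/24 192.168.1.1
router_config() {
    lan_if=$1; local_net=$2; bridge_if=$3; remote_net=$4; remote_gw=$5; mode=${6:-dry-run}

    # Helper: print the command in dry-run mode, execute it in apply mode.
    run() { if [ "$mode" = apply ]; then "$@"; else echo "$*"; fi; }

    # 1. The kernel must be allowed to forward between interfaces at all.
    run sysctl -w net.ipv4.ip_forward=1

    # 2. Route to the far subnet via the wireless address of the OTHER end,
    #    which is the point made in the reply above (no SNAT/MASQUERADE needed).
    run ip route replace "$remote_net" via "$remote_gw" dev "$bridge_if"

    # 3. FORWARD rules: replies to already-seen connections first, then the two
    #    directions between the LANs; everything else forwarded is dropped.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$lan_if" -o "$bridge_if" -s "$local_net" -d "$remote_net" -j ACCEPT
    run iptables -A FORWARD -i "$bridge_if" -o "$lan_if" -s "$remote_net" -d "$local_net" -j ACCEPT
    run iptables -P FORWARD DROP
}
```

Running it in dry-run mode for both servers first lets you diff the two outputs and confirm each router points at the far end's bridge IP before touching the live boxes.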