Configuring iptables on a couple "routing" machines.

MikeDawg · 07-30-2007, 04:13 PM

Hi folks,

I was hoping someone could help me out with IPTables and some issues I've been running into. I have a somewhat confusing setup that I'm working on, and I'm getting confused with it at the same time.

I have two subnets of machines, 10.1.0.0/24 and 10.3.0.0/24 at two different locations.

I recently installed a long-range wireless antennas to bridge the two sites together.

There is a server at either side that I would like to handle the routing of traffic between these two subnets.

Server #1 (10.1.0.0/24 subnet) IP address (eth0) of 10.1.0.1 and an IP address of (eth1)192.168.1.1 for the wireless bridge.

Server #2 (10.3.0.0/24 subnet) IP address of (eth0) 10.3.0.2 and an IP address of (eth1) 192.168.1.2 for the wireless bridge.

I'm trying to route all subnet traffic over these machines, as well, as I'd like to send all outgoing (internet-bound) traffic from the 10.3.0.0/24 subnet over to the outbound interface of the 10.1.0.0/24 subnet.

I have all the routes taken care of, and set up properly, now I just have to configure iptables properly.

I thought the following lines would work to configure NAT on the machines, but it doesn't seem to be working properly, anyone have any ideas on how to setup iptables properly?

Server #1 iptables:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT -s 192.168.1.1/32 --to-source 10.1.0.1

Server #2 iptables:
iptables -t nat -A POSTROUTING -o eth1 -j SNAT -s 192.168.1.1/32 --to-source 10.3.0.2

I thought these rules should work, but they don't seem to be working properly.

Thanks for the help

acid_kewpie · 07-30-2007, 04:36 PM

why do you want to nat these networks?? within a LAN you appear to have full control over, you'd want to properly route these bad boys, not nat them at all. you just need a return route back to the router they came from, which you would clearly have the ability to implement from what you've said.

MikeDawg · 07-30-2007, 04:40 PM

Quote:

Originally Posted by acid_kewpie

why do you want to nat these networks?? within a LAN you appear to have full control over, you'd want to properly route these bad boys, not nat them at all. you just need a return route back to the router they came from, which you would clearly have the ability to implement from what you've said.

Well, I'm just trying to figure out what is going on, why I can't properly talk to the 10.1.0.0/24 machines when I'm on the 10.3.0.0/24 subnet.

For instance, I'm at 10.3.0.26, and I have 10.3.0.2 as my default route, and the route for 10.1.0.0/24. I get reported pings when I try and ping a machine on the 10.1 network, for instance 10.1.0.11, however, when I try and connect to the machine over ssh or telnet, it won't allow me, then if I change my route to the previous route, and don't go through that bridge, then I am able to connect via ssh and all the other protocols.

From the tcpdumps I've been reading, it definetely appears that my packets are reaching the machines, however they don't know how to send them back.

There just seems to be some problem with my iptables line, that I can't quite figure out.

The routes are correct, I think the confusion I'm having is about how to work with the 192 vs. 10 networks.

Do my iptable lines look correct?

acid_kewpie · 07-31-2007, 12:59 AM

well the lines look OK, but to get the same result you should actually use the masquerade target, not a normal snat. but i still really don't think you should be wanting or attempting to snat a single thing, but just using standard routing instead.

dangquocthinh2004 · 07-31-2007, 03:52 AM

Please help I, How do config networking of linux red hat 6

acid_kewpie · 07-31-2007, 07:06 AM

please don't hijack other threads. and how do you configure redhat 6? you don't. get something less that 6 years obsolete.

MikeDawg · 07-31-2007, 11:12 AM

Quote:

Originally Posted by acid_kewpie

well the lines look OK, but to get the same result you should actually use the masquerade target, not a normal snat. but i still really don't think you should be wanting or attempting to snat a single thing, but just using standard routing instead.

Thanks Acid, I thought I would need to use iptables and SNAT in order to translate the route, but you were right, that wasn't necessary. Thanks for your help!

Mike

MikeDawg · 08-02-2007, 04:37 PM

Ok, I just have one more question related to this task. Everything seems to be up and going, and finishing things off, I have one more problem.

On the two servers that are doing the routing, that is 10.1.0.1 and 10.3.0.2, I'm unable to get to the opposite subnet.

For instance, on 10.1.0.1, I'm unable to get to any of the machines on the 10.3.0.0/24 subnet, and on 10.3.0.2 I'm unable to get to the 10.1.0.0/24 subnet.

I finally figured out how to ping to the other subnet, using: ping -I eth0 10.1.0.20 and conversely for the server at 10.3.0.2

How do I configure these servers to use a particular interface for their own communication?

Thanks

Mike

jlinkels · 08-02-2007, 06:50 PM

You have to add this to the route table of 10.1.0.1

route add -net 10.3.0.0/24 gw 192.168.1.2

and this to 10.3.0.2:

route add -net 10.1.0.0/24 gw 192.168.1.1

You don't need to specify on which interface packets go out. The IP routing sorts that out itself. It is essential that on each router you specify the wireless IF at the OTHER and. On each client you have to put as default gw the router on their OWN site.

Usually some forwarding rule in iptables is being forgotten. Check /var/log/messages to see it that is the case if it doesn't work.

jlinkels