LinuxQuestions.org
Old 12-01-2011, 05:35 PM   #1
roof-us
LQ Newbie
 
Registered: Dec 2011
Posts: 3

Rep: Reputation: Disabled
iptables redirect local ip traffic


My client's LAN includes two SOHO routers, one of which is a Cisco RV042 and the other of which just died. Each of those routers was connected to an ISP-provided router (Cisco IAD series) which presents to the company's T1.

Most of the workstations use the RV042 for a gateway. A few machines point to the now-failed SOHO router.

I don't really want to replace the old SOHO router and would prefer that all of the machines use the same SOHO router for a gateway to the Internet.

The problem is that machines that point to the broken SOHO router are all part of a busted Windows Server domain that now has no server to handle authentication. It is impossible to get admin privileges on these machines. Technician toolkit programs that whack the SAM or whatever to handle lost administrative passwords only work on non-domain machines.

I have several Linux boxes on this LAN and it seems like it shouldn't be too difficult to configure one of those boxes to use iptables to masquerade as the broken gateway device and forward the packets to the single remaining gateway. This would be a temporary measure until I could get rid of those Windows workstations for good.

This is a legacy network that I am converting over to pure linux servers and workstations.

Can anyone out there shed some light on how this might be done?

Public Network:
xxx.xxx.xxx.37.16/255.255.255.248

Private lan:
192.168.0.0/255.255.255.0

SOHO ROUTER - NOT BROKEN
wan: xxx.xxx.37.17
lan: 192.168.0.1

SOHO Router - BROKEN
wan: xxx.xxx.37.18
lan: 192.1.0.2

Thanks!
 
Old 12-02-2011, 12:22 AM   #2
ndarkduck
LQ Newbie
 
Registered: Nov 2008
Location: Mex,Mex
Distribution: Fedora || Red Hat Linux
Posts: 28

Rep: Reputation: 7
Hi! I'll assume you have only one Ethernet address
Code:
# Take over the dead gateway's LAN address (fill in the mask for your LAN)
ifconfig eth0 192.1.0.2 netmask 255.255.<subnet_mask> up
# Enable IPv4 forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

# Default route through the surviving gateway ("via" is required by ip route)
ip route add default via 192.1.0.1

iptables -t filter -I FORWARD -d 192.168.0.0/<prefix> -j ACCEPT
iptables -t filter -I FORWARD -s 192.168.0.0/<prefix> -j ACCEPT

# MASQUERADE is only valid in the nat POSTROUTING chain, not PREROUTING
iptables -t nat -I POSTROUTING -j MASQUERADE

Last edited by ndarkduck; 12-02-2011 at 12:24 AM.
 
Old 12-02-2011, 04:51 AM   #3
roof-us
LQ Newbie
 
Registered: Dec 2011
Posts: 3

Original Poster
Rep: Reputation: Disabled
Just to be clear - the idea is to get one of the Linux workstations on the network to "stand in" on 192.168.0.1 so that the Windows boxes can use it as a gateway. The default gw of this Linux workstation is 192.168.0.2 and its IP is, say, 192.168.0.100.

The network is not subnetted. Is the following correct?

ifconfig eth0 192.1.0.2 netmask 255.255.255.0 up <<This is the ip of the working soho router. I'm a bit confused>>
echo 1 > /proc/sys/net/ipv4/ip_forward

ip route add default via 192.1.0.1 <<CAN YOU PLEASE EXPLAIN THIS A BIT?>>

iptables -t filter -I FORWARD -d 192.168.0.0/24 -j ACCEPT
iptables -t filter -I FORWARD -s 192.168.0.0/24 -j ACCEPT

iptables -t nat -I POSTROUTING -j MASQUERADE

==
The above code would be run on a Linux workstation whose gw=192.168.0.2 and these changes would alias 192.168.0.1 on that same adapter (eth0) - does the "default" in "ip route add default 192.1.0.1" change that?

How can I make the above persistent across reboots?

Finally, what are the commands to "undo" the above when this redirection is no longer needed?

Thanks!

Last edited by roof-us; 12-02-2011 at 05:10 AM.
 
Old 12-07-2011, 10:56 AM   #4
ndarkduck
LQ Newbie
 
Registered: Nov 2008
Location: Mex,Mex
Distribution: Fedora || Red Hat Linux
Posts: 28

Rep: Reputation: 7
Quote:
Originally Posted by roof-us View Post
Just to be clear - the idea is to get one of the Linux workstations on the network to "stand in" on 192.168.0.1 so that the Windows boxes can use it as a gateway. The default gw of this Linux workstation is 192.168.0.2 and its IP is, say, 192.168.0.100.
Let me see if I understand you... You want to make this Linux box act as your router, right? So... you start using its IP address: 192.168.0.2 so it responds for it
Quote:
The network is not subnetted. Is the following correct?

ifconfig eth0 192.1.0.2 netmask 255.255.255.0 up <<This is the ip of the working soho router. I'm a bit confused>>
The subnet mask is correct
Quote:
echo 1 > /proc/sys/net/ipv4/ip_forward
This is straightforward
Quote:
ip route add default via 192.1.0.1 <<CAN YOU PLEASE EXPLAIN THIS A BIT?>>
You are configuring the default gw, I'm sorry I missed 192.168.0.1

Quote:
iptables -t filter -I FORWARD -d 192.168.0.0/24 -j ACCEPT
iptables -t filter -I FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -j MASQUERADE
The NATing rules
Quote:
==
The above code would be run on a linux workstation whose gw=192.168.0.2 and these changes would alias 192.168.0.1 on that same adapter (eth0) - does the "default" in "ip route add default 192.1.0.1" change that?

How can I make the above persistent across reboots?
I'm assuming a Red Hat-like distro (CentOS/Fedora)
Code:
iptables-save > /etc/sysconfig/iptables
system-config-network -> Device configuration -> eth0 -> <<Input IP_Data>> -> OK -> Save -> Save&Quit
sysctl -w net.ipv4.ip_forward=1
# sysctl -w alone does not survive a reboot; also add this line to /etc/sysctl.conf:
# net.ipv4.ip_forward = 1
Quote:
Finally, what are the commands to "undo" the above when this redirection is no longer needed?

Thanks!
Code:
iptables -t filter -D FORWARD -d 192.168.0.0/24 -j ACCEPT
iptables -t filter -D FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -t nat -D POSTROUTING -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
sysctl -w net.ipv4.ip_forward=0
echo 0 > /proc/sys/net/ipv4/ip_forward
Sorry for the delay
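As an added example (not code from the thread), the takeover and its undo in one script, with the same rule set used for both so nothing is left behind when the dead router is finally replaced. Addresses and eth0 are assumptions taken from post #3 (stand-in address 192.168.0.1, surviving gateway 192.168.0.2); DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: make a Linux box on the LAN answer for a dead gateway's IP
# and forward that traffic to the surviving gateway, plus an exact undo.
# Assumed layout (from post #3): LAN 192.168.0.0/24 on eth0, dead gateway
# 192.168.0.1, live gateway 192.168.0.2. Set DRY_RUN=1 to only print commands.
IFACE=eth0
LAN=192.168.0.0/24
DEAD_GW_IP=192.168.0.1
LIVE_GW_IP=192.168.0.2

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# $1 is -I (insert) or -D (delete); identical rules make the undo exact.
fw_rules() {
    op=$1
    # Forward only traffic that really comes from the LAN side of eth0.
    run iptables -t filter "$op" FORWARD -i "$IFACE" -s "$LAN" -j ACCEPT
    # Return traffic is matched by connection tracking, not by a broad rule.
    run iptables -t filter "$op" FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # MASQUERADE is only valid in POSTROUTING; scope it to the LAN and eth0.
    run iptables -t nat "$op" POSTROUTING -s "$LAN" -o "$IFACE" -j MASQUERADE
}

takeover_up() {
    # Add the dead gateway's address as a secondary address; the box keeps its own IP.
    # Clients that cached the dead router's MAC re-ARP once that entry expires.
    run ip addr add "$DEAD_GW_IP/24" dev "$IFACE"
    run sysctl -w net.ipv4.ip_forward=1
    # The box's own default route must point at the surviving gateway.
    run ip route replace default via "$LIVE_GW_IP" dev "$IFACE"
    fw_rules -I
    # Persistence (post #4): iptables-save > /etc/sysconfig/iptables and
    # "net.ipv4.ip_forward = 1" in /etc/sysctl.conf.
}

takeover_down() {
    fw_rules -D
    run ip addr del "$DEAD_GW_IP/24" dev "$IFACE"
    run sysctl -w net.ipv4.ip_forward=0
}

case "${1:-}" in
    up) takeover_up ;;
    down) takeover_down ;;
esac
```

Run as root with `up` or `down`; with `DRY_RUN=1 sh takeover.sh up` you can review the exact rule set before applying it.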