Old 10-16-2012, 04:26 PM   #1
SernOne
Member
 
Registered: Oct 2012
Posts: 33

Network Routing from eth0 to eth1


Hey everyone, I have a question: what would be the best way to route all traffic coming in from eth1 to eth0?

eth0 = 192.168.1.11
eth1 = 10.0.0.1

There is incoming traffic to eth1 from another server, which is 10.0.0.10. I can ping the 192.168.1.11 address but it stops there. How can I make sure to route all traffic coming in on eth1 and route it to go out of eth0?

Basically this box is going to be a firewall/router.

Thank you for the help
 
Old 10-16-2012, 06:03 PM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,657
Blog Entries: 33

Quote:
Hi, Welcome to LQ!

LQ has a fantastic search function that may save you time waiting for an answer to a popular question.

With over 4 million posts to search it's possible the answer has been given.
Please check portforward.

/etc/sysctl.conf
Code:
.....
net.ipv4.conf.all.forwarding=1
net.ipv4.ip_forward=1
........
HTH, Glenn
 
Old 10-17-2012, 12:03 AM   #3
SernOne
Member
 
Registered: Oct 2012
Posts: 33

Original Poster
I feel kinda silly. OK, here is the next problem: I have a web server running on the 10.0.0.0 network, I set up forwarding to that IP for port 80, but this is the error it gives me

[root@abby ~]# lynx 10.0.0.10

Looking up 10.0.0.10 first
Looking up 10.0.0.10
Making HTTP connection to 10.0.0.10
Alert!: Unable to connect to remote host.

lynx: Can't access startfile http://10.0.0.10/



But I can do this

[root@abby ~]# ping 10.0.0.10
PING 10.0.0.10 (10.0.0.10) 56(84) bytes of data.
64 bytes from 10.0.0.10: icmp_seq=1 ttl=64 time=2.14 ms

And this

[root@abby ~]# ssh 10.0.0.10
root@10.0.0.10's password:


Here are my firewall rules

Code:
[root@abby ~]# iptables -L -v -n
Chain INPUT (policy ACCEPT 11140 packets, 1106K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 11380 packets, 15M bytes)
 pkts bytes target     prot opt in     out     source               destination
 4730  442K ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            10.0.0.10           tcp spt:80 dpt:80

Chain OUTPUT (policy ACCEPT 9723 packets, 1037K bytes)
 pkts bytes target     prot opt in     out     source               destination
Code:
[root@abby ~]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 4526 packets, 335K bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   112 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:10.0.0.10

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  443 28260 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       0.0.0.0/0            10.0.0.10           tcp dpt:80

Chain OUTPUT (policy ACCEPT 168 packets, 11263 bytes)
 pkts bytes target     prot opt in     out     source               destination

Any help would be awesome, thank you guys again.
 
Old 10-17-2012, 09:41 AM   #4
SernOne
Member
 
Registered: Oct 2012
Posts: 33

Original Poster
OK so now I played around with it for a little bit, and now I can see packets flowing BUT I still can't get to the site from the 192.168.1.0 network or the outside world.

Much help is needed and very much appreciated

Code:
[root@abby ~]# iptables -L -v -n
Chain INPUT (policy ACCEPT 8433 packets, 668K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 86 packets, 13357 bytes)
 pkts bytes target     prot opt in     out     source               destination
  114  6959 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
   46  2244 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            10.0.0.10           tcp dpt:80

Chain OUTPUT (policy ACCEPT 7513 packets, 1390K bytes)
 pkts bytes target     prot opt in     out     source               destination

[root@abby ~]# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 1171 packets, 83029 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   372 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 to:10.0.0.10:80

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  462 30393 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 386 packets, 25700 bytes)
 pkts bytes target     prot opt in     out     source               destination

Last edited by SernOne; 10-17-2012 at 09:43 AM.
 
Old 10-17-2012, 11:29 AM   #5
SernOne
Member
 
Registered: Oct 2012
Posts: 33

Original Poster
OK, so next update: I actually had to install HTTPD on my firewall server to have it listening on port 80; now it all works fine....


Any ideas on a way around this so I don't have to have this listening on port 80? I want the firewall site responding on something like 9001, so if I do that it won't forward correctly, right?
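A minimal forward/NAT rule set for the eth0/eth1 topology in this thread, as an added example (not code from the thread or from any poster): it assumes the firewall's own web UI on port 9001 and prints the commands instead of applying them when DRY_RUN is set. The point it shows is that DNAT in PREROUTING rewrites port 80 before the routing decision, so the firewall itself needs no listener on 80, and the 9001 service is an ordinary INPUT rule.

```shell
#!/bin/sh
# Added example, not code from this thread: a minimal forward/NAT rule set for
# eth0 = 192.168.1.11 (outside), eth1 = 10.0.0.1 (inside), web server 10.0.0.10.
# ADMIN_PORT=9001 is an assumed port for the firewall's own web UI.
# With DRY_RUN set, commands are printed instead of executed (no root needed).
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
INT_NET=${INT_NET:-10.0.0.0/24}
WEB_HOST=${WEB_HOST:-10.0.0.10}
ADMIN_PORT=${ADMIN_PORT:-9001}
SNAT_TO_WEB=${SNAT_TO_WEB:-0}   # 1 if the web server's default route is not 10.0.0.1

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

fw_apply() {
    # Without forwarding the kernel discards the DNAT'd packet after PREROUTING.
    run sysctl -q -w net.ipv4.ip_forward=1

    run iptables -F INPUT
    run iptables -F FORWARD
    run iptables -t nat -F
    run iptables -P FORWARD DROP

    # Replies for connections the firewall already tracks, in either direction.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Inside hosts may open new connections outward.
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT

    # DNAT runs before the routing decision, so a packet for port 80 is rewritten
    # to the web server and never reaches INPUT: no httpd on the firewall needed.
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_HOST:80"
    # FORWARD sees the rewritten destination; match on dport, never on sport.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_HOST" \
        --dport 80 -m conntrack --ctstate NEW -j ACCEPT

    # Masquerade only what leaves the outside interface, not every packet.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    # If the web server does not route replies back via 10.0.0.1, rewrite the
    # source of forwarded port-80 traffic too (the server then logs 10.0.0.1).
    if [ "$SNAT_TO_WEB" = 1 ]; then
        run iptables -t nat -A POSTROUTING -o "$INT_IF" -p tcp -d "$WEB_HOST" \
            --dport 80 -j MASQUERADE
    fi

    # The firewall's own site on ADMIN_PORT is local delivery, handled by INPUT
    # (this rule only matters once INPUT's policy is DROP).
    run iptables -A INPUT -i "$EXT_IF" -p tcp --dport "$ADMIN_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Count the rules fw_apply would emit that contain a given string (dry run).
fw_count() {
    (DRY_RUN=1; fw_apply) | grep -c -- "$1"
}

if [ "${1:-}" = apply ]; then fw_apply; fi
```

Review the generated rules with `DRY_RUN=1 sh fwd80.sh apply` (file name assumed) before loading them as root with `sh fwd80.sh apply`.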
 
Old 10-17-2012, 05:21 PM   #6
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,657
Blog Entries: 33

Hi, sadly, I'm not a firewall expert.

That said, you might try easyfwgen and then compare your script to it and see (maybe) any diffs in the order of rules and possibly a solution.
Quote:
...... generalized it to include a number of features that are commonly used, but it is targeted at single computers or gateways for small private networks. It's designed to easily generate a full-featured iptables configuration script with a variety of the most commonly desired options....
ref. http://easyfwgen.morizot.net/

download here, rather than a website.

I have a squid proxy server and httpd installed (LAMP) and I use a custom fw script.
This may be obsolete now, but I've had it for years and it seems to work for me.

iptables script, /etc/init.d/atomic.firewall (atomic = Australian PC magazine AtomicMPC)
Code:
#!/bin/sh
#
# Atomic IPTables firewall script v1.2
#
# Simple but effective firewall written for
# the Atomic Uber Linux box guide,
# Issue 21, Oct 2002
#
# Updated May 2003 for bandwidth shaping
#
# Ashton Mills
# amills@iinet.com.au

# Environment variables, change these values accordingly

	EXT_IF=eth0
	INT_IF=eth1
	INT_NET=10.0.0.15/24

	ANY=0.0.0.0/0

	IPTABLES=/sbin/iptables
	MODPROBE=/sbin/modprobe

#
## You shouldn't need to touch anything below here
#

# Load appropriate iptables modules, others will be loaded dynamically on demand

	$MODPROBE ip_tables
	$MODPROBE iptable_filter
	$MODPROBE ip_nat_ftp
	$MODPROBE ip_conntrack
	$MODPROBE ip_conntrack_ftp

# Set proc values for TCP/IP. In order:
#
# Disable IP spoofing attacks
# Ignore broadcast pings
# Block source routing
# Kill redirects
# Set acceptable local port range
# Allow dynamic IP addresses
# Enable forwarding (gateway)

	echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
	echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
	echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
	echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
	echo "1600 61000" > /proc/sys/net/ipv4/ip_local_port_range
	echo "1" > /proc/sys/net/ipv4/ip_dynaddr
	echo "1" > /proc/sys/net/ipv4/ip_forward

# Flush everything

	$IPTABLES -F INPUT
	$IPTABLES -F OUTPUT
	$IPTABLES -F FORWARD
	$IPTABLES -t nat -F
	$IPTABLES -t mangle -F

#
## --- DEFAULT POLICY --- ##
#

	# Drop everything on INPUT and FORWARD chains, accept OUTPUT

	$IPTABLES -P INPUT DROP
	$IPTABLES -P FORWARD DROP
	$IPTABLES -P OUTPUT ACCEPT

#
## --- INPUT CHAIN --- ##
#

	# Allow Telstra heartbeat -- BPA users uncomment this

	$IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
	$IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT

	# Allow local net browsing avahi/Zeroconf

	$IPTABLES -A INPUT -p udp --sport 3128 -j ACCEPT
	$IPTABLES -A INPUT -p udp --sport 5353 -j ACCEPT

	#Allow bootp port -- Optus and some ADSL users need this

	$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT


	# Allow access to services on this (the gateway) machine


	# SSH
	$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

	# Teamspeak
	$IPTABLES -A INPUT -p udp --dport 8767 -j ACCEPT

	# Half Life server
	$IPTABLES -A INPUT -p udp --dport 27015 -j ACCEPT
	$IPTABLES -A INPUT -p udp --dport 27010 -j ACCEPT

	# FTP
	$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
	$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT

	# Bittorrent
	$IPTABLES -A INPUT -p tcp --dport 6881:6969 -j ACCEPT
	$IPTABLES -A INPUT -p udp --dport 6881:6969 -j ACCEPT
	$IPTABLES -A INPUT -p tcp --dport 7881 -j ACCEPT
	$IPTABLES -A INPUT -p udp --dport 8881 -j ACCEPT
	$IPTABLES -A INPUT -p udp --dport 4444 -j ACCEPT
	$IPTABLES -A INPUT -p tcp --dport 51413 -j ACCEPT  #--dport 51413 Transmission-torrent
	$IPTABLES -A INPUT -p udp --dport 51413 -j ACCEPT  #--dport 51413 Transmission-torrent
	# Accept all connections on local and internal interfaces

	$IPTABLES -A INPUT -i lo -j ACCEPT
	$IPTABLES -A INPUT -i $INT_IF -j ACCEPT



	# Accept local connections for webcam
	# (-m tcp/-m udp here: -o names an outgoing interface, so "-o tcp" never matched)
	$IPTABLES -A INPUT -p tcp -m tcp --sport 8081 -j ACCEPT
	$IPTABLES -A OUTPUT -p tcp -m tcp --dport 8081 -j ACCEPT
	$IPTABLES -A INPUT -p udp -m udp --sport 8081 -j ACCEPT
	$IPTABLES -A OUTPUT -p udp -m udp --dport 8081 -j ACCEPT

	# Accept local config for webcam
	$IPTABLES -A INPUT -p tcp -m tcp --sport 8080 -j ACCEPT
	$IPTABLES -A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
	$IPTABLES -A INPUT -p udp -m udp --sport 8080 -j ACCEPT
	$IPTABLES -A OUTPUT -p udp -m udp --dport 8080 -j ACCEPT

	# cups
	$IPTABLES -A INPUT -p tcp -m tcp --sport 631 -j ACCEPT
	$IPTABLES -A OUTPUT -p tcp -m tcp --dport 631 -j ACCEPT
	$IPTABLES -A INPUT -p udp -m udp --sport 631 -j ACCEPT
	$IPTABLES -A OUTPUT -p udp -m udp --dport 631 -j ACCEPT

	# Stateful inspection -- Allow packets in from connections already established

	$IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT


	# Drop packets from invalid sources (reserved networks and localhost)

	$IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
	$IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
	$IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
	$IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP
	$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP


	# Don't log igmp, web or ssl. More noise we don't need to log.

	$IPTABLES -A INPUT -p igmp -j DROP
	$IPTABLES -A INPUT -p tcp --dport 80 -j DROP
	$IPTABLES -A INPUT -p tcp --dport 443 -j DROP


	# Log everything else

	$IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "|iptables -- "

#
## -- BANDWIDTH SHAPING  -- ##
#

#
# EGRESS (upstream)
#

	# TOS marked packets (we'll just work with minimise-delay and maximise-throughput)
	$IPTABLES -t mangle -A POSTROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 10
	$IPTABLES -t mangle -A POSTROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 30

	# UDP (most games, including all Half Life mods as well as DNS, IM clients and more)
	$IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --set-mark 10

	# Games that use DirectPlay from DirectX (note UDP traffic already matched above)
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 47624 -j MARK --set-mark 10
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10

	# Place other games here
	# EVE online
#	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 26000 -j MARK --set-mark 10

	# ICMP (ping)
	$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 10

	# SSH
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK --set-mark 10

	# Web, SSL
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK --set-mark 20
	$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK --set-mark 20

	# ACKs
	$IPTABLES -t mangle -A POSTROUTING -p tcp -m length --length :64 -j MARK --set-mark 20

	#
	# No need for catchall for class 30, handled by HTB root qdisc initialisation
	#

#
# INGRESS (downstream)
#

	# Only prioritise class 10 traffic

	# Don't police high priority UDP, game, ping and SSH packets
	$IPTABLES -t mangle -A PREROUTING -p udp -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 47624 -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 10
	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK --set-mark 10

	# Place other games here
	# EVE online
#	$IPTABLES -t mangle -A PREROUTING -p tcp --sport 26000 -j MARK --set-mark 10

	# Catchall, police everything else
	$IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 30

	#
	# NOTE: It's a good idea -not- to add HTTP to be let through the police filter even
	# for browsing as many P2P programs, not to mention your HTTP file downloads, will
	# flood the link unpoliced, causing delays with high priority (class 10) packets.
	# Shape HTTP going out, but let it be bulk coming in.
	#
	# Read the note at the end of the atomic.shaper script for more on INGRESS shaping.
	#

#
## --- FORWARD CHAIN --- ##
#

	# Stateful inspection -- Forward in connections already established

	$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT


	#---------------------------------------------------------------
	# Allow outbound DNS queries from the FW and the replies too
	#
	# - Interface eth0 is the internet interface
	#
	# Zone transfers use TCP and not UDP. Most home networks
	# / websites using a single DNS server won't require TCP statements
	#
	#---------------------------------------------------------------

# Printer port
#
# 	$IPTABLES -A INPUT -p udp -i eth0 --sport 127.0.0.1:9100 --dport 1024:65535 -j ACCEPT
# 	$IPTABLES -A INPUT -p tcp -i eth1 --sport 127.0.0.1:9100 --dport 1024:65535 -j ACCEPT
#
# 	$IPTABLES -A INPUT -p udp -i eth1 --sport 127.0.0.1:9100 --dport 1024:65535 -j ACCEPT
# 	$IPTABLES -A INPUT -p tcp -i eth0 --sport 127.0.0.1:9100 --dport 1024:65535 -j ACCEPT
#
#
# 	$IPTABLES -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
#
# 	$IPTABLES -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
#

# Forwards for software running on Windows/Linux machines behind the firewall

	# Kazaa Lite (change destination IP accordingly)

#	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 1214 -j DNAT --to-dest 10.0.0.15
#	$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 1214 -d 10.0.0.15 -j ACCEPT

	# Bittorrent

	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6881:6969 -j DNAT --to-dest 10.0.0.15
	$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 6881:6969 -d 10.0.0.15 -j ACCEPT
	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 6881:6969 -j DNAT --to-dest 10.0.0.15
	$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 6881:6969 -d 10.0.0.15 -j ACCEPT
#   #--dport 51413 Transmission-torrent
	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 51413 -j DNAT --to-dest 10.0.0.15
	$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 51413 -d 10.0.0.15 -j ACCEPT
	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 51413 -j DNAT --to-dest 10.0.0.15
	$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 51413 -d 10.0.0.15 -j ACCEPT
	
	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 4444 -j DNAT --to-dest 10.0.0.15
	$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 4444 -d 10.0.0.15 -j ACCEPT

	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 7881 -j DNAT --to-dest 10.0.0.15
	$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 7881 -d 10.0.0.15 -j ACCEPT
	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 7881 -j DNAT --to-dest 10.0.0.15
	$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 7881 -d 10.0.0.15 -j ACCEPT

	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p udp --dport 8881 -j DNAT --to-dest 10.0.0.15
	$IPTABLES -A FORWARD -p udp -i $EXT_IF --dport 8881 -d 10.0.0.15 -j ACCEPT
	$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 8881 -j DNAT --to-dest 10.0.0.15
	$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 8881 -d 10.0.0.15 -j ACCEPT

	# Forwards for hosting DirectPlay games

	$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport 47624 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 47624 -j DNAT --to-destination 10.0.0.15:47624
	$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 2300:2400 -j DNAT --to-destination 10.0.0.15:2300-2400
	$IPTABLES -A FORWARD -i eth0 -o eth1 -p udp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2300:2400 -j DNAT --to-destination 10.0.0.15:2300-2400


	# Forward out all traffic

	$IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT

#
## --- OUTPUT CHAIN --- ##
#

	# Follows policy

#
## --- NAT --- ##
#

	# Enable masquerade

	$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -j MASQUERADE

#
## -- Transparent proxy to Squid --- ##
#

	$IPTABLES -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

	$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
/etc/squid/squid.conf
Code:
http_port 10.0.0.15:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir diskd /var/spool/squid 5000 16 256
cache_store_log none
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
half_closed_clients off
acl manager proto cache_object
acl localhost src 127.0.0.0/8
acl to_localhost dst 127.0.0.0/8
#acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 10.0.0.0/16 # RFC1918 possible internal network
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl mynetwork src 10.0.0.0/16
http_access allow mynetwork
http_access allow localnet
http_access allow localhost
http_reply_access allow all
icp_access allow all
visible_hostname squid@GamesBox.GlennsPref.net
append_domain .GamesBox.GlennsPref.net
err_html_text admin@GamesBox.GlennsPref.net
deny_info ERR_CACHE_ACCESS_DENIED all
memory_pools off
coredump_dir /var/spool/squid
ie_refresh on
2 things I'm not sure about are MASQUERADE and Transparent.

HTH, Glenn
 