Hello.

I am trying to run a firewall to separate two lans, but can't get traffic forwarded from lan to lan. Here's part of the iptables:

I am using Lenny with the default kernel: 2.6.24-1-686

I have this set:
net.ipv4.conf.default.forwarding=1

EXT_IFACE="eth0"
LAN_IFACE="eth1"

EXT_IP="192.168.1.2"
LAN_IP="192.168.2.1"
UNIVERSE="0.0.0.0/0"

LAN_ADDRESSES="192.168.2.0/24"
LAN_NETWORK="192.168.2.0"

# Allow established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Forward from and to the LAN
iptables -A FORWARD -i $LAN_IFACE -o $EXT_IFACE -p tcp \
-s $LAN_ADDRESSES --sport $UNPRIVPORTS --dport 22 \
-m state --state NEW -j ACCEPT

This is the routing table:

Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth1
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0


That should be enough, I think, to forward from private lan to EXT. Do I need MASQ or what else?

Thanks.

Here is a link to a NAT HOWTO that should help you figure out what you need to do next.

My confusion is if I really need to nat the traffic between the two lans. Would a simple FORWARDing work? I don't have any servers running that need to be accessed from the internet. Simple as:

internet ----------- router ------------ lan

Thanks.

Ok.

I finally got my script working by adding this:

iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE

That was all I needed.

Thank you.