We currently have a bridging iptables firewall set up between our router and our LAN (publicly accessible IPs). On an extra NIC in the firewall, I have set up an internal block - this is being NAT-ed when traffic from this private block is destined for external IPs.
All works fine - the private block can see the local public block and it can also NAT out fine. The local public block can get out via the bridge but traffic to the private block heads out to the router.
How can I get the firewall to redirect public->private traffic out through the extra non-bridge NIC?
# FWD: Allow all connections OUT and only existing and related ones IN
# The two interface names come from the command line: internal first, external second
if [ $# -eq 2 ]
then
    INTIF=$1
    EXTIF=$2
    iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    if [ $? -eq 0 ]
    then
        echo " Proxy server rule loading complete"
    fi
else
    echo "You need to enter two names, your internal connection name eg (eth0) first, then your external connection eg (eth1), example ./scrptname eth0$"
fi
Sorry - that doesn't help. I can already get NAT working fine if the private block routes out to an external IP. What I need is: if traffic passes through the bridge from an INTERNAL PUBLIC IP destined for an INTERNAL PRIVATE IP, I need iptables to route the traffic out of the NIC that the private subnet is connected to.
If I understand, you have two (or more) networks on one interface.
1st network is internet (for example)
2nd network is ethernet (for example)
You want to do the following:
a) NAT traffic from ethernet to ethernet
b) forward traffic from ethernet to ethernet
c) deny new connections from internet to ethernet
Right, I'll try to explain this better. See the attachment for a diagram.
There's a gateway. It's on (for example) 100.1.1.1/24. The gateway is connected to eth0 on a linux firewall. eth0 is in a bridge 'bridge0' with eth1. eth1 is then connected to a switch for all the other network PCs.
So far, so dull. All the networked PCs access the internet via 100.1.1.1.
Now, I want to add another NIC to the linux firewall. Let's say this NIC will be 192.168.1.1. I've configured iptables so that if any packet originates from 192.168.1.* and is not destined for 100.1.1.*, it will be NAT-ed.
This all works fine.
Now comes the problem. If a PC on the 100.1.1.* LAN wants to reach an IP on the 192.168.1.* subnet, I want it to be able to get there without being NAT-ed. The 100.1.1.* PC will try to route the connection via the default gateway (100.1.1.1) and this will travel through the bridge. At this point, I want iptables to send the packet out via eth2.
I strongly recommend removing the bridge. I recommend routing instead of bridging your network. In that case it is very easy. I'll try to explain using the picture you've sent. (I suppose your prefixes are /24, although I don't know if you want the 100.1.1.1 network to be a public network or not - that is, whether you use public IPs; in that case it will have to change a bit.)
1. remove the bridge0
2. change the internet gateway address to 10.1.1.1/24
3. set 10.1.1.2/24 on your eth0
4. set 100.1.1.1/24 on your eth1
5. set 192.168.1.1/24 on your eth2
6. set default route on eth0, default gateway IP is 10.1.1.1
7. set iptables SNAT or masquerade (both are possible, use google to find an example)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
On PCs in your LANs set the IPs, just remember to change the default gateway:
in the 100.1.1.0/24 network, the default gateway for the PCs is 100.1.1.1
in the 192.168.1.0/24 network, the default gateway for the PCs is 192.168.1.1
DNS stays the same as you have now, because all IPs are reachable.
Last edited by MartinStrec; 01-14-2012 at 04:21 AM.
Reason: incomplete - missing one half of the text
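The routed layout from steps 1 to 7 above, written out as one script (an added example, not from the thread or from MartinStrec). Interface names and prefixes are the ones in the post; the WAN_IF/PUB_IF/PRIV_IF variable names, the DRY_RUN switch and the explicit FORWARD policy are this example's own assumptions.

```shell
#!/bin/sh
# Added example: routed three-NIC firewall replacing bridge0.
# Run as root to apply, or with DRY_RUN=1 to print the commands instead.
WAN_IF=eth0;  WAN_IP=10.1.1.2/24;     WAN_GW=10.1.1.1
PUB_IF=eth1;  PUB_IP=100.1.1.1/24;    PUB_NET=100.1.1.0/24
PRIV_IF=eth2; PRIV_IP=192.168.1.1/24; PRIV_NET=192.168.1.0/24

run() {  # print one command in dry-run mode, otherwise execute it
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

configure_routed_firewall() {
    # Step 1: delete the bridge; eth0 and eth1 become plain routed ports.
    run ip link delete bridge0 type bridge
    # Step 2 (10.1.1.1/24 on the internet gateway) is done on the gateway itself.
    # Steps 3-6: one address per NIC and a single default route out of eth0.
    run ip addr add "$WAN_IP"  dev "$WAN_IF"
    run ip addr add "$PUB_IP"  dev "$PUB_IF"
    run ip addr add "$PRIV_IP" dev "$PRIV_IF"
    run ip route add default via "$WAN_GW" dev "$WAN_IF"
    run sysctl -w net.ipv4.ip_forward=1
    # Forwarding is deny-by-default: new connections arriving from the
    # internet match none of the ACCEPT rules below and are dropped.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Both LANs may open connections towards the internet ...
    run iptables -A FORWARD -i "$PUB_IF"  -o "$WAN_IF" -s "$PUB_NET"  -j ACCEPT
    run iptables -A FORWARD -i "$PRIV_IF" -o "$WAN_IF" -s "$PRIV_NET" -j ACCEPT
    # ... and towards each other, routed straight between eth1 and eth2.
    run iptables -A FORWARD -i "$PUB_IF"  -o "$PRIV_IF" -s "$PUB_NET"  -d "$PRIV_NET" -j ACCEPT
    run iptables -A FORWARD -i "$PRIV_IF" -o "$PUB_IF"  -s "$PRIV_NET" -d "$PUB_NET"  -j ACCEPT
    # Step 7: masquerade only on the WAN side, so LAN-to-LAN traffic keeps
    # its real source address (the OP's "without being NAT-ed" requirement).
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    apply) configure_routed_firewall ;;
    *)     DRY_RUN=1; configure_routed_firewall ;;   # default: show, don't touch
esac
```

Without the `apply` argument the script only prints the commands, which is a convenient way to review the rule set before loading it.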
Bridging the network is not a good idea. Sometimes you can find a benefit of bridging, however routing is better in many cases. When you bridge networks, both networks slow down because too many packets are sent to the whole network (to all bridged networks). When you route networks, just packets with the specified IP addresses (network prefixes) are sent to the required networks. Especially when you have 3 NICs in your server (router), you can manage your network much better and split networks by routing.
In your case the routes are created automatically, so you needn't be afraid about functionality. You just have to define a default route for unknown IPs (the default route to the internet).