LinuxQuestions.org
Old 08-18-2010, 05:16 AM   #1
rookiepaul
Member
 
Registered: Jul 2005
Posts: 73

Rep: Reputation: 15
NAT'ing a subnet for Internet access with IP tables


Hi all,

I have a Debian box running as a gateway between my office network, the Internet and a remote subnet via a VPN. I have the office network and the remote subnet talking fine. The remote network is an Amazon Virtual Private Cloud (VPC), which means that for any machines in it to access the Internet, they have to pull the Internet from my office connection through my Debian gateway and across the VPN. Internet requests from the VPC hit the Debian box but seem to get lost. I think it's a fairly simple solution, but my knowledge of iptables is limited (trying to learn). Network details are as follows:

Office Subnet: 10.121.10.0/24

Debian Office Gateway:
eth0 - 10.121.10.2
eth1 - 213.121.XXX.XXX (Internet Connection)
eth1 alias 1: 169.254.254.2
eth1 alias 2: 169.254.254.6
(eth1 aliases are for the dual VPN tunnels)

VPC Subnet: 10.121.12.0/24

VPC Gateway (I have no control over this)
inside: 10.121.12.1
outside 1: 169.254.254.1
outside 2: 169.254.254.5
(outside interfaces for VPN tunnels)


As I said earlier, the Debian gateway is receiving the Internet requests from the VPC subnet but is dropping them. The VPC and Office are communicating fine. The gateway in the VPC is already configured as it should be to pass Internet traffic to the VPC subnet.

My current iptables config script (bit messy, been trying stuff out):

Code:
#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Earlier attempts, left commented out.
# Always accept loopback traffic
#iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and not those coming from the outside
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
#iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
#iptables -A FORWARD -i eth1 -o eth1 -j REJECT

# Enable routing.
#echo 1 > /proc/sys/net/ipv4/ip_forward


#---------------#
# Replies to connections this box opened itself.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

# Traffic addressed to this box from the VPC subnet, the two VPN tunnel /30s
# and the office subnet. 169.254.254.0/30 covers .1 and .2, 169.254.254.4/30
# covers .5 and .6; iptables masks the host bits, so "169.254.254.2/30" and
# "169.254.254.1/30" were the same rule twice. The office rule is bound to
# eth0 so a packet arriving on eth1 with a forged 10.121.10.x source does
# not match it.
iptables -A INPUT -s 10.121.12.0/24 -j ACCEPT
iptables -A INPUT -s 169.254.254.0/30 -j ACCEPT
iptables -A INPUT -s 169.254.254.4/30 -j ACCEPT
iptables -A INPUT -i eth0 -s 10.121.10.0/24 -j ACCEPT

iptables -A INPUT -j DROP

# The same sources may be forwarded; replies are matched by conntrack.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.121.12.0/24 -j ACCEPT
iptables -A FORWARD -s 169.254.254.0/30 -j ACCEPT
iptables -A FORWARD -s 169.254.254.4/30 -j ACCEPT
iptables -A FORWARD -i eth0 -s 10.121.10.0/24 -j ACCEPT

iptables -A FORWARD -d 169.254.254.0/29 -j ACCEPT
#iptables -A FORWARD -d 10.121.12.0/24 -j ACCEPT

# Hide everything leaving eth1 behind the eth1 address. Without -s this
# matches locally generated packets too, not only forwarded ones.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward

This has been bugging me for about a week now. It was hard enough setting up this VPN to the VPC, and I'm so close to having everything working. Any help would be much appreciated.

Regards

Paul.
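An added example, not code from the original post or from any reply to it: the same gateway written as an iptables-restore file generated by a shell function, so it can be inspected before it is loaded and loaded atomically. The interface names and subnets are the ones listed in the post; the variable names, the LOG rule and its prefix, and the IKE/ESP rules on eth1 (the post says only "VPN", and the 169.254.254.x tunnel addresses are those of an AWS VPC IPsec VPN) are assumptions. Compared with the posted script, every ACCEPT is bound to the interface or subnet it is meant for, NAT is limited to the two private subnets so tunnel traffic and office-to-VPC traffic are never rewritten, and anything that reaches the end of FORWARD is logged before the chain policy drops it, which is the check you want when forwarded packets "get lost".

```shell
#!/bin/sh
# Added example (not from the original post). Emits and loads an iptables-restore
# ruleset for a Debian gateway with an office LAN on eth0, the Internet plus two
# VPN tunnels on eth1, and a VPC subnet reachable through the tunnels.
# Assumptions: variable names, the log prefix, and the IKE/ESP accept rules.

LAN_IF=eth0                 # office side
WAN_IF=eth1                 # Internet side; also carries the VPN tunnels
OFFICE_NET=10.121.10.0/24
VPC_NET=10.121.12.0/24
TUN1=169.254.254.0/30       # .1 is the VPC gateway, .2 is this box
TUN2=169.254.254.4/30       # .5 is the VPC gateway, .6 is this box

# Write the ruleset to stdout. INPUT and FORWARD default to DROP; the LOG rule is
# the last rule in FORWARD, so whatever it prints is exactly what the policy drops.
gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $OFFICE_NET ! -d $VPC_NET -o $WAN_IF -j MASQUERADE
-A POSTROUTING -s $VPC_NET ! -d $OFFICE_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $OFFICE_NET -j ACCEPT
-A INPUT -s $VPC_NET -j ACCEPT
-A INPUT -s $TUN1 -j ACCEPT
-A INPUT -s $TUN2 -j ACCEPT
-A INPUT -i $WAN_IF -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -i $WAN_IF -p esp -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -s $OFFICE_NET -j ACCEPT
-A FORWARD -s $VPC_NET -d $OFFICE_NET -o $LAN_IF -j ACCEPT
-A FORWARD -s $VPC_NET -o $WAN_IF -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Number of rules appended to one chain of the generated file (for review/tests).
count_rules() {
	gen_ruleset | grep -c "^-A $1 "
}

# Load the whole ruleset in one transaction and turn on forwarding. Run as root.
apply_ruleset() {
	gen_ruleset | iptables-restore &&
	sysctl -w net.ipv4.ip_forward=1
}

case "${1:-}" in
	show)  gen_ruleset ;;
	count) count_rules "$2" ;;
	apply) apply_ruleset ;;
esac
```

Run `sh gateway.sh show` to read the file and `sh gateway.sh apply` as root to load it. Then have a VPC host fetch something from the Internet and look at `iptables -L FORWARD -v -n` and `dmesg | grep FWD-DROP`. If a FWD-DROP line names the packet, the rule above it that should have matched is the bug. If nothing is logged and the counter on the `-s 10.121.12.0/24 -o eth1` rule climbs, iptables is forwarding the packet and the loss is after it: the reply comes back from the Internet to the eth1 address, is de-NATed to the 10.121.12.x host, and then has to be carried back across the VPN, so the tunnel's traffic selectors on both sides must cover Internet destinations for the VPC subnet, not only 10.121.10.0/24.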