Using NAT on multiple subnets
I have been looking for a solution for this problem:
http://www.linuxquestions.org/questi...debian-805534/

I eventually came up with the following solution: I installed Firestarter and started to NAT through the installation wizard that comes with Firestarter. Strangely enough I had to point out a network interface for the internal network and the external network interface instead of an IP range. For this server I used 3 virtual networks: on eth0 I used 192.168.0.1 in subnet 192.168.0.0/24, on eth0:0 I used 192.168.1.1 in subnet 192.168.1.0/24, and so on... What I want now is to use NAT to provide every node with NAT, but only the eth0 network had a connection. Does anyone know how to enable routing (NAT) on all subnets, or how to use the NAT on subnet 192.168.0.0/24 for everyone? For security reasons I chose multiple subnets; I preferably want to keep this function. |
Yes, please post the output of:
Code:
iptables-save

Code:
# POSTROUTING lives in the nat table, so -t nat is required
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE

Code:
# -i cannot be used in POSTROUTING (the chain runs after routing); -o eth1 alone selects everything leaving eth1
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE |
Keep in mind that unless your multiple subnets are on separate VLANs or physical switches, any client who wants to communicate with the other subnet can just add another IP address to its interface.
|
Install the package ipmasq in Debian, and read through all the documentation which is installed; run the installation script and ipmasq produces a nice package to start with.
Debian style is to use a script to configure iptables, so every time you change this script, run it again and you have a whole freshly configured iptables. That is much better than using the built-in save and restore of iptables. Open the script produced with the installer with your favorite editor, then define some different networks, like:
Code:
net_mared_internal=192.168.5.0/24

Code:
$IPTABLES -t nat -A POSTROUTING -o $nic_ext -s $net_mared_internal -j MASQUERADE

jlinkels |
Quote:
This does prevent most viruses from spreading to the important machines. I will post the outputs as soon as I get home. I also already encountered the problem of not being able to adapt the firewall rules remotely (I do this through the Firestarter GUI now). |
OK, here it goes:

iptables-save:
Code:
# Generated by iptables-save v1.4.2 on Mon May 10 21:56:28 2010

Code:
eth0 Link encap:Ethernet HWaddr 40:61:86:87:ae:6f

Code:
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.1

(enable routing for eth0:0 and eth0:1) |
Your iptables rules are masquerading all traffic going out eth1, which is good; however your forward chain is blocking all traffic not specifically allowed through.
This should fix that:
Code:
iptables -I FORWARD -d 192.168.2.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT

You also have three default gateways set up; you should only have one. Assuming that the internet currently works from your main server, don't change that yet -- wait until everything else is fixed. |
How do I change it? Is the iptables-save script a text file somewhere?
EDIT: those were commands... but do they survive a reboot? |
No they do not; you will need to add them to a script which executes on boot after Firestarter does its thing.
Did the above commands fix your issues? |
I ran the commands but still no go. I did discover something else...
I have been experimenting with one of the machines by putting it in different subnets (192.168.0.2 and 192.168.1.2). If I put the machine on 192.168.0.2 I can connect to it using SSH and I can ping it (I also have an internet connection on the machine this way), but if I put the machine in the 192.168.1.2 network I can ping by IP address to 4.2.2.1 (OpenDNS or something like that) and to Google, but I can't connect to it through HTTP. So from the server to the client isn't possible, and from the client to the server isn't possible (but ping works like a charm both ways!). Couldn't this be a firewall related problem? |
OK, well I've found the problem!
Because I could ping everywhere I thought it was a firewall problem, so I started to read documentation on iptables and I saw the following lines in the config:
Quote:
Quote:
It's quite similar to what SuperJediWombat! said, but this actually worked. The only thing left to do is to make them persistent. |
Making it persistent:
I made 2 scripts, /etc/network/if-up.d/my-script
Quote:
Quote:
Thanks to: http://kevin.vanzonneveld.net/techbl...with_iptables/ |
OK, it didn't work exactly as I planned, but it eventually worked after putting the script in /etc/firestarter/config/user-post
|
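The working fix described in this thread (MASQUERADE out of eth1 for each aliased subnet, a FORWARD chain that lets replies back in, and a script hooked into /etc/network/if-up.d or the Firestarter user-post file so it survives a reboot) gathered into one Debian-style script, as an added example that is not code from the thread, from ipmasq or from Firestarter. The interface names eth0/eth1, the three 192.168.x.0/24 subnets and the DRY_RUN switch are assumptions chosen to match the original post; with DRY_RUN=1 (the default) the script only prints the iptables commands it would issue, so the generated set can be reviewed before running it as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: Debian-style iptables script for NAT from several aliased
# internal subnets out of one external interface. Interface names, subnets
# and the DRY_RUN switch are assumptions constructed for this example.

EXT_IF="${EXT_IF:-eth1}"      # external (internet) interface (assumed)
INT_IF="${INT_IF:-eth0}"      # internal interface carrying eth0:0, eth0:1 ... (assumed)
INT_NETS="${INT_NETS:-192.168.0.0/24 192.168.1.0/24 192.168.2.0/24}"
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"       # 1 = print the rules, 0 = apply them (needs root)

# run_rule: print an iptables command (dry run) or execute it.
run_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPTABLES" "$*"
    else
        "$IPTABLES" "$@"
    fi
}

# enable_forwarding: the kernel only routes between interfaces when
# ip_forward is on; without it no NAT rule ever sees the packets.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# build_rules: emit the complete FORWARD and nat/POSTROUTING rule set.
# Re-running the script rebuilds the chains from scratch (flush first),
# which is the Debian-style approach described in the thread.
build_rules() {
    run_rule -t nat -F POSTROUTING
    run_rule -F FORWARD
    run_rule -P FORWARD DROP
    # Replies to connections the LAN opened are allowed back in from the
    # outside; this is the rule the original FORWARD chain was missing.
    run_rule -A FORWARD -i "$EXT_IF" -o "$INT_IF" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    for net in $INT_NETS; do
        # Keep the subnets isolated from each other at the router. This only
        # covers traffic the router forwards; hosts on the same switch can
        # still bypass it by adding an alias, as noted earlier in the thread.
        for other in $INT_NETS; do
            [ "$net" = "$other" ] && continue
            run_rule -A FORWARD -s "$net" -d "$other" -j DROP
        done
        # Each subnet may open connections to the outside ...
        run_rule -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$net" -j ACCEPT
        # ... and is masqueraded behind the external address on the way out.
        run_rule -t nat -A POSTROUTING -o "$EXT_IF" -s "$net" -j MASQUERADE
    done
}

# rule_count: number of iptables commands the script would issue, handy for
# checking the generated set before applying it (16 for three subnets).
rule_count() {
    build_rules | grep -c .
}

# main: when installed as /etc/network/if-up.d/<name>, ifupdown sets IFACE;
# act only when the external interface comes up. Run by hand (IFACE unset)
# it always emits the rules.
main() {
    if [ -n "${IFACE:-}" ] && [ "$IFACE" != "$EXT_IF" ]; then
        return 0
    fi
    enable_forwarding
    build_rules
}

main "$@"
```

The flush lines make the script a stand-alone replacement for the wizard-generated rules; if it is instead dropped into /etc/firestarter/config/user-post as the thread ends up doing, remove the two `-F` lines and the `-P FORWARD DROP` line so it only appends to the chains Firestarter has already built. The RELATED,ESTABLISHED rule is restricted to traffic arriving on the external interface, so the per-subnet DROP rules still keep the aliased subnets from reaching each other through the router.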
If those commands worked, mine should have. The only difference is that I allowed through all protocols, rather than just TCP and UDP.
You should also need the rule accepting all forward traffic out of eth1, because when you initially ran iptables-save the only close rule was accepting all traffic in through eth0. Can you post the output of these again, while it is working?
Code:
iptables-save |
OK, here you go:
I'm quite the newbie and I don't get what you mean with the last comment on allowing traffic out eth1.

iptables-save:
Code:
# Generated by iptables-save v1.4.2 on Wed May 12 02:11:48 2010

Code:
eth0 Link encap:Ethernet HWaddr 40:61:86:87:ae:6f

Code:
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.1 |