using NAT on multiple subnets.
 

I have been looking for a solution for this problem:
http://www.linuxquestions.org/questi...debian-805534/

I eventually came up with the following solution:
I installed firestarter and started to NAT trough the installation wizard that comes with firestarter. Strangely enough I had to point out a network interface for the internal network and the external network interface instead of IP range.
For this server I used 3 virtual networks,
on eth0 I used 192.168.0.1 in subnet 192.168.0.0/24
on eth0:0 I used 192.168.1.1 in subnet 192.168.1.0/24 and so on...
what I want now is to use nat to provide every node with nat but only the eth0 network had a connection.

does anyone know how to enable routing (nat) on all subnets or how to use the nat on subnet 192.168.0.0/24 for everyone?

because of security reasons I chose for multiple subnets, I preferably want to keep this function.

Yes, please post the output of:Right now you probably have a rule which looks like this in your nat table:What you want is something like this:

Keep in mind that unless your multiple subnets are on separate VLAN's or physical switches, any client who wants to communicate with the other subnet can just add another IP address to it's interface.

Install the package ipmasq in Debian, and read thru all documentation which is installed, run the installation script and ipmasq produces a nice package to start with.

Debian style is to use a script to configure iptables, so everytime you change this script, run it again and you have a whole freshly configured iptables. That is much better than using the built-in save and restore op iptables.

Open the script produced with the installer with you favorite editor, then define some different networks, like:
and then for each network, add a MASQUERADE rule and a FORWARD rule:
It shall be clear that net_mared is one of the subnets, nic_ext is the interface looking at internet, and nic_rnb is the internal network card. $IPTABLES is a variable holding the complete path to iptables, /sbin/iptables.

jlinkels

it doesn't have to be completely secure, I do not have switches that support vlans and it's mainly about preventing some less secured computers from doing damage to the important ones. it's probably way too advanced for the purpose but I just want to do it this way to learn something.

this does prevent most viruses from spreading to the important machines. I will post the outputs as soon as I get home.

I also already encountered the problem of not being able to adapt the firewall rules remotely (I do this trough the firestarter gui now)

ok here it goes: iptables-save:

ifconfig:
ip route:

anyone has an idea what to do?
(enable routing for eth0:0 and eth0:1)

Your iptables rules are masquerading all traffic going out eth1 which is good, however your forward chain is blocking all traffic not specifically allowed through.

This should fix that:
Try that, if it does not work please repost the output of iptables-save after running the commands above.

You also have three default gateways setup, you should only have one. Assuming that the internet currently works from your main server, don't change that yet -- wait until everything else is fixed.

how do I change it? is the iptables-save script a text file somewhere?

EDIT: those were commands... but do they survive a reboot?

No they do not, you will need to add them to a script which executes on boot after firestarter does it's thing.

Did the above commands fix your issues?

I ran the commands but still no go. I did discover something else...
I have been experimenting with one of the machines by putting it in different subnets (192.168.0.2 and 192.168.1.2) and if I put the machine on 192.168.0.2 I can connect to it using ssh and I can ping it (I also have an internet connection on the machine this way) but if I put the machine in the 192.168.1.2 network I can ping by ipaddress to 4.2.2.1(opendns or something like that) and to google, but I can't connect to it trough http.

so from the server to the client isn't possible, from the client to the server isn't possible (but ping works like a charm both ways!)

Couldn't this be a firewall related problem?

OK well I've found the problem!
Because I could ping everywhere I thought it was a firewall problem so I started to read documentation on iptables and I saw the following lines in the config:
Because of this I executed the following commands:
and now it works!

It's quite similar to what SuperJediWombat! said but this actually worked.

only thing left to do is to make them persistent.

making it persistent:
I made 2 scripts,

/etc/network/if-up.d/my-script
/etc/network/if-up.d/my-script
I did a chmod u+x on both of the files to make them executable.

thanks to: http://kevin.vanzonneveld.net/techbl...with_iptables/

ok it didn't work exactly as I planned but it eventually worked after putting the script in /etc/firestarter/config/user-post

If those commands worked, mine should have. The only difference is that I allowed through all protocols, rather than just tcp and udp.

You should also need the rule accepting all forward traffic out of eth1. because when you initially ran iptables-save the only close rule was accepting all traffic in through eth0.

Can you post the output of these again, while it is working?

ok here you go:

I'm quite the newbie and I don't get what you mean with the last comment on allowing trafic out eth1

iptables-save
ifconfig
ip route