Networking :: Using Iptables To Route/forward To Identical LANs?

Jul 18, 2011

The goal is to make connection calls (ssh, ping, ...) possible from one LAN (LAN-1) to a number of (at the moment two) separate smaller LANs. These smaller LANs (LAN-2a, LAN-2b, ...) have exactly the same specifications (same IP range, same number of nodes, ...)! The idea is to use a Fedora box (release 14 with 2.6.35.6-45.fc14.i686) and implement an appropriate iptables routing/forwarding. The Fedora box has three network interfaces:

- eth0 (aaa.bbb.ccc.m) on LAN-1 (aaa.bbb.ccc.0/24)
- eth1 (ddd.eee.fff.n) on LAN-2a (ddd.eee.fff.0/27)
- eth2 (ddd.eee.fff.p) on LAN-2b (ddd.eee.fff.0/27)

[code]....


Networking :: Route Eth2 TCP Packets To Tun0 With IPTABLES And IP RULE/ROUTE?

May 8, 2011

I have 3 network interfaces on my Linux router:

Interface - Gateway - Type

Code:

br0 - 192.168.0.1 - Internet
eth2 - 192.168.1.1 - LAN
tun0 - 10.0.0.2 - VPN (via br0)

What I'd like to do is to route all TCP packets coming from eth2 to tun0 where a VPN client is running on 10.0.0.2. If I delete all default routes and if I add a new route to tun0 like :

Code:

route del default
route add default gw 10.0.0.2

Everything is fine, and everyone on eth2 can reach the Internet using the VPN access. Now the problem is that my VPN client does not allow any protocols other than TCP. And I also want to allow VPN access only to eth2, no other LAN nor the router itself. I want to use iptables to filter any TCP packets and mark them, so they can be sent to tun0, while any other packets can reach the Internet via br0 (192.168.0.1). I found on the Internet that we can mark packets before they get routed, using the following commands:

Code:

iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80
ip route add table 300 default via 10.0.0.2 dev tun0
ip rule add fwmark 0x55 table 300

First of all, --dport 80 never works... :/ I wanted to filter TCP 80 packets coming from eth2, but none of them seem to be HTTP packets... oO (very strange...). Never mind, I decided to forget about the --dport option. I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine, all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0; they are all respecting the "route -n" rules... and not the "table 300" rule I have created.


Networking :: Route (forward) Packets In Promiscuous Mode?

Sep 16, 2010

I need to route packets coming from a standalone switch port which is a mirror ("tap") of another port ("source"). I can't seem to forward packets whose MAC address is for a different device (the actual "target" of "source"). My device is in promisc mode, I can see the incoming packets in tcpdump and Wireshark. The only packets which get forwarded are those which have my MAC destination address (I changed the wiring to come straight from source and not the mirror port, to get "my" MAC address in the packet). My routing table is configured to forward and I have ip_forwarding enabled, obviously (otherwise packets sent to my MAC wouldn't route). By the way, the incoming packets are all VLAN tagged and I have matching subinterfaces.

Q1 - is this inherent, that packets won't get "passed up" to the IP layer unless the MAC addresses match?

Q2 - Would ebtables be a good solution, i.e. rewrite the dest MAC address to my own MAC addr and send to the INPUT target?


Networking :: Using Route Tool To Forward Traffic Between Two Nics?

May 10, 2011

I am trying to set up a Linux box that can act as a router (and firewall later). I have a Debian 5 installation and it has two NICs in it. I am trying to use the Linux route command to set up a route between the two interfaces. I am finding it difficult to do. Let me explain how I am trying to set up my network: I have the ethernet cable from my modem connecting to eth0 of my Debian box, then I have eth1 connecting to a switch, which I connect all my computers and other devices to. I want to have two different IP address schemes for the devices. So here is my interfaces file:

Code:

#eth0 connects to modem
allow-hotplug eth0
iface eth0 inet static

[code]....

So I am wondering, to get my ethernet traffic from eth0 to eth1 and vice versa, do I need to make it so the gateway for destination 192.168.1.0 is 10.1.1.1, and for destination 10.0.0.0, gateway 192.168.1.0? I have looked at the Linux manpage for route and I am still confused. I have also looked at the Debian networking page, but it is still unclear to me how to do this. How am I to use the route command to get this working? Or am I not even supposed to use the route command?


Networking :: Iptables - Forward All FTP To Other Server?

Dec 24, 2008

So here is my issue in a nutshell. I need to take FTP requests that hit Server_A and forward them to Server_B. Server_B is not NATted... Server_B is another public server in a completely different location in the world. One thing to note is that I only have one NIC, hence why you will see both in and out being eth0. This is what I have in my iptables on SERVER_A:

iptables -A FORWARD -p tcp -i eth0 --sport 21 -o eth0 -d SERVER_B --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --sport 20 -o eth0 -d SERVER_B --dport 20 -m state --state NEW -j ACCEPT

I've also tried both of the above without the --sport option. When I FTP to SERVER_A (where the above iptables rules are) it connects to SERVER_A instead of forwarding them to SERVER_B.


Fedora Networking :: How To Forward A Port Using Iptables

May 7, 2009

I need to forward a port to use dtella. I'm using Fedora 10, using iptables for my firewall.

I'm currently trying to forward it from terminal with this command:

Code:
sudo iptables -t nat -A PREROUTING -p udp -i eth0 -d [ip address] --dport 11823 -j DNAT --to 192.168.0.2:80
This is what I get from iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

[Code].....


Networking :: Set Iptables To Forward All On An Aliased Ip Address?

Apr 15, 2009

I have three machines on three networks: 192.x.x.x, 10.x.x.x, 172.x.x.x. The routers are set to forward communication between the 192. network and the 10. network, and between the 10. network and the 172. network. However, there's no routing between 192. and 172. I want to fix that by using a machine on the 10. network to forward communication between the other two networks. The machine has one ethernet connection eth0 whose address is 10.1.1.11. I set up an aliased IP address eth0:0 to be 10.1.1.12 using

Quote:
ifconfig eth0:0 10.1.1.12

Then I tried to set forwarding rules on the 10. machine such that the 10.1.1.12 address will provide access to the machine 172.1.1.55 as follows

Quote:
# iptables -t nat -A PREROUTING -d 10.1.1.12 -j DNAT --to-destination 172.1.1.55

The default policies for all chains are ACCEPT. I then try to access 10.1.1.12 from 192.1.1.20 expecting it to actually access 172.1.1.55; it does not work.


Networking :: Iptables Forward Port To Another Host?

Nov 15, 2010

Let's say I have two machines on public IPs. If I get incoming traffic on machine #1 on port 55242 I would just like to forward it to machine #2 on port 35000. I would just like to use machine #1 the same way as a DNS server works. It just redirects the traffic and tells the client where to go.


Networking :: Setup Multi-Path Route Iptables ?

Jun 14, 2010

Here's my scenario:

I want it so any inbound traffic from DSL goes back out the DSL and the same for Rogers. I've been searching and playing with many docs with no luck.

Anyone know how I do this? The multiple routes are on the same device br0. (which I think is causing all my havoc)


Networking :: Forward Multiple Public Addresses With Iptables?

Jun 3, 2011

iptables and multiple public-facing IP addresses. With the current setup I have a public-facing firewall with iptables which will then forward traffic to a LAN IP. I will hopefully be allotted 1 private IP per public IP, which I hope will make this much more simple. For example, I have server A with the LAN IP of 10.0.0.1 which I would like to have traffic forwarded from 5.0.0.1, the public IP. I also have server B with LAN IP of 10.0.0.2 which I would like to have forwarded from 5.0.0.2, the second public IP. From what I have read and understood, this should be a simple task, however I would just like to double check to make sure that it is in fact possible, and if so, how would it be recommended that I go about doing so. Essentially, I need to forward each public IP to a corresponding LAN IP with all ports.


Networking :: Fedora Iptables Forward Port80 To Other Proxy Server?

May 20, 2009

I'm using Fedora Core 5.0. I have been using iptables to forward port 80 to port 3128 (Squid) on the same server. I need to forward using iptables to the other proxy server because this server I am using for VPN and mail transfer. What command do I use?

Case:
1. Server 1 > IP 192.168.0.4 SQUID WITH PORT (3128)
2. Server 2 IP 192.168.0.254 PF SENSE (3128)

I will use server 2 for using the internet connection only.


Networking :: IPtables: Route Outgoing Traffic From Internal Host To Only Go A Internet Interface?

Nov 21, 2010

My Ubuntu box has 3 interfaces:

eth0 (Internal 192.168.1.0/24)
eth1 (External ISP DHCP)
eth2 (External ISP Static IP)

I need the outgoing traffic to the internet for 1 of the internal PCs (192.168.1.10) to only go through eth2.


Networking :: Use Iptables In Order To Forward All The Incoming Packets For Port 5555 To Port 5556?

Apr 4, 2011

I'm trying to use iptables in order to forward all the incoming packets for port 5555 to port 5556 on the same server (192.168.2.101).

I wrote the following commands:

iptables -A PREROUTING -t nat -i any -p tcp --dport 5555 -j DNAT --to 192.168.2.101:5556
iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.2.101 --dport 5556 -j ACCEPT


Networking :: Iptables Can't Port Forward (PAT Port Address Translation)?

Feb 20, 2010

I'm using a Debian server as router/firewall.. I've two ethernet interfaces in the server, one for WAN and one for LAN. Then I use SNAT so my LAN clients can access the internet through the Debian router. That is working... Now I want to be able to access servers on the LAN side from the WAN side, and I want to use port address translation (PAT). I have an FTP server running on a LAN server, so I'm trying to port forward port 21.

iptables -t nat -A PREROUTING -p tcp -i eth1 -d (WANIP) --dport 21 -j DNAT --to 192.168.1.2:21

When people try to access my FTP from the WAN side, they are redirected to the local FTP server, and they are prompted for credentials, but when the credentials are typed, and the local FTP server should answer the WAN request, the connection dies.

The WAN clients are being prompted for credentials, so they are redirected to the local LAN server, but after that the connection dies, so I think there is some kind of NAT problem when the local LAN server is trying to respond to the WAN request..

Here is my iptables script:

#flush table
iptables -F
#input rules

[code]....


General :: Do A NAT Forward In Iptables?

Jan 7, 2010

I am trying to do a NAT forward in iptables but get the following error:

Quote:
[root@server88-xxx-xxx-198 openvpn]# iptables -t nat -I POSTROUTING -i tun0 -o e
iptables v1.3.5: Can't use -i with POSTROUTING

Any ideas on what to do? I have an OpenVPN server running and I need the client to use the ports on the OpenVPN server.


Server :: Iptables To Forward According To The Domain?

Jul 22, 2011

My company is a small company, and it only has one public IP, but my company has a lot of websites to access! Now I use a reverse proxy server -- Apache -- to solve it temporarily! It is not convenient for me! So I am wondering whether iptables can be used to forward according to the domain! This is the test as follows:

public IP: 10.0.0.1
private IP 1: 192.168.1.1
matching website domain: www1.test.com
private IP 2: 192.168.1.2
matching website domain: www2.test.com

And if someone accesses [URL], iptables will know they want to access 192.168.1.1 and it will forward to the server 192.168.1.1!!


Slackware :: Forward RDP Port With In Iptables?

May 4, 2010

I'm running a rather simple iptables script, but no matter what port I try to forward it won't open. Here are the basics:

Code:
ipt="/usr/sbin/iptables"
$ipt -F

[code]...


Fedora :: Iptables Loads But Won't Forward Internet / Why Is So?

May 6, 2011

I just upgraded my Fedora 13 to Fedora 14. I changed the CPU and the motherboard so I had to install from scratch... but I saved my iptables.
The problem is that
I do all the stuff
service iptables save
And apparently it works...
But every time I reboot I have to re-run the script to forward internet... Everything else works just fine... I mean I can ssh, vnc, etc but it won't forward internet :S don't know why?


Debian Configuration :: Setting IPTables Default Forward Policy?

May 3, 2010

I'm intending to replace my current router (486DX2 w/16MB running FREESCO which has been faithfully working 24/7 for well over a decade) with a Debian box with a bit more grunt and newer features. I'm currently setting up my iptables ruleset and am after a bit of advice regarding the FORWARD policy. A few example rulesets I have found set the default policy to DROP and then have two lines for each port forward, one to allow the traffic and one to direct the incoming packets to the correct machine.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination 10.0.100.10:25
iptables -A FORWARD -i eth1 -p tcp --dport 25 -o eth0 -d 10.0.100.10 -m conntrack --ctstate NEW -j ACCEPT

I'm thinking of setting the default policy to ACCEPT to cut down on typing, as my default INPUT policy is DROP and unless there is a valid FORWARD rule for a particular port, the packets aren't going anywhere anyway. Or have I misunderstood something? My googling returned heaps of example scripts & not much intelligent commentary. Alternatively, what do you all use to configure & maintain your Debian gateways; hand-rolled iptables rules, or any toolset recommendations?


Fedora :: Set The INPUT - OUTPUT And FORWARD Chains In Iptables To ACCEPT?

Oct 25, 2009

What commands do you use to set the INPUT, OUTPUT, and FORWARD chains in iptables to ACCEPT?


General :: Enabling Iptables To Forward Multicast Or Broadcast Messages

Jan 11, 2010

Can we enable iptables to forward multicast or broadcast messages?


General :: IPTables Drop Or Forward Host (Incoming Connection)

May 3, 2010

How can I drop or forward an incoming connection from part of a host name like *.alicedsl.de?
For example:
The user is connecting from *.alicedsl.de on port 12345.
So how can I drop this connection or forward it to google.com on port 80?


Ubuntu Networking :: VPN Connection Between Two LANs

Feb 18, 2010

Have you ever created a VPN connection between two LANs which are geographically far away? For example LAN1 is 192.168.1.0 and LAN2 is 10.0.0.0. If I am in LAN1 I would like to be able to ping 10.0.0.1 and get packets back.

I am trying to do it with OpenVPN. I can connect two computers from both LANs using their virtual IP but I can't do that with their private IP. I think the solution must be in creating a bridge or using the "push" command of OpenVPN, unfortunately I haven't found clear information within the internet.


Networking :: Setting Up Two Different LANs Using Three Routers?

Jun 14, 2010

So I have 3 home routers, 1 Belkin and 2 Netgear. I have my ISP internet connection coming into my Belkin, which I then have the 2 Netgear routers (from their WAN) plugged into the Belkin's LAN ports. Now the Ubuntu computers I have on Netgear LAN 1 and Netgear LAN 2 can get to the Belkin just fine (at 192.168.1.1), but I am unable to access a computer on LAN1 from a computer on LAN2 and vice-versa. My Belkin is 192.168.1.1, my Netgear1 WAN is 192.168.1.100 and Netgear2 WAN is 192.168.1.200. I have the Netgears both assigning DHCP IPs from the range 192.168.0.100 to 192.168.0.150 on their LAN ports.

Now, I have set Netgear LAN1 port 80 NAT'd to go to one of my computers on it. I try to access 192.168.1.100:80 from a computer on the Netgear LAN2 network and it says host unreachable. What am I doing wrong?


Networking :: Route-eth - Adding A Static Route?

Apr 29, 2009

I would like to add a static route; however, I do not understand what is meant by the Address setting below:

GATEWAY2=10.241.58.62
NETMASK2=255.255.255.224
ADDRESS2=10.241.57.32

Does this mean any addresses beginning with 10.241.57.32 (an address range) are routed over the gateway 10.241.58.62?


Networking :: OpenVPN - Different Subnets For Physical And Virtual LANs?

Jan 27, 2010

I have set up OpenVPN server using a bridged configuration. My networking "powers" aren't that advanced, so I did this by following the openvpn tutorial for bridged servers. I have tested this with several clients connecting to my server from different locations and it works very nicely (including broadcasts).

My server's LAN IP address is 192.168.2.4, and my LAN's mask is 24. Clients connecting to my server get assigned IP addresses that also fall within that subnet (i.e., the 192.168.2.x pool contains both physical machines in my home and "virtual" hosts). This is what the OpenVPN walkthrough specifies:

[Code]...

I was wondering if it would be possible for the VPN to fall within a different subnet (such as 10.0.1.x). I would also like to do that without adding another physical NIC to my server, or changing my physical IP address. I would imagine this is possible, since that's how hamachi does it.


Networking :: Static Routes Between Two LANS Each With Their Own ADSL Line Out

Sep 4, 2010

GNU/Linux gods, guides and superbrains. Don't be modest. It's YOU I'm talking about! I'll be your humble problem-describer-pixie / solution-testing-smurf:

Andreas Vinther, 1977, from Denmark

I'm trying to establish a connection between two separate ADSL LANs (coming into the house, but from separate ISPs) to a situation where all hosts on either LAN will be able to reach any host on either LAN WITHOUT having to use an excess of plastic routers around the house, and please no wireless bridges. WiFi will only be available as access points.

I've heard that Debian does this kind of static routing / RIP stuff quite well. And I just happen to have one lined up in the right place, that hasn't got a snowball's chance in hell of running WinXP or above. But it kills at text-based data manipulation/forwarding/rerouting/dropping/scanning ... so I've made up my mind. That is what I want to do... Now how do I get around doing stuff like that.

The Debian box (hostname: Asus) is connected to both networks:
(192.168.1.0/24 - TDC network)
and to
(192.168.15.0/24 - Profiber network)

Needless to say, both netmasks are 255.255.255.0, hence the /24. The respective routers' LAN addresses are 192.168.1.1 and 192.168.15.1. My Debian box is locked to the following IPs (reserved DHCP):

eth0: 192.158.1.56 via DHCP from 192.168.1.1
eth1: 192.168.15.177 via DHCP from 192.168.15.1

So far so good - now here we go! This is not a scenario where I'd always want all network packets to travel the shortest path, nor NECESSARILY use the other ISP's gateway if the first is down or slow, although that'll be super nice.

I suspect that'll involve router protocols like RIP. I'll be super pleased to get some guidelines there as well, as I suspect it'll be quite easy to implement once everything else is in place. Although RIP isn't our main goal, it probably comes as a close second. I think we all would like as stable and fast a connection as possible.

I was actually so naive that I thought if I added two static routes to the two routers x.x.1.1 and x.x.15.1, my problems would automatically be solved by my Debian box, and that it would automatically act as a gateway when the routers send their packets for the other net, as long as I was connected to both LANs at the same time.

Note: I haven't changed or tweaked the Debian kernel to do routing. This is a simple stable install from the net-inst.iso of Debian 5. I'd like to keep it that way unless there's no way around it.

My routers have static routes to each other (WITH PROPER CABLING), configured as follows:

(On router with LAN 192.168.1.1)
[static route] to 192.168.15.0 with netmask 255.255.255.0 going through gateway 192.158.1.56 (taken from above info) - metric around 2
Similarly on my other NIC directly cabled to another switch ---and-then-to-another---> Router

[code]....


Ubuntu Networking :: Using Endian Firewall In Order To Connect Two LANs

Feb 23, 2010

I am using Endian firewall in order to connect two LANs but I am getting many problems and I don't know how to solve them since there is not much information about this software on the internet. Do you know a good webpage about this powerful program?


Ubuntu Networking :: Share Files Across Separate LANS Using 2 Routers

Dec 22, 2010

I have 2 routers, each assigning IPs with DHCP on. One router is plugged into the cable modem; the second router is downstairs plugged into the first router. The wire runs into the WAN port of the second router. Each router has its own IP subset. The first router assigns IPs in 192.168.1.xxx, the second router IPs in 10.0.0.xxx.

I know I can use the second router as an AP with DHCP OFF. BIG BUT though is my WiFi Verizon phone got no IP assigned when running like that and wirelessly connecting to the second router. Laptops were just fine. SO, I reconfigured the second router with its own subset of IPs being handed out. Now the Verizon phone is perfect.

How can I share files between connected PCs using it this way?


Networking :: Configuring Multiple Separate LANs In Same Physical Network

Jun 27, 2010

For some simulation, I am trying to configure a setup of 3 Ubuntu desktops (one of them with multiple network cards) to behave in the following way:

Each one of them should be a separate network not seeing the others (including multicast addresses). They need to have internet access through the machine with multiple network cards. So from the point of view of each machine they define a LAN in which it is the only device and have internet access through the gateway machine.

What do I need to do to configure these machines for the above setup?
