
I have an Ubuntu router machine with the following network settings:

br0 192.168.1.15 netmask 255.255.255.0
br0:1 192.168.2.209 netmask 255.255.255.248

I have a pc attached to the br0:1 network with these settings:

ip 192.168.2.210 netmask 255.255.255.248 gateway 192.168.2.209

This pc should be able to access the host 192.168.1.1 which is on the br0 network of ubuntu router.

192.168.1.1 is the WAN gateway, so how can I make it a gateway for the hosts on the 192.168.2.208/29 network?

I have enabled IPv4 forwarding on the Ubuntu router.

nixnotwin

1 Answer

First make sure 192.168.2.209 is the default gateway for 192.168.2.210 and the Ubuntu router allows traffic from the host. On 192.168.2.210:

route add default gw 192.168.2.209

On the Ubuntu router:

# br0:1 is an IP alias, not a real interface; packets arrive on br0
iptables -I FORWARD -i br0 -s 192.168.2.210 -j ACCEPT

Then you have two options. You can either SNAT the forwarded traffic on the Ubuntu router, so that 192.168.1.1 sees it as belonging to the router and knows how to return it:

iptables -t nat -I POSTROUTING -s 192.168.2.210 -j SNAT --to 192.168.1.15

or you can add the following route on the 192.168.1.1 gateway, assuming it's also a Linux host:

# -net needs the network address (192.168.2.208), not a host address
route add -net 192.168.2.208/29 gw 192.168.1.15

This tells it how to route the packets back to that network. Of course, if the gateway is filtering you will have to add filter rules for the 192.168.2.209/29 network too:

iptables -I FORWARD -s 192.168.2.210 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.2.210 -j MASQUERADE

Of course these last rules can be improved with more information.

Eduardo Ivanec
  • Worked amazingly well. I just used your first two iptables rules. – nixnotwin May 08 '11 at 17:08
  • Glad to hear that! – Eduardo Ivanec May 08 '11 at 17:10
  • with IPtables would you be able to specify the entire subnet rather than the specific host 192.168.2.210? I.E. iptables -I FORWARD -i br0:1 -s 192.168.2.208/29 -j ACCEPT ? – HostBits May 08 '11 at 18:19
  • Yes, you can use CIDR netmasks as well as non-CIDR ones - 192.168.2.208/29 or 192.168.2.208/255.255.255.248. – Eduardo Ivanec May 08 '11 at 19:21
  • I used the whole subnet 192.168.2.208/29 with the first two iptables rules in my second test. And it worked well too. When I compared web-page loading speed with the hosts on 192.168.1.0/24, it was slightly slower on 192.168.2.208/29. I pinged 192.168.1.1 from 192.168.2.210, and some packets were getting lost. Is it because NATing is being done twice? – nixnotwin May 09 '11 at 01:39
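As an added example (not code from the question or the answer), a small POSIX shell helper that derives the network address the route and iptables rules need from a host address and prefix length, so the /29 is written as 192.168.2.208/29 rather than a host address, and that emits the router-side rules for the whole subnet as asked in the comments. It only prints the commands, and it assumes the real bridge interface br0 is named rather than the alias br0:1.

```shell
#!/bin/sh
# ipv4_to_int 192.168.2.209 -> 3232236241
ipv4_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# int_to_ipv4 3232236240 -> 192.168.2.208
int_to_ipv4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_of_mask 255.255.255.248 -> 29 (count the set bits of the dotted mask)
prefix_of_mask() {
    m=$(ipv4_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# network_of HOST PREFIXLEN -> network in CIDR form: 192.168.2.209 29 -> 192.168.2.208/29
network_of() {
    ip=$(ipv4_to_int "$1")
    mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    echo "$(int_to_ipv4 $(( ip & mask )))/$2"
}

# is_network 192.168.2.209/29 -> false (host address), 192.168.2.208/29 -> true
is_network() {
    [ "$(network_of "${1%/*}" "${1#*/}")" = "$1" ]
}

# router_rules LAN_HOST PREFIXLEN IFACE ROUTER_WAN_IP
# Prints the forward-accept and SNAT rules for the whole subnet the host sits in,
# using the kernel's real interface name (br0), since an alias like br0:1 never matches.
router_rules() {
    net=$(network_of "$1" "$2")
    printf 'iptables -I FORWARD -i %s -s %s -j ACCEPT\n' "$3" "$net"
    printf 'iptables -t nat -I POSTROUTING -s %s -j SNAT --to-source %s\n' "$net" "$4"
}

# Constructed values from the question: PC 192.168.2.210/29 behind router WAN IP 192.168.1.15
router_rules 192.168.2.210 "$(prefix_of_mask 255.255.255.248)" br0 192.168.1.15
```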