Double IP forwarding not working

Question

I have the following 2 debian servers in my scenario: The first one is my main openvpn server, it has 2 NICS active eth0 (172.25.156.146) and eth3 (172.26.16.1) - The second server has also 2 NICS active eth0 172.26.16.16, and eth1 10.77.144.75. Both servers are directly connected on 172.26.16.0/24.

Some services/servers in my LAN are only accessible from the 2nd server(hence the direct connection), and in order to make these internal servers/services accessible from the main server(172.25.156.146), the following rules have been enabled:

on the main server:

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.25.156.145  0.0.0.0         UG        0 0          0 eth0
10.77.144.0     172.26.16.16    255.255.255.0   UG        0 0          0 eth3 # internal servers range
10.250.250.0    0.0.0.0         255.255.255.0   U         0 0          0 tap3
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
172.16.16.0     0.0.0.0         255.255.255.0   U         0 0          0 tap1
172.17.17.0     0.0.0.0         255.255.255.0   U         0 0          0 tap5
172.25.132.0    172.25.156.145  255.255.255.128 UG        0 0          0 eth0
172.25.156.144  0.0.0.0         255.255.255.248 U         0 0          0 eth0
172.26.16.0     0.0.0.0         255.255.255.0   U         0 0          0 eth3 #route back

to the second server

172.31.249.0    0.0.0.0         255.255.255.0   U         0 0          0 tap4
192.168.0.0     192.168.0.1     255.255.255.0   UG        0 0          0 tap6
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 tap6
192.168.88.0    192.168.88.2    255.255.255.0   UG        0 0          0 tun0
192.168.88.2    0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.200.0   192.168.200.1   255.255.255.0   UG        0 0          0 tap2
192.168.200.0   0.0.0.0         255.255.255.0   U         0 0          0 tap2
192.168.200.100 192.168.200.1   255.255.255.255 UGH       0 0          0 tap2


/proc/sys/net/ipv4/ip_forward = 1

iptables rules (even though it is not relevant)
Chain INPUT (policy ACCEPT 24M packets, 15G bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 16463 packets, 985K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  252 15593 ACCEPT     all  --  tun0   eth0    192.168.88.0/24      10.77.128.0/24       ctstate NEW
1671K  742M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tun0   eth0    192.168.88.0/24      10.77.120.0/24       ctstate NEW

Chain OUTPUT (policy ACCEPT 16M packets, 18G bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  192.168.88.0/24      10.77.128.0/24       ctstate NEW
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.88.0/24      10.77.120.0/24       ctstate NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

on the second server

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        10.77.144.1     255.0.0.0       UG        0 0          0 eth1
10.77.144.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1 # towards the internal servers
172.25.132.0    10.77.144.1     255.255.255.128 UG        0 0          0 eth1
172.26.16.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0 # route back to the main server
192.168.88.0    172.26.16.1     255.255.255.0   UG        0 0          0 eth0

iptables rules:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:telnet state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2330  127K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
41784 2293K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
   14   840 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  947  149K DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 4346  833K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    9   512 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 state NEW
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
10620  879K ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 47570 packets, 19M bytes)
 pkts bytes target     prot opt in     out     source               destination

and the ip forwarding is enabled.

The issue: from the main server I am not able to ping on of the internal server, but I can from the second server. Any help will be highly appreciated.

One gets more detailed information about exactly what iptables rules are in place by using the `iptables-save` command. Before trying to use iptables between internal subnets I recommend getting routing between the subnets working without any iptables rules. It is harder to debug, if you don't know whether the problems are caused by misconfigured routing or misconfigured iptables rules. — kasperd, Nov 24 '14 at 13:33
Dear all, please ignore my above problem, found the solution: I missed the following rule on the second server root@armittage:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE root@armittage:~# iptables -A FORWARD -i eth1 -j ACCEPT root@armittage:~# iptables -A FORWARD -i eth0 -j ACCEPT root@armittage:~# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE — Ants0, Nov 24 '14 at 19:52
@Ants0 please post this as an answer to your question and mark it as such as soon as you are able to. — the-wabbit, Nov 24 '14 at 22:20

score 0 · Answer 1 · edited Mar 16 '16 at 02:40

0

The following solved the above issue (if it is executed on the second server):

root@armittage:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@armittage:~# iptables -A FORWARD -i eth1 -j ACCEPT
root@armittage:~# iptables -A FORWARD -i eth0 -j ACCEPT
root@armittage:~# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE –

edited Mar 16 '16 at 02:40

Pierre.Vriens

1,159
34
15
19

answered Mar 15 '16 at 21:24

Ants0

41
5

Double IP forwarding not working

on the main server:

to the second server

on the second server

iptables rules:

1 Answers1