
I have an industrial PC with 3 Ethernet ports (RJ45, 100 MB/s). I would like to designate one as an incoming internet connection (from the company), and the other two on a private network. The private network is comprised of a PLC and a VPN connection. The VPN connection should not be able to access the company's network for security reasons. My operating system is Debian 7.7. I have followed this guide so far. My current network will assign the PC an IP address automatically with DNS, so that is good so far. But now I need direction in how to obtain my goals. I could ping the PLC before, but RSLinx would not connect to it.

Network Map

name    address        netmask          network        broadcast
eth1    10.1.1.69      255.255.255.0    10.1.1.1
eth2    192.168.0.1    255.255.255.0    192.168.0.0    192.168.0.255
eth3    192.168.0.2    255.255.255.0    192.168.0.1    192.168.0.256

root@pc223:/home/adam# ifconfig
eth1      Link encap:Ethernet  HWaddr 00:1b:eb:45:0d:74  
          inet addr:10.1.1.69  Bcast:10.1.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:ebff:fe45:d74/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4643 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2287 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1806325 (1.7 MiB)  TX bytes:222806 (217.5 KiB)
          Interrupt:6 

eth2      Link encap:Ethernet  HWaddr 00:1b:eb:46:9f:26  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:ebff:fe46:9f26/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:640 (640.0 B)  TX bytes:14136 (13.8 KiB)
          Interrupt:11 Base address:0xdd00 

eth3      Link encap:Ethernet  HWaddr 00:1b:eb:46:9f:25  
          inet addr:192.168.1.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:11 Base address:0xdc00 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:622 errors:0 dropped:0 overruns:0 frame:0
          TX packets:622 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:108090 (105.5 KiB)  TX bytes:108090 (105.5 KiB)

root@pc223:/home/adam# ip ro show
default via 10.1.1.1 dev eth1 
10.1.1.0/24 dev eth1  proto kernel  scope link  src 10.1.1.69 
192.168.0.0/24 dev eth2  proto kernel  scope link  src 192.168.0.1 
192.168.1.0/24 dev eth3  proto kernel  scope link  src 192.168.1.1 

root@pc223:/home/adam# iptables-save
# Generated by iptables-save v1.4.14 on Fri Aug  8 04:03:12 2008
*filter
:INPUT ACCEPT [4384:1816840]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2926:303271]
:fail2ban-ssh - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A fail2ban-ssh -j RETURN
COMMIT
# Completed on Fri Aug  8 04:03:12 2008

#iptables.rules
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 50000 -j DNAT --to-destination 192.168.0.3:50000
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT

# Always accept loopback traffic
-A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -i ! eth2 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
-A FORWARD -i eth1 -o eth2 -j ACCEPT

# Masquerade.
-t nat -A POSTROUTING -o eth2 -j MASQUERADE

# Don't forward from the outside to the inside.
-A FORWARD -i eth2 -o eth2 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward



# debian router/gateway in 15 minutes (online guide)
#*filter
#-A INPUT -i lo -j ACCEPT
#-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -i eth1 -p tcp -m tcp --dport 222 -j ACCEPT
#-A INPUT -i eth1 -j DROP

#update rules
# iptables-restore </etc/iptables.rules

Any help is appreciated, thank you.

xinthose
  • You really need to spend some time describing what you want, and the problems you are facing, in more detail. We need a network diagram here or something describing what you are trying to do. We need network addressing, and routing tables. – Zoredache Nov 26 '14 at 00:57
  • It sounds like you're trying to allow only related and established traffic over the VPN link, but it's just too vague to know for sure if that's what you're trying to do; let alone what your current setup is. – Sirex Nov 26 '14 at 01:01
  • I added a network map, but I do not know how to create a routing table – xinthose Nov 26 '14 at 02:03
  • What is my question lacking? I seek for my network map to be true – xinthose Nov 26 '14 at 18:57

1 Answer

  1. IP subnet ranges need to be unique per interface. eth2 & eth3 should be on different subnets, for example 192.168.0.1/24 as the address on eth2, and 192.168.1.1/24 as the address on eth3.
  2. Broadcast address on eth3 should end in 255 for a /24 subnet.
  3. Verify the ip_forward sysctl is enabled. This might help
  4. Verify appropriate iptables -L FORWARD rules are in place to allow interconnection between the interfaces.
  5. Verify PLCs on eth3 network are using the eth3 address as a default route.
Andrew Domaszek
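The following script is an added example; it is not code from the question, the answer, or the linked guide. It turns the answer's five points into something that can be checked before anything is applied: it computes network and broadcast addresses for the private NICs, rejects the overlapping subnets from the original network map, prints an iptables-restore file whose FORWARD policy defaults to DROP, and verifies that no rule in that file forwards traffic from the VPN interface to the company interface. Interface names and the 10.1.1.0/24 and 192.168.0.0/24 addresses are taken from the question; eth3 is moved to 192.168.1.0/24 as the answer suggests, and the port 50000 DNAT target 192.168.0.3 is the one in the question's own rules. Three things are assumptions not stated on the page: SSH on port 22 is accepted from the company side (the question's fail2ban chain hints at this), the PLC network may open outbound connections that are masqueraded toward the company, and VPN clients may reach the PLC network.

```shell
#!/bin/sh
# Added example for the three-NIC Debian router in the question (not the
# question's or answer's code). Only apply_rules touches the running system.

WAN=eth1            # company network, address assigned by DHCP
PLC_IF=eth2         # PLC network
VPN_IF=eth3         # VPN network (moved off 192.168.0.0/24, answer point 1)
PLC_NET=192.168.0.0/24
VPN_NET=192.168.1.0/24

# Dotted quad -> integer, using only POSIX sh arithmetic.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of ADDR PREFIX   e.g. network_of 192.168.1.77 24 -> 192.168.1.0
network_of() {
    n=$(ip_to_int "$1"); host=$(( (1 << (32 - $2)) - 1 ))
    int_to_ip $(( n & ~host ))
}

# broadcast_of ADDR PREFIX -> last address of the subnet (answer point 2)
broadcast_of() {
    n=$(ip_to_int "$1"); host=$(( (1 << (32 - $2)) - 1 ))
    int_to_ip $(( n | host ))
}

# netmask_of PREFIX -> dotted netmask, e.g. 24 -> 255.255.255.0
netmask_of() {
    host=$(( (1 << (32 - $1)) - 1 ))
    int_to_ip $(( ~host & 4294967295 ))
}

# Reads "iface addr prefix" lines on stdin; fails if two interfaces share a
# network (answer point 1). The question's eth2/eth3 pair fails this check.
check_unique_subnets() {
    seen=""
    while read -r iface addr prefix; do
        [ -z "$iface" ] && continue
        net="$(network_of "$addr" "$prefix")/$prefix"
        case " $seen " in
            *" $net "*) echo "overlap: $iface is also in $net" >&2; return 1 ;;
        esac
        seen="$seen $net"
    done
    return 0
}

# /etc/network/interfaces stanzas for the two private NICs (Debian 7 style).
interfaces_stanzas() {
    for spec in "$PLC_IF 192.168.0.1 24" "$VPN_IF 192.168.1.1 24"; do
        set -- $spec
        printf 'auto %s\niface %s inet static\n    address %s\n    netmask %s\n    broadcast %s\n\n' \
            "$1" "$1" "$2" "$(netmask_of "$3")" "$(broadcast_of "$2" "$3")"
    done
}

# Print the iptables-restore file. FORWARD defaults to DROP, so only the
# paths listed below exist; there is deliberately no ACCEPT for eth3 -> eth1.
rules_file() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# company side reaches the PLC on port 50000 (DNAT target from the question)
-A PREROUTING -i $WAN -p tcp --dport 50000 -j DNAT --to-destination 192.168.0.3:50000
# only the PLC network is masqueraded toward the company; the VPN network never is
-A POSTROUTING -s $PLC_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
-A INPUT -i $PLC_IF -j ACCEPT
-A INPUT -i $VPN_IF -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# VPN clients may reach the PLC network (assumption) and are refused toward the company
-A FORWARD -i $VPN_IF -o $PLC_IF -j ACCEPT
-A FORWARD -i $VPN_IF -o $WAN -j REJECT --reject-with icmp-admin-prohibited
# company side may open the DNATed PLC connection; PLC network may go out (assumption)
-A FORWARD -i $WAN -o $PLC_IF -p tcp -d 192.168.0.3 --dport 50000 -j ACCEPT
-A FORWARD -i $PLC_IF -o $WAN -j ACCEPT
COMMIT
EOF
}

# Succeeds only if the file rejects VPN -> company and never accepts it.
vpn_isolated() {
    rules_file | grep -q -- "-A FORWARD -i $VPN_IF -o $WAN -j REJECT" || return 1
    ! rules_file | grep -q -- "-A FORWARD -i $VPN_IF -o $WAN .*-j ACCEPT"
}

# Apply on the router itself (root): answer points 3 and 4.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1
    rules_file | iptables-restore
}
```

Run `vpn_isolated && rules_file > /etc/iptables.rules` first, then `apply_rules`; to make point 3 survive a reboot, also set `net.ipv4.ip_forward=1` in /etc/sysctl.conf. Point 5 is on the PLC side: its default gateway must be 192.168.0.1 (the eth2 address), otherwise replies to the DNATed connection never come back through the router.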