
I have a problem with routing on Linux.

My ISP gives me 2 ranges of public addresses, let's say:
192.168.11.0/30 (4 addresses) - router
192.168.33.0/29 (8 addresses) - servers

Additionally I have on the router (192.168.11.2) a second interface eth1, behind NAT - LAN 10.0.0.0/8.

Network 192.168.11.0/30 has the network address (192.168.11.0), gateway (192.168.11.1), host (192.168.11.2) and broadcast (192.168.11.3). Network 192.168.33.0/29 has the network address (192.168.33.0), 6 host addresses (192.168.33.1-6) and broadcast (192.168.33.7) – no gateway.

Host 192.168.11.2 from network 192.168.11.0/30 is some kind of router for my local network 10.0.0.0/8 and routes traffic for 192.168.33.0/29.

Traceroute from somewhere on the internet to any address in network 192.168.33.0/29 leads to host 192.168.11.2 (not the gateway 192.168.11.1).

My configuration:
On 192.168.11.2:

$ route -n

Destination     Gateway         Genmask          Flags Metric Ref    Use Iface
0.0.0.0         192.168.11.1    0.0.0.0          UG    0      0        0 eth0
192.168.11.0    0.0.0.0         255.255.255.252  U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.0.0.0        U     0      0        0 eth1
192.168.33.0    0.0.0.0         255.255.255.248  U     0      0        0 eth0

On, for example, 192.168.33.6:

$ route -n

Destination     Gateway         Genmask          Flags Metric Ref    Use Iface
0.0.0.0         192.168.11.2    0.0.0.0          UG    0      0        0 eth0
192.168.11.0    0.0.0.0         255.255.255.252  U     0      0        0 eth0
192.168.33.0    0.0.0.0         255.255.255.248  U     0      0        0 eth0

On 192.168.11.2 there is no entry regarding this traffic in iptables, just something like this:

iptables -A FORWARD -i eth0 -o eth0 -s 192.168.33.0/29 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth0 -d 192.168.33.0/29 -j ACCEPT

The ISP says that I should route 192.168.33.0/29 traffic through 192.168.11.2 (host) and this is working, but my problem is that all traffic that comes to, for example, 192.168.33.6 always has, in iptables on 192.168.33.6, the source of the host from the first network – 192.168.11.2 (the host that is the gw for network 192.168.33.0/29), not the original source IP of the traffic.

That makes a problem, because on a host such as 192.168.33.6 I want the firewall to allow ssh only from the router LAN (10.0.0.1, where the gw is 192.168.33.2) and my home (let's say 192.168.231.15). In the end all traffic is allowed because the source address that iptables displays is 192.168.33.2...

I understand that I could leave the firewall on 192.168.33.6 empty and filter traffic on the router 192.168.11.2, but for a few reasons I cannot do it this way.

Xavier Lucas
tomiozo
  • You should be doing routing (IP forwarding) on 192.168.11.2 and then the traffic will come from the real addresses, but it sounds like you're actually doing Network Address Translation (NAT/masquerading) and resending everything from 192.168.11.2 source. What Linux distribution / version is that server running, and how did you configure it? – TessellatingHeckler May 28 '15 at 22:19
  • I used 192.168.x.x just as an example; both ranges are public, so I don't think I should hide a public address behind NAT. The 10.0.0.0 network in the example is a private network and it uses NAT. – tomiozo May 28 '15 at 22:30
  • I don't mean the internal network. When you wrote: `my problem is that all traffic that come to for example 192.168.33.6, in iptables on 192.168.33.6 have always source of host from first network – 192.168.11.2` - that sounds like you are NAT'ing the entire internet, rewriting all incoming traffic to have the public address of the 192.168.11.2 server. So I ask what network interfaces there are, how things are plugged in, what IP addresses there are, what sysctl / network settings you configured, what IPtables rules you added or the full list of them... that kind of thing. – TessellatingHeckler May 28 '15 at 22:33
  • Let's start from the beginning... What does `iptables -L -n -v` say? – krisFR May 28 '15 at 23:36
  • @TessellatingHeckler was right. I had the iptables entry `-A POSTROUTING -o eth0 -j MASQUERADE` on the router; updating it to `-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE` solved the problem. – tomiozo May 29 '15 at 13:08

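The root cause in the comments above is a nat POSTROUTING MASQUERADE rule with no `-s` match: it rewrites the source of every packet forwarded out of eth0, including routed public traffic for 192.168.33.0/29, so the servers behind the router only ever see 192.168.11.2 and cannot filter by real client address. The following is an added example, not code from the question or its comments: a POSIX shell audit that scans an `iptables-save` style dump for POSTROUTING MASQUERADE rules that lack a source restriction. The dump it reads is a constructed sample containing the original over-broad rule and the scoped fix from the last comment; on a live router you would feed it `iptables-save` output instead.

```shell
#!/bin/sh
# Added example (not from the question): find MASQUERADE rules in the nat
# POSTROUTING chain that are not limited to a source network. Such a rule
# masquerades all forwarded traffic leaving the interface, which hides the
# real source addresses from hosts that are merely routed through the box.

# Constructed sample in iptables-save format: the over-broad rule from the
# question and the scoped rule that fixed it.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
COMMIT'

# Filter: keep POSTROUTING MASQUERADE rules, drop the ones carrying " -s ".
# Reads stdin, so on a router: iptables-save | unscoped_masquerade
# (a rule written with the long form "--source" would need that spelling
# added to the last grep; the sample only uses "-s").
unscoped_masquerade() {
    grep -- '^-A POSTROUTING ' | grep -- '-j MASQUERADE' | grep -v -- ' -s '
}

# Number of unscoped rules in the dump passed as the first argument.
count_unscoped() {
    printf '%s\n' "$1" | unscoped_masquerade | wc -l | tr -d ' '
}

# Returns 0 when every MASQUERADE rule is scoped to a source network,
# 1 when at least one rule would masquerade everything leaving the interface.
check_masquerade_scope() {
    if printf '%s\n' "$1" | unscoped_masquerade | grep -q .; then
        return 1
    fi
    return 0
}

# Stand-alone run: report on the constructed sample.
echo "unscoped MASQUERADE rules in sample: $(count_unscoped "$SAMPLE_RULES")"
if check_masquerade_scope "$SAMPLE_RULES"; then
    echo "OK: all MASQUERADE rules are limited to a source network"
else
    echo "WARNING: the following rule(s) masquerade all forwarded traffic:"
    printf '%s\n' "$SAMPLE_RULES" | unscoped_masquerade
fi
```

On the sample the audit flags only `-A POSTROUTING -o eth0 -j MASQUERADE`; the rule scoped with `-s 10.0.0.0/8` passes, which matches the fix reported in the comments. The same check is a reasonable thing to run after any change to the nat table on a box that both routes a public prefix and masquerades a private LAN.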
0 Answers