3

I have an Ubuntu machine that is my firewall

The Machine has 2 NIC Cards. eth0 and eth1. eth1 is connected to a modem that gives it an IP of 10.10.1.X

eth1 is required to provide DHCP on 192.168.2.X and have another IP from a switch that is connected to a router that provides DHCP on 192.168.1.X

Currently this machine has the following IPs

eth0 - 10.10.0.4
eth1 - 192.168.2.1 (DHCP Server, Gateway)
eth1:0 - 102.168.1.103

I am trying to accomplish the following

If a machine is connected to eth1 over a switch, It should be able to ping 192.168.1.10 which

 [Modem+Router 10.1.1.0/24]
   |
   |
   |
 (eth0)                  |----- [ Server 192.168.1.10]
 Ubuntu                  |
Firewall (eth1) ----- [Switch]-----[Modem+Router 192.168.1.0/24]
         (eth1:0)--------| \
                            \
                             \--------[EndPoint 192.168.2.4]

My fundamental problem lies in the fact that I receive packets coming from 2.4 that are destined for the internet and I am able to route them properly using IpTables. Whereas, If a packet arrives for 1.10, I am supposed to send it back to the switch with the appropriate options set.

I have tried the following

  • setting the default gateway for 1.0 to be 2.1 at 2.4 and set the next hop as 1.1 which i hoped would do the right forwarding
  • I have also bridged eth1 and eth1:0 using bridge-utils and then applied iptables forwarding for anyone in 2.X wanting to go out to the internet from 10.10.0.1
Hitesh Dharamdasani
  • 133
  • 1
  • 4
  • 1
    1) Should `eth1:0` be `*192*.168.1.103`? 2) Addresses are useless without netmasks/prefixes, please add them. 3) "*If a packet arrives for 1.10...*"; yes, but *from where*? 4) You mention setting a route on 2.4 for 1.0/?? via 2.1, but 2.1 does not appear on the diagram. By and large, this question would be improved by a big dose of **show, not tell** - show us examples of PINGs / TCP attempts that do/don't work, instead of just saying what you think you can and can't do. – MadHatter Dec 17 '15 at 09:32

1 Answers1

3

Your configuration generally should work out of the box. Routing in principle is supported by Linux routing code and has nothing to do with Netfilter. "iptables" is userspace utility for configuration of kernel Netfilter framework, which do filtering and packet modification (mangling and address translation), but does not do any routing. So it is incorrect to say "I route using iptables".

Bridging is also different sort of things and isn't supposed to help you here. Bridging of aliased interfaces probably should make a loop and thus break networking in that ethernet segment.

You need routes on both sides, for example, ip route add 192.168.2.0/24 via 192.168.1.103 on hosts in 192.168.1.0/24 network and set up 192.168.2.1 as default gateway on hosts in 192.168.2.0/24 network.

If you have tightly set firewall on firewall box, you need to enable forwarding of traffic from eth1 to eth1:1 and back:

iptables -A FORWARD -i eth1 -o eth1:0 -j ACCEPT
iptables -A FORWARD -o eth1 -i eth1:0 -j ACCEPT

Or you might need only one first rule, if you alredy have configured stateful firewall with iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT or with -m state (obsolete).

Special iptables configuration is only needed if you want to masquerade that traffic, for hosts in 192.168.1.0/24 to not know that you are connecting from 192.168.2.0/24 network. Then you not need any additional routes on .1.0/24 side, but need NAT rule and forward enable rule:

iptables -t nat -A POSTROUTING -o eth1:1 -s 192.168.2.0/24 -o 192.168.1.0/24 -j SNAT --to-source 192.168.1.103
iptables -A FORWARD -i eth1 -o eth1:0 -j ACCEPT
Nikita Kipriyanov
  • 10,947
  • 2
  • 24
  • 45
  • Thanks @Nikita. The `iptables -A FORWARD -i eth1 -o eth1:0 -j ACCEPT iptables -A FORWARD -o eth1 -i eth1:0 -j ACCEPT` is what i was missing, And you are right. The bridging did not help because it should not. – Hitesh Dharamdasani Dec 17 '15 at 12:53