
I am trying to set up a layer 3 iptables firewall with two interfaces.

My firewall has two physical interfaces: eno0, connected to my ISP's gateway, and eno1, connected to my local network gateway.

The network setup is described below:

ISP gateway: aaa.aaa.127.17
            |
            |
            | subnet: aaa.aaa.127.16/30
            |
            |
            | eno0: aaa.aaa.127.18
-----------------------------
|                           |
|       my firewall         |
|                           |
-----------------------------
            | eno1: 172.20.4.1
            |
            |
            | subnet: 172.20.4.0/30
            |
            |
            | 172.20.4.2
-----------------------------
|                           |
|     my local gateway      |
|                           |
-----------------------------
             | bbb.bbb.137.1
             |
             |
             | subnet: bbb.bbb.137.0/24
             |
             | 
 Laptop: bbb.bbb.137.20

(aaa.aaa.127.16/30 and bbb.bbb.137.1/24 are public IP ranges)

I am trying (unsuccessfully) to get internet access from my laptop. Currently, I have no filtering rules in iptables. So the problem lies in routing configuration.

I appended "1 rt2" at the end of /etc/iproute2/rt_tables, and here is the relevant part of my /etc/network/interfaces:

auto eno0
iface eno0 inet static
    address aaa.aaa.127.18
    netmask 255.255.255.252
    gateway aaa.aaa.127.17

auto eno1
iface eno1 inet static
    address 172.20.4.1
    netmask 255.255.255.252
    post-up ip route add 172.20.4.0/30 dev eno1 src 172.20.4.1 table rt2
    post-up ip route add bbb.bbb.137.0/24 dev eno1 src 172.20.4.1 table rt2
    post-up ip route add default via 172.20.4.2 dev eno1 table rt2
    post-up ip rule add from 172.20.4.1/32 table rt2
    post-up ip rule add to 172.20.4.1/32 table rt2

On my local gateway, I have a static route that redirects all traffic to 172.20.4.1 (if the destination IP isn't in the ARP table).

From the firewall, I can ping:

  • my ISP gateway (aaa.aaa.127.17)
  • Google (8.8.8.8)
  • my local gateway (172.20.4.2)

However, the problem is that I cannot ping my laptop (bbb.bbb.137.20) from the firewall.

From the laptop, I can ping my local gateway but not my firewall. From my local gateway, I can ping my firewall but not Google.

So it seems like my firewall does not know how to route traffic to bbb.bbb.137.0/24. What am I missing?

Any help is greatly appreciated.

oxley
    Why are you using 2 routers, "local gateway" and "firewall"? What OS/Device are you using on Firewall? – ALex_hha Sep 09 '17 at 15:40
  • My local gateway connects together 30+ switches, so it is where I want the local routing to occur (for many reasons, including hardware optimizations that make it much, much faster than my firewall). As for the firewall, I would do without it if my local gateway's integrated firewall was better and supported NAT, which it does not. So I am afraid I need both. To answer your question, the firewall is a Dell server running Debian 9. Anyway, I figured it out as explained below. Thanks for your help! – oxley Sep 11 '17 at 20:58

1 Answer


I eventually figured it out. I changed part of /etc/network/interfaces and it worked:

auto eno0
iface eno0 inet static
    address aaa.aaa.127.18
    netmask 255.255.255.252
    gateway aaa.aaa.127.17

auto eno1
iface eno1 inet static
    address 172.20.4.1
    netmask 255.255.255.252
    post-up ip route add bbb.bbb.137.0/24 via 172.20.4.2
    post-up ip route add 10.0.0.0/8 via 172.20.4.2
    post-up ip route add 192.168.0.0/16 via 172.20.4.2
    post-up ip route add 172.16.0.0/12 via 172.20.4.2

Also, there is no need to change /etc/iproute2/rt_tables.

oxley
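To see why the first configuration failed and the second one works, the following script simulates the Linux routing decision (ip rules walked in priority order, then a longest-prefix match inside the selected table) for both versions of the interfaces file. This is an added example, not the poster's code: it uses RFC 5737 documentation addresses as stand-ins for the anonymised ranges (203.0.113.16/30 for aaa.aaa.127.16/30, 198.51.100.0/24 for bbb.bbb.137.0/24), it models only the main and rt2 tables, and it skips the source-address selection pass the kernel performs for locally generated packets, so the "firewall-sourced" case assumes the packet is explicitly sourced from 172.20.4.1.

```python
"""Simulate Linux policy routing (ip rule + per-table longest-prefix match)
for the two /etc/network/interfaces configurations in this thread.
Constructed example; addresses are RFC 5737 stand-ins for the page's anonymised ranges."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

#   203.0.113.16/30  plays aaa.aaa.127.16/30 (ISP link): ISP gateway .17, firewall eno0 .18
#   198.51.100.0/24  plays bbb.bbb.137.0/24 (local public subnet): laptop .20
ISP_GW, FW_ENO0 = "203.0.113.17", "203.0.113.18"
FW_ENO1, LOCAL_GW, LAPTOP = "172.20.4.1", "172.20.4.2", "198.51.100.20"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None  # None = on-link: the kernel ARPs for the destination itself


@dataclass(frozen=True)
class Rule:
    table: str
    src: Optional[ipaddress.IPv4Network] = None  # "ip rule add from ..."
    dst: Optional[ipaddress.IPv4Network] = None  # "ip rule add to ..."


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def lookup(rules, tables, src, dst):
    """Walk rules in priority order; the first matching rule whose table contains a
    matching route wins, using the longest prefix within that table. Returns
    (device, next_hop) or None when every consulted table misses."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.src is not None and src not in rule.src:
            continue
        if rule.dst is not None and dst not in rule.dst:
            continue
        candidates = [r for r in tables[rule.table] if dst in r.prefix]
        if candidates:
            best = max(candidates, key=lambda r: r.prefix.prefixlen)
            return best.dev, (best.via or str(dst))
    return None


# Routes ifupdown installs from address/netmask/gateway in both configurations
BASE_MAIN = [
    Route(net("203.0.113.16/30"), "eno0"),
    Route(net("172.20.4.0/30"), "eno1"),
    Route(net("0.0.0.0/0"), "eno0", via=ISP_GW),
]

# Original attempt: the extra routes live only in table rt2, reachable through
# two rules that match solely on the firewall's own eno1 address.
ORIGINAL_TABLES = {
    "main": BASE_MAIN,
    "rt2": [
        Route(net("172.20.4.0/30"), "eno1"),
        Route(net("198.51.100.0/24"), "eno1"),  # no "via": hosts treated as on-link
        Route(net("0.0.0.0/0"), "eno1", via=LOCAL_GW),
    ],
}
ORIGINAL_RULES = [
    Rule("rt2", src=net("172.20.4.1/32")),
    Rule("rt2", dst=net("172.20.4.1/32")),
    Rule("main"),  # the implicit priority-32766 rule
]

# Working fix from the answer: routes in the main table with the local gateway as next hop.
FIXED_TABLES = {
    "main": BASE_MAIN + [
        Route(net("198.51.100.0/24"), "eno1", via=LOCAL_GW),
        Route(net("10.0.0.0/8"), "eno1", via=LOCAL_GW),
        Route(net("192.168.0.0/16"), "eno1", via=LOCAL_GW),
        Route(net("172.16.0.0/12"), "eno1", via=LOCAL_GW),
    ],
}
FIXED_RULES = [Rule("main")]


def route_reply_to_laptop(rules, tables):
    """A reply from 8.8.8.8 to the laptop being forwarded by the firewall."""
    return lookup(rules, tables, "8.8.8.8", LAPTOP)


def route_from_firewall_to_laptop(rules, tables):
    """A packet the firewall itself sends from its eno1 address to the laptop."""
    return lookup(rules, tables, FW_ENO1, LAPTOP)


if __name__ == "__main__":
    configs = {"original": (ORIGINAL_RULES, ORIGINAL_TABLES),
               "fixed": (FIXED_RULES, FIXED_TABLES)}
    for name, (rules, tables) in configs.items():
        print(f"{name}: forwarded reply  -> {route_reply_to_laptop(rules, tables)}")
        print(f"{name}: firewall-sourced -> {route_from_firewall_to_laptop(rules, tables)}")
```

Two things stand out in the simulated result. With the original rules, a forwarded reply for the laptop never matches the from/to 172.20.4.1 rules, so it falls through to the main table, which only has the default route and sends it back out eno0 toward the ISP; and even a packet sourced from 172.20.4.1 that does reach rt2 hits a route without a "via", so the next hop becomes the laptop's own address, which is not on the 172.20.4.0/30 link. Putting the routes in the main table with the local gateway as next hop fixes both. The model covers route selection only; forwarding between eno0 and eno1 additionally requires net.ipv4.ip_forward to be enabled, which the thread does not discuss.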