
I'm building a local server cluster.

    server2: eth0   IP:      168.168.1.2
                    Gateway: 168.168.1.1
                    NETMASK: 255.255.0.0
    server3: eth0   IP:      168.168.1.3
                    Gateway: 168.168.1.1
                    NETMASK: 255.255.0.0
    server1: eth0   IP:      168.168.1.1
             eth0:1 IP:      x.x.x.x (provided by ISP)
                    GATEWAY: x.x.x.x (provided by ISP)

I want to set up server1 as the gateway of the subnet. I can access the public network from server1 successfully; however, it fails on server2. I ran the following commands on server1:

    #iptables -t nat -F
    #iptables -t nat -A POSTROUTING -s 168.168.0.0/16  -o eth0:1 -j MASQUERADE
    #iptables -t nat -A POSTROUTING -o eth0:1 -j MASQUERADE

    #iptables -t nat -L

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    #iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain LOGGING (0 references)
    target     prot opt source               destination

On server2:

    #ping 173.194.127.240
    PING 173.194.127.240 (173.194.127.240) 56(84) bytes of data.
    From 168.168.1.1: icmp_seq=2 Redirect Host(New nexthop: x.x.x.x(ISP gateway))
    From 168.168.1.1: icmp_seq=3 Redirect Host(New nexthop: x.x.x.x(ISP gateway))
    From 168.168.1.1: icmp_seq=4 Redirect Host(New nexthop: x.x.x.x(ISP gateway))

    --- 173.194.127.240 ping statistics ---
    6 packets transmitted, 0 received, 100% packet loss, time 5950ms

What's wrong with my configuration on server1? How should I configure the gateway using iptables? Many thanks.

  • a) this question is off-topic here and belongs to http://www.serverfault.com. Wait for it to be migrated there b) I am a sysadmin with some 20 years of experience and I would neither care or dare to fiddle with iptables directly because chances are that I do something wrong or stupid. I strongly suggest to use something like [Tom Eastep's excellent *Shorewall*](http://shorewall.net) or [firewalld](https://fedoraproject.org/wiki/FirewallD) (only for RedHat-like systems). For your use case, I'd use Shorewall all the way. – Markus W Mahlberg Nov 18 '15 at 08:41

1 Answer

Using both a LAN and a WAN IP address on the same interface isn't a best practice. I'd recommend installing a new NIC for your WAN connection (e.g. eth1). Your configuration looks fine, just use eth1 instead of eth0:1 after installing the new NIC.
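Two details explain the ping output in the question. First, iptables `-i`/`-o` compare against the kernel device name (`eth0`); `eth0:1` is only a label on a second address, so a rule with `-o eth0:1` never matches a packet and MASQUERADE never happens. Second, because the ISP address sits on the same device as the LAN, server1 forwards server2's packets back out the interface they arrived on and answers with an ICMP Redirect pointing at the ISP gateway, which server2 cannot reach. The script below is an added example, not code from the question or the answer; it assumes the layout the answer recommends (a dedicated WAN NIC, assumed to be named `eth1`, LAN on `eth0`, LAN subnet 168.168.0.0/16) and replaces the wide-open `FORWARD ACCEPT` in the question with a default-drop forward chain that only passes LAN-to-WAN traffic and established replies. Without `--apply` it prints the commands it would run; with `--apply` (as root) it executes them.

```shell
#!/bin/sh
# Added example, not the question's or the answer's own code. Assumed names:
# LAN on eth0, WAN on a dedicated eth1, LAN subnet 168.168.0.0/16. All three
# can be overridden through the environment, e.g. WAN_IF=eth2.

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-168.168.0.0/16}"

# iptables matches on the kernel device name; "eth0:1" is just an address
# label on eth0, so a rule using it never matches. 0 = usable, 1 = alias.
check_if_name() {
    case "$1" in
        *:*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Emit the full gateway rule set, one command per line. Both the dry run and
# the live run go through this function, so what is printed is what runs.
gateway_rules() {
    lan_if=$1; wan_if=$2; lan_net=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.${lan_if}.send_redirects=0
iptables -t nat -F POSTROUTING
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${lan_if} -o ${wan_if} -s ${lan_net} -j ACCEPT
iptables -t nat -A POSTROUTING -s ${lan_net} -o ${wan_if} -j MASQUERADE
EOF
}

# Execute the rule set: -x echoes each command, -e stops at the first failure
# so a half-applied rule set is noticed immediately.
apply_rules() {
    gateway_rules "$LAN_IF" "$WAN_IF" "$LAN_NET" | sh -ex
}

main() {
    if ! check_if_name "$WAN_IF"; then
        echo "error: '$WAN_IF' is an address alias; use the base device name" >&2
        return 2
    fi
    if [ "${1:-}" = "--apply" ]; then
        apply_rules
    else
        gateway_rules "$LAN_IF" "$WAN_IF" "$LAN_NET"
    fi
}

main "$@"
```

After applying, check the result with `iptables -t nat -L POSTROUTING -v -n`: the plain `-L` listing in the question hides the in/out interface columns, so it cannot show whether a rule is bound to the wrong device. `send_redirects=0` stops the gateway from advertising next hops to its clients at all; with separate NICs the redirects in the ping output stop anyway, but a NAT gateway should not be telling LAN hosts to bypass it.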