  1. #1

    Question Iptables Routing to

    Hi, I'm new to using iptables and need some help.
    I've an external connection with a static IP to my ISP, then I've two internal subnets, both in (eth0) and range. Each subnet has a NIC of the firewall in the different ranges, no IP aliasing used.
    I know how to set up the NAT to the web.
    I need to be able to set up rules to forward packets between the two subnets.
    I've tried to set rules on the FORWARD chain but they didn't work:

    iptables -A FORWARD -d -o eth0 -j ACCEPT

    iptables -A FORWARD -d -o eth1 -j ACCEPT

    I even had the FORWARD policy set to ACCEPT but no joy pinging between the subnets.
    Where am I going wrong????
    Thanks in advance

  2. #2
    coopstah13 (Linux Guru, joined Nov 2007, NH, USA)
    Should it be /24 instead of /23? That's the only obvious thing I can think of.

  3. #3

    Not it

    I'm using the /23 to give 512 addresses per range

  5. #4
    coopstah13 (Linux Guru, joined Nov 2007, NH, USA)
    Except, since this is IPv4, you are limited to 256 addresses.

  6. #5
    Your IP ranges are fine - and based on /23 and CIDR, your subnets have ~512 machine IDs...

    From your description, it sounds like you have a gateway/router with 3 NICs, where one goes to the WAN, and the other 2 are the internal subnets.

    I think the source of your issues is in the rules you have set up for outgoing/masquerade packets. Are your rules checking the destination subnet before applying masquerade rules? I know most tutorials on iptables gateways just have rules that say "if a packet is going internal to internet, pass to the WAN interface." Your rules would need to check and see if the destination is the other internal subnet first.

    The best troubleshooting would be to create a LOG rule so that you can ping and then check the log to see where/why the packet was blocked/dropped.

    You may also want to look at a diagram of packet flow through iptables.


  7. #6

    Re: Thanks

    Thanks for your help, but I've flushed the tables while testing the interconnection between the subnets,
    so there is no interference from other rules.
    If the filter table is set to ACCEPT as the policy, then the box should forward the packets crossing the subnets.
    I've tried this and still no joy; I thought this would allow unrestricted forwarding between the subnets. I'm beginning to think it could be something to do with the routing on the box:

    Destination  Gateway  Genmask  Flags  Metric  Ref  Use  Iface
                 *                 U      0       0    0    eth2
                 *                 U      0       0    0    eth1
                 *                 U      0       0    0    eth0
                 *                 U      0       0    0    eth2
    default                        UG     0       0    0    eth0

    The is currently the box's connection to the internet, but this can be ignored as it'll be gone soon; it will have an external address and NAT the two 10.69.xx.xx through. The card with is just spare and is going to be used as a DMZ in the near future; hoping to migrate servers over to this some time soon when we get an IP allocation.
    All help appreciated

  8. #7
    You're only posting little pieces and I think your issue is in the bigger picture...

    1) You *said* the 2 subnets you are using are /23, but in the routing table eth1 and eth2 show they are configured as /24 network members - the mask should be on both.

    2) Otherwise, the routing table is fine.

    The bigger picture: I'll call the 3 NIC machine the "server" and then I'll call a machine on the subnet "Client_A", and another machine on the subnet "Client_B"...

    A) What is the ifconfig on Client_A? Is the gateway for Client_A = eth2 on the Server?

    B) Same for Client_B - is its gateway = eth1 on the Server? (Alternatively, there could also be a static route on the clients that point to the server as the gateway to reach the other subnet.)

    C) Are all of the iptables chains set to ACCEPT and all the rules flushed with something like iptables -F?

    D) Is ip_forwarding enabled in the kernel? Cat it or echo 1 into /proc/sys/net/ipv4/ip_forward. (This setting won't stay if you reboot.)

    Given that your NICs are configured correctly (IP/mask/gateway) and that A, B, C, and D are correct, then data sent from Client_A should reach Client_B.
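
    A scripted version of that checklist, added here and not written by anyone in the thread. It assumes `route -n` and `iptables -S` output as input and uses a constructed sample (10.69.0.0/23 and 10.69.2.0/23 behind eth2 and eth1, 192.0.2.0/24 on eth0) that reproduces the two faults the thread found:

```shell
#!/bin/sh
# Added example, not from the thread: scripts the checklist in post #7 for the
# items readable off the box (route masks, filter policies/rules, ip_forward).
# Each function takes its input as an argument so it can run on captured output.

# 1) Internal routes should carry the intended mask (/23 = 255.255.254.0).
#    Args: expected Genmask, WAN interface to skip, `route -n` output.
check_masks() {
    printf '%s\n' "$3" | awk -v want="$1" -v wan="$2" '
        NR > 1 && $4 !~ /G/ && $8 != wan && $3 != want {
            printf "%s: %s has mask %s, expected %s\n", $8, $1, $3, want; bad = 1 }
        END { exit bad + 0 }'
}

# C) Every filter chain at ACCEPT and no leftover rules. Arg: `iptables -S` output.
check_policies() {
    printf '%s\n' "$1" | awk '
        $1 == "-P" && $3 != "ACCEPT" { printf "chain %s policy is %s\n", $2, $3; bad = 1 }
        $1 == "-A" { n++ }
        END { if (n) { printf "%d rule(s) still loaded, try iptables -F\n", n; bad = 1 }
              exit bad + 0 }'
}

# D) Kernel forwarding. Arg: contents of /proc/sys/net/ipv4/ip_forward.
check_ip_forward() {
    [ "$1" = "1" ] && return 0
    echo "ip_forward is $1; echo 1 > /proc/sys/net/ipv4/ip_forward (not persistent)"
    return 1
}

# Runs all three checks; the return value is the number that failed.
run_checks() {
    n=0
    check_masks "$1" "$2" "$3" || n=$((n + 1))
    check_policies "$4" || n=$((n + 1))
    check_ip_forward "$5" || n=$((n + 1))
    return $n
}

# Constructed sample: two internal /23s typed as /24 and forwarding off.
ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.69.0.0       0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.69.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0'
RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
run_checks 255.255.254.0 eth0 "$ROUTES" "$RULES" 0 && echo "all checks passed"
```

    On a real box, feed it `"$(route -n)"`, `"$(iptables -S)"` and `"$(cat /proc/sys/net/ipv4/ip_forward)"` instead of the sample strings.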

  9. #8

    Thanks Got It

    Hey HROAdmin26,
    just wanna say thanks and show the respect owed to you; got that working now fully.
    Cheers for pointing out the typo on the subnet masks too (the result of too many late nights).
    Turned out to be IPv4 forwarding was off.
    Thanks for your patience and help

  10. #9
    No problem - glad it's working for you.
