#1
    Just Joined! (Join Date: Jan 2008, Posts: 4)

    Question: iptables routing 10.69.16.0 to 10.69.18.0


    Hi, I'm new to using iptables and need some help.
    I've an external connection with a static IP to my ISP, then I've two internal subnets, in the 10.69.16.0/23 (eth0) and 10.69.18.0/23 (eth1) ranges. Each subnet has a NIC of the firewall in the different ranges; no IP aliasing used.
    I know how to set up the NAT to the web.
    I need to be able to set up rules to forward packets between the two subnets.
    I've tried to set rules on the FORWARD chain but they didn't work:

    iptables -A FORWARD -d 10.69.16.0/23 -o eth0 -j ACCEPT

    iptables -A FORWARD -d 10.69.18.0/23 -o eth1 -j ACCEPT

    I even had the FORWARD policy set to ACCEPT but no joy pinging between the subnets.
    Where am I going wrong?
    Thanks in advance,
    Mark

#2
    Linux Guru coopstah13 (Join Date: Nov 2007, Location: NH, USA, Posts: 3,149)
    Should it be /24 instead of /23? That's the only obvious thing I can think of.

#3
    Just Joined! (Join Date: Jan 2008, Posts: 4)

    Not it

    I'm using the /23 to give 512 addresses per range.

#4
    Linux Guru coopstah13 (Join Date: Nov 2007, Location: NH, USA, Posts: 3,149)
    Except since this is IPv4 you are limited to 256 addresses.

#5
    Linux Guru (Join Date: Nov 2007, Posts: 1,761)
    Your IP ranges are fine, and based on /23 and CIDR, your subnets have ~512 machine IDs...

    From your description, it sounds like you have a gateway/router with 3 NICs, where one goes to the WAN and the other 2 are the internal subnets.

    I think the source of your issues is in the rules you have set up for outgoing/masquerade packets. Are your rules checking the destination subnet before applying the masquerade rules? I know most tutorials on iptables gateways just have rules that say "if a packet is going from internal to the internet, pass it to the WAN interface." Your rules would need to check and see if the destination is the other internal subnet first.

    The best troubleshooting would be to create a LOG rule so that you can ping and then check the log to see where/why the packet was blocked/dropped.

    You may also want to look at a diagram of packet flow through iptables.

    HTH.

#6
    Just Joined! (Join Date: Jan 2008, Posts: 4)

    Re: Thanks

    Thanks for your help, but I've flushed the tables while testing the interconnection between the subnets,
    so there is no interference from other rules.
    If the filter table is set to ACCEPT as the policy, then shouldn't the box forward the packets crossing the subnets?
    I've tried this and still no joy. I thought this would allow unrestricted forwarding between the subnets; I'm beginning to think it might be something to do with the routing on the box:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.69.16.0      *               255.255.255.0   U     0      0        0 eth2
    10.69.18.0      *               255.255.255.0   U     0      0        0 eth1
    10.2.0.0        *               255.255.0.0     U     0      0        0 eth0
    169.254.0.0     *               255.255.0.0     U     0      0        0 eth2
    default         10.2.0.1        0.0.0.0         UG    0      0        0 eth0

    The 10.2.0.0 is currently the box's connection to the internet, but this can be ignored as it'll be gone soon; it will have an external address and NAT the two 10.69.xx.xx through. The card with 169.254.0.0 is just spare and going to be used as a DMZ in the near future; hoping to migrate servers over to this some time soon when we get an IP allocation.
    All help appreciated

#7
    Linux Guru (Join Date: Nov 2007, Posts: 1,761)
    You're only posting little pieces, and I think your issue is in the bigger picture...

    1) You *said* the 2 subnets you are using are /23, but in the routing table eth1 and eth2 show they are configured as /24 network members. The mask should be 255.255.254.0 on both.

    2) Otherwise, the routing table is fine.

    The bigger picture: I'll call the 3-NIC machine the "server", and then I'll call a machine on the 10.69.16.0/23 subnet "Client_A" and another machine on the 10.69.18.0/23 subnet "Client_B"...

    A) What is the ifconfig on Client_A? Is the gateway for Client_A = eth2 on the server?

    B) Same for Client_B: is its gateway = eth1 on the server? (Alternatively, there could also be a static route on the clients that points to the server as the gateway to reach the other subnet.)

    C) Are all of the iptables chains set to ACCEPT and all the rules flushed with something like iptables -F?

    D) Is ip_forwarding enabled in the kernel? Cat it or echo 1 into /proc/sys/net/ipv4/ip_forward. (This setting won't stay if you reboot.)

    Given that your NICs are configured correctly (IP/mask/gateway) and that A, B, C, and D are correct, then data sent from Client_A should reach Client_B.
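
    Added example, not from any post in this thread: a small POSIX shell helper that ties together the checklist in post #7 and the rule-ordering advice in post #5 for the gateway described here (eth2 = 10.69.16.0/23, eth1 = 10.69.18.0/23, eth0 = WAN, as in the routing table above). It converts between prefix lengths and dotted masks so the route table can be checked against the intended /23s (the 255.255.255.0 entries above would come back as /24), tests the kernel forwarding switch, and emits an iptables rule set in which the inter-subnet FORWARD rules and a LOG rule come before a MASQUERADE rule that is keyed on the WAN interface only. The function names, the IPT dry-run variable and the IP_FORWARD_FILE override are assumptions for illustration, not anything the posters used.

```shell
#!/bin/sh
# Added example (not from the thread). Helper for the three-NIC gateway above:
#   eth2 = 10.69.16.0/23   eth1 = 10.69.18.0/23   eth0 = WAN (from the thread)
# Function names, the IPT dry-run variable and IP_FORWARD_FILE are assumptions.

LAN_A_IF=eth2; LAN_A_NET=10.69.16.0/23
LAN_B_IF=eth1; LAN_B_NET=10.69.18.0/23
WAN_IF=eth0

# Set IPT="echo iptables" to print the rules instead of loading them.
IPT="${IPT:-iptables}"
# Overridable so the forwarding check can be exercised against a test file.
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# prefix_to_mask 23 -> 255.255.254.0  (what the route table should show for a /23)
prefix_to_mask() {
    p=$1; out=""; i=0
    while [ "$i" -lt 4 ]; do
        if [ "$p" -ge 8 ]; then
            octet=255; p=$((p - 8))
        else
            octet=$(( (255 << (8 - p)) & 255 )); p=0
        fi
        out="$out${out:+.}$octet"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# mask_to_prefix 255.255.255.0 -> 24  (counts set bits; the thread's typo shows up as 24, not 23)
mask_to_prefix() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    n=0
    for o in "$@"; do
        while [ "$o" -gt 0 ]; do
            n=$((n + (o & 1))); o=$((o >> 1))
        done
    done
    printf '%s\n' "$n"
}

# Check D from post #7: succeeds only when the kernel forwarding switch reads 1.
ip_forward_enabled() {
    [ "$(cat "$IP_FORWARD_FILE" 2>/dev/null)" = "1" ]
}

# Rules in the order the thread's advice implies: decide inter-subnet traffic in
# FORWARD (with a LOG rule for troubleshooting) and only masquerade packets that
# actually leave through the WAN interface.
apply_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING

    # 1. Between the two internal subnets, both directions, bound to the right NICs.
    $IPT -A FORWARD -i "$LAN_A_IF" -o "$LAN_B_IF" -s "$LAN_A_NET" -d "$LAN_B_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_B_IF" -o "$LAN_A_IF" -s "$LAN_B_NET" -d "$LAN_A_NET" -j ACCEPT

    # 2. Internal -> Internet, plus replies coming back in on the WAN side.
    $IPT -A FORWARD -i "$LAN_A_IF" -o "$WAN_IF" -s "$LAN_A_NET" -j ACCEPT
    $IPT -A FORWARD -i "$LAN_B_IF" -o "$WAN_IF" -s "$LAN_B_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. Whatever falls through is logged (rate limited) before the DROP policy hits it.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "

    # 4. NAT is keyed on the outgoing interface, so 10.69.16.x -> 10.69.18.x never matches it.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Usage: sh gateway.sh apply   (IPT="echo iptables" sh gateway.sh apply for a dry run)
if [ "${1:-}" = "apply" ]; then
    ip_forward_enabled || echo "warning: $IP_FORWARD_FILE is not 1, nothing will be forwarded" >&2
    apply_rules
fi
```

    Run the dry run first and compare the printed FORWARD rules with the output of `route -n` and `cat /proc/sys/net/ipv4/ip_forward`; with the FORWARD policy at DROP, anything that does not match the explicit rules shows up in the kernel log with the FWD-DROP: prefix, which is the LOG-based troubleshooting post #5 recommends.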

#8
    Just Joined! (Join Date: Jan 2008, Posts: 4)

    Thanks, Got It

    Hey HROAdmin26,
    Just wanna say thanks and show the respect owed to you; got that working now fully.
    Cheers for pointing out the typo on the subnet masks too (the result of too many late nights).
    Turned out IPv4 forwarding was off.
    Thanks for your patience and help.
    Regards,
    Mark

#9
    Linux Guru (Join Date: Nov 2007, Posts: 1,761)
    No problem - glad it's working for you.

