  1. #1
    Just Joined!
    Join Date
    Feb 2010
    Posts
    6

    iptables struggles. One LAN, two WAN


    Hi all,

    I am having a lot of problems with getting my iptables to behave as I want them to. I have read quite a bit about how to use iptables and have been more confused afterwards as a rule. :-/

    I have NAT working, and finally now have it routing through specific WAN interfaces depending on which LAN IP address the packet is coming from. I now have two main issues remaining:

    1. I have had to put an entry in crontab that checks that the default route is still correct, and resets it if not, as the default route keeps being changed back to eth0 (it should be eth2) and I have no idea why.

    2. I would really like to route packets on certain ports via certain WAN interfaces. eg: Put all port 25 and 110 through eth2 so that email uses the slower Internet connection that doesn't charge by the MB.

    A quick description of my network layout:
    -The NAT server is running Cent OS 5.
    -eth0 is my fast (alright, not so slow) Internet connection. It has a small data limit and charges $0.30/MB after reaching that limit. Don't want to use this much! Last bill (before I realised that the default route was resetting itself) was $1,800.
    -eth1 is my internal LAN. Multiple computers, some need fast access, some not. Want all of them to use the slow access for email and browsing to certain sites (youtube anyone?).
    -eth2 is the slow Internet. Just above dialup speed, but reliable and no limit on data usage. All heavy users and time non-sensitive goes through this.

    I am more than happy to post my iptables rules etc that I am using, along with any other relevant info. I personally feel that problem number 1 needs to be dealt with before we can really deal with anything else, but I will bow to superior knowledge.

    Awaiting your replies...

  2. #2
    Just Joined!
    Join Date
    Feb 2010
    Posts
    6

    Update

    Thanks everyone for swamping me with your replies (I received none). I didn't realise that mine were such difficult questions.

    When typing in my query above I thought of different wording for my Google queries in regard to the default route.

    It turns out that unless you set a default route in /etc/sysconfig/network Linux will set the last interface to come up as the default route. Beats me why it would keep changing itself though. Seems to be a good idea to remove any default route from /etc/sysconfig/network-scripts/ifcfg-* too.

    Still stuck on the routing by port though. Keep in mind I do not want to port forward (or do I?).

    Any help on this one?

  3. #3
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    It's not that it is a difficult question, just time consuming.
    What are you wanting to route out the fast WAN port?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  4. #4
    Just Joined!
    Join Date
    Feb 2010
    Posts
    6
    Hi Robert,

    Thanks for answering. I am wanting all traffic from some computers and all email, no matter what computer it is from, to go through the slow WAN, with the remainder of traffic to go through the fast WAN.

    At the moment I have the default route set to the slow WAN, with specific ip rules putting certain computers (recognised by IP address) through the fast WAN.

    All I am looking for is a working example rule to forward, for example, port 25 through the slow WAN even if the default route for that particular computer is the fast WAN. If I must put these rules in a particular order then that too would be appreciated. My plan is to then modify them to do the same with other ports as needed.

    Thanks for your help

  5. #5
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Quote Originally Posted by compever:
    At the moment I have the default route set to the slow WAN, with specific ip rules putting certain computers (recognised by IP address) through the fast WAN.
    I would be interested in how you are doing this.
    What or how are you doing this today?

    Regards
    Robert

  6. #6
    Just Joined!
    Join Date
    Feb 2010
    Posts
    6

    Current setup details.

    I am using CentOS 5 with a modified version (so as to support two WAN interfaces) of a firewall script I found doing the NAT. I initially removed most comments and blank lines from it to save space here, but found it to be much harder to read, so I have left most in.

    Code:
    # External (Internet-facing) interface
    EXTIF1="eth2"
    EXTIF2="eth0"
    # External Internet router
    EXTIPR2="10.0.0.138"
    
    # External interface names
    EXTNAME2="Bigpond"
    EXTNAME1="Clearnetworks"
    
    # External IP address (automatically detected)
    EXTIP1=$(/sbin/ip addr show dev "$EXTIF1" | perl -lne 'if(/inet (\S+)/){print$1;last}');
    
    # External IP address (automatically detected)
    EXTIP2=$(/sbin/ip addr show dev "$EXTIF2" | perl -lne 'if(/inet (\S+)/){print$1;last}');
    
    # Internal interface
    INTIF="eth1"
    
    # Internal IP address (in CIDR notation)
    INTIP="192.168.1.1/32"
    
    # Internal network address (in CIDR notation)
    INTNET="192.168.1.0/24"
    
    # The address of anything/everything (in CIDR notation)
    UNIVERSE="0.0.0.0/0"
    
    echo "External-1: [Interface=$EXTIF1] [IP=$EXTIP1] [Name=$EXTNAME1]"
    echo "External-2: [Interface=$EXTIF2] [IP=$EXTIP2] [Name=$EXTNAME2]"
    echo "Internal: [Interface=$INTIF] [IP=$INTIP] [Network:$INTNET]"
    
    echo
    echo -n "Loading rules..."
    
    # Enabling IP forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    /sbin/iptables-restore <<-EOF;
    
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    
    ###################################################
    # INPUT: Incoming traffic from various interfaces #
    ###################################################
    
    # Loopback interface is valid
    -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
    
    # Local interface, local machines, going anywhere is valid
    -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
    
    # Remote interface, claiming to be local machines, IP spoofing, get lost
    -A INPUT -i $EXTIF1 -s $INTNET -d $UNIVERSE -j REJECT
    -A INPUT -i $EXTIF2 -s $INTNET -d $UNIVERSE -j REJECT
    
    # External interface, from any source, for ICMP traffic is valid
    -A INPUT -i $EXTIF1 -p ICMP -s $UNIVERSE -d $EXTIP1 -j ACCEPT
    -A INPUT -i $EXTIF2 -p ICMP -s $UNIVERSE -d $EXTIP2 -j ACCEPT
    
    # Allow any related traffic coming back to the MASQ server in.
    -A INPUT -i $EXTIF1 -s $UNIVERSE -d $EXTIP1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i $EXTIF2 -s $UNIVERSE -d $EXTIP2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    
    # Internal interface, DHCP traffic accepted
    -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
    -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
    
    # External interface, HTTP/HTTPS traffic allowed
    -A INPUT -i $EXTIF1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP1 --dport 80 -j ACCEPT
    -A INPUT -i $EXTIF1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP1 --dport 443 -j ACCEPT
    -A INPUT -i $EXTIF2 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP2 --dport 80 -j ACCEPT
    -A INPUT -i $EXTIF2 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP2 --dport 443 -j ACCEPT
    
    # External interface, SSH traffic allowed
    #-A INPUT -i $EXTIF1 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP1 --dport 22 -j ACCEPT
    #-A INPUT -i $EXTIF2 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -p tcp -s $UNIVERSE -d $EXTIP2 --dport 22 -j ACCEPT
    
    # Accept port 1234 to be forwarded (this rule needs to correspond with PREROUTING rules in NAT table)
    #-A FORWARD -i $EXTIF1 -o $INTIF -p tcp --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    
    # Catch-all rule, reject anything else
    -A INPUT -s $UNIVERSE -d $UNIVERSE -j REJECT
    
    ####################################################
    # OUTPUT: Outgoing traffic from various interfaces #
    ####################################################
    
    # Workaround bug in netfilter
    -A OUTPUT -m conntrack -p icmp --ctstate INVALID -j DROP
    
    # Loopback interface is valid.
    -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
    
    # Local interfaces, any source going to local net is valid
    -A OUTPUT -o $INTIF -s $EXTIP1 -d $INTNET -j ACCEPT
    -A OUTPUT -o $INTIF -s $EXTIP2 -d $INTNET -j ACCEPT
    
    # local interface, MASQ server source going to the local net is valid
    -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
    
    # outgoing to local net on remote interface, stuffed routing, deny
    -A OUTPUT -o $EXTIF1 -s $UNIVERSE -d $INTNET -j REJECT
    -A OUTPUT -o $EXTIF2 -s $UNIVERSE -d $INTNET -j REJECT
    
    # anything else outgoing on remote interface is valid
    -A OUTPUT -o $EXTIF1 -s $EXTIP1 -d $UNIVERSE -j ACCEPT
    -A OUTPUT -o $EXTIF2 -s $EXTIP2 -d $UNIVERSE -j ACCEPT
    
    # Internal interface, DHCP traffic accepted
    -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
    -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
    
    # Catch-all rule, all other outgoing is denied (no LOG rule precedes this, so nothing is logged).
    -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j REJECT
    
    # Accept replies (any protocol) belonging to established or related connections
    -A FORWARD -i $EXTIF1 -o $INTIF -m conntrack --ctstate ESTABLISHED,RELATED  -j ACCEPT
    -A FORWARD -i $EXTIF2 -o $INTIF -m conntrack --ctstate ESTABLISHED,RELATED  -j ACCEPT
    
    # Allow packets across the internal interface
    -A FORWARD -i $INTIF -o $INTIF -j ACCEPT
    
    # Forward packets from the internal network to the Internet
    -A FORWARD -i $INTIF -o $EXTIF1 -j ACCEPT
    -A FORWARD -i $INTIF -o $EXTIF2 -j ACCEPT
    
    # Catch-all REJECT rule
    -A FORWARD -j REJECT
    
    COMMIT
    
    ###########################
    # Address translations (only; there is no actual forwarding done here)
    ###########################
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    
    # ----- Begin OPTIONAL FORWARD Section -----
    
    #Optionally forward incoming tcp connections on port 1234 to 192.168.0.100
    #-A PREROUTING -p tcp -d $EXTIP1 --dport 1234 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.100:1234
    
    # ----- End OPTIONAL FORWARD Section -----
    
    # IP-Masquerade
    -A POSTROUTING -o $EXTIF1 -j MASQUERADE
    -A POSTROUTING -o $EXTIF2 -j MASQUERADE
    
    COMMIT
    EOF
    I then run a file I created myself:

    Code:
    # Remove all default routes
    # This was done back when the default route kept resetting itself.
    ip route del default via 192.168.5.100
    ip route del default via 10.0.0.138
    
    # Create the table to allow access through the fast Internet
    ip route add default via 10.0.0.138 dev eth0 table 1 #Telstra
    
    # Create the table to allow access through the slower Internet
    # to be specified if we so desire
    ip route add default via 192.168.5.100 dev eth2 table 2 #Clearnetworks
    
    # Now add the default route that we actually want to use (via sat)
    ip route add default via 192.168.5.100 dev eth2
    
    # Allow the virtual computers (that need it) to use the fast Internet
    ip rule add from 192.168.1.80 table 1
    ip rule add from 192.168.1.81 table 1
    ip rule add from 192.168.1.82 table 1
    
    # Person 1
    ip rule add from 192.168.1.71 table 1
    
    # Person 2's iPhone
    ip rule add from 192.168.1.70 table 1
    
    # Person 3's laptop
    ip rule add from 192.168.1.96 table 1
    
    # Trash all cached records of routes
    ip route flush cache
    Both of these files are called by rc.local, in the order shown.

    I have a DHCP server set up to hand out the correct IP addresses to the relevant computers, specified by MAC address. If I can do the routing by MAC address rather than by IP address that would be preferred, but I have not even looked into that one. Not until routing by port is working.

    Eagerly awaiting your reply, and hoping I didn't dump too much info.

  7. #7
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Routing is done by IP Address not ports. Sure you can manipulate the packets with iptables but the packets are still going to be routed by their IP Addresses. Sure you could probably do it, but the headaches aren't worth it to me. I see what all that fancy routing does at work and the troubles it causes so I'm not even going to walk down that path. Sorry.

    Regards
    Robert

  8. #8
    Just Joined!
    Join Date
    Feb 2010
    Posts
    6
    Hi Robert,

    Oh well. Thanks anyway. I hear what you say about complexity etc, but I would really like to learn.

    Any other takers?

  9. #9
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Here is the biggest problem, you are going to have to know what the ip addresses are going to be of the end points in order to add them to the routing tables to allow them to then use the faster connection.

    If you really want to do this then make the fast network the default route and add routes for the destination sites you want to use the slow connection.

    This way the ip addresses that you want to be on the slow connection will always be there and everything else will use the fast connection.

    Trying to do things with ports is only going to be a headache.

    Regards
    Robert
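
    The port-based split asked for in #4 and #6, plus the destination-based alternative suggested in #9, as an added example that is not the thread's own script: packets to the email ports are marked in the mangle table before the routing decision, and a fwmark rule placed ahead of the per-host source rules sends them to the slow-WAN table. Interface names, gateways, table numbers and the host list come from post #6; the fwmark value, the rule priorities and the dry-run wrapper are assumptions.

```shell
# Added example, not the thread's own script. Interfaces, gateways, table
# numbers and the per-host list come from post #6; the fwmark value (2) and
# the rule priorities (100 / 200) are assumptions.
SLOW_IF="eth2";  SLOW_GW="192.168.5.100"; SLOW_TABLE="2"
FAST_IF="eth0";  FAST_GW="10.0.0.138";    FAST_TABLE="1"
LAN_IF="eth1";   LAN_NET="192.168.1.0/24"
FAST_HOSTS="192.168.1.80 192.168.1.81 192.168.1.82 192.168.1.71 192.168.1.70 192.168.1.96"
SLOW_PORTS="25 110"   # SMTP and POP3: always via the unmetered link
MARK_SLOW="2"         # fwmark meaning "must leave via the slow WAN"

# Print the command when DRY_RUN is set (preview, no root needed), else run it.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

configure_policy_routing() {
    # One routing table per WAN, slow WAN as the main-table default (as in post #6).
    run ip route replace default via "$FAST_GW" dev "$FAST_IF" table "$FAST_TABLE"
    run ip route replace default via "$SLOW_GW" dev "$SLOW_IF" table "$SLOW_TABLE"
    run ip route replace default via "$SLOW_GW" dev "$SLOW_IF"

    # Mark LAN packets for the email ports in mangle/PREROUTING, i.e. before
    # the routing decision; MASQUERADE in nat/POSTROUTING then rewrites the
    # source to whichever WAN address the chosen table selects.
    for port in $SLOW_PORTS; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$port" -j MARK --set-mark "$MARK_SLOW"
    done

    # Ordering is the whole trick: rules are evaluated by ascending priority,
    # so the fwmark rule (100) wins over the per-host source rules (200).
    run ip rule add fwmark "$MARK_SLOW" lookup "$SLOW_TABLE" priority 100
    for host in $FAST_HOSTS; do
        run ip rule add from "$host" lookup "$FAST_TABLE" priority 200
    done
    run ip route flush cache   # older kernels (CentOS 5 included) cache route lookups
}

# Post #9's destination-based variant, as a rule rather than a route so that it
# also applies to hosts whose source rule selects the fast table.
pin_destination_slow() {
    run ip rule add to "$1" lookup "$SLOW_TABLE" priority 100
}

# APPLY=1 sh thisfile   (as root) applies the rules; DRY_RUN=1 previews them.
if [ "${APPLY:-}" = "1" ]; then configure_policy_routing; fi
```

    Rules are appended, so before re-running flush mangle PREROUTING and delete the old ip rules (the thread's own script has the same re-run issue). Reply packets need no mark: the conntrack ESTABLISHED,RELATED rules in post #6 already accept them on whichever WAN they arrive.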

  10. #10
    Just Joined!
    Join Date
    Feb 2010
    Posts
    6
    Thanks for the suggestion Robert.

    I won't be changing the default route to the fast Internet connection as this install will still occasionally put _everything_ through the default route. This is how my last excess data cost me $1800 for the month!

    This only started happening after I installed CentOS 5 as the OS, so this weekend that will be changing again. One of the things I have always liked about Linux is that once you set things, they stay that way. Not so apparently with Ubuntu, and now CentOS. At least I have found how to stop the auto side of Ubuntu.

    I won't bug you about the ports again. Well, probably not.
