- 01-23-2012 #1
Ubuntu gateway port forwarding on two networks
I am trying to make a license server (w/ static IP) on network1 accessible for all clients in network2.
Setup:
I am using an ubuntu server as gateway between the two networks
network1: 11.49.X.X Subn: 255.255.240.0
network2: 10.48.0.X Subn: 255.255.255.0
The license server is located at 11.49.14.213 (netw1)
The gateway has two network cards installed: eth0: 11.49.9.250 [netw1] & eth1: 10.48.0.1 [netw2] and is working as DHCP server for network2.
To realize the port forwarding I use iptables with following commands:
Code:
# iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.48.0.1 --dport 1947 -j DNAT --to 11.49.14.213
# iptables -t nat -A POSTROUTING -p tcp -d 11.49.14.213 -j MASQUERADE
# iptables -A FORWARD -p tcp -i eth1 -o eth0 --dport 1947 -j ACCEPT
note: I changed the default policies to ACCEPT - so there should be no need to fiddle around with the filter rules while testing. Also, I applied the previous rules as well for udp.
The Problem:
Just for testing purposes, I ran a web server on the license server as well (of course applied the upper rule with port 80 then) - this works! ... I can also access port 1947 via cmd and telnet from the clients.
The problem is just the license server is not responding.
Are the rules correct? Do I need something else? like SNAT or is masquerading enough?
Another aspect is that, before I started, I changed network2 from 192.168.0.X to the currently applied 10.48.0.X. Before I changed this the port forwarding worked!
I did the network change via /etc/network/interfaces to:
Code:
auto eth1
iface eth1 inet static
    address 10.48.0.1
    netmask 255.255.255.0
...and the /etc/dhcp3/dhcpd.conf to:
Code:
subnet 10.48.0.0 netmask 255.255.255.0 {
    range 10.48.0.100 10.48.0.199;
    option routers 10.48.0.1;
    option domain-name-servers 10.48.0.1;
    option subnet-mask 255.255.255.0;
}
and restarted both services.
route gives me:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.48.0.0       *               255.255.255.0   U     0      0        0 eth1
11.49.0.0       *               255.255.240.0   U     0      0        0 eth0
Is there anything else I should have changed on the gateway?
anything I could have missed out while changing the networks?
Are the iptables rules correct at all?
and is it correct that I don't have to care about the INPUT/OUTPUT/FORWARD chains, as long as the default policy is set to ACCEPT?
best regards and thank you for your time
M.
Last edited by mornsen; 01-23-2012 at 02:14 PM.
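On the default-policy question in the post above, an added example (not written by any poster in this thread): the same port forward expressed as an iptables-restore ruleset in which the FORWARD policy is DROP and only the license port plus its return traffic may cross the gateway. Interface names and addresses are those posted above; the DROP policy, the conntrack matches and the `show`/`apply` arguments are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Interfaces and addresses are the ones
# posted above; FORWARD policy DROP is this example's choice.
LAN_IF=eth1             # network2 side (10.48.0.X)
WAN_IF=eth0             # network1 side (11.49.X.X)
GW_LAN_IP=10.48.0.1     # address the clients connect to
LICENSE_IP=11.49.14.213
PORT=1947

# Print an iptables-restore ruleset on stdout; nothing is applied here.
ruleset() {
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
  for proto in tcp udp; do
    # Rewrite the destination of client traffic aimed at the gateway.
    printf '%s\n' "-A PREROUTING -i $LAN_IF -d $GW_LAN_IP -p $proto --dport $PORT -j DNAT --to-destination $LICENSE_IP:$PORT"
    # Source-NAT only the forwarded flow, so replies return via the gateway.
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -d $LICENSE_IP -p $proto --dport $PORT -j MASQUERADE"
  done
  printf '%s\n' 'COMMIT' '*filter' \
    ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
    '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  for proto in tcp udp; do
    # Only new connections from network2 to the license port may cross.
    printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -d $LICENSE_IP -p $proto --dport $PORT -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# "apply" (as root) enables forwarding, syntax-checks, then loads the rules.
# Loading replaces the current contents of the nat and filter tables.
if [ "${1:-}" = "apply" ]; then
  sysctl -w net.ipv4.ip_forward=1
  ruleset | iptables-restore --test && ruleset | iptables-restore
elif [ "${1:-}" = "show" ]; then
  ruleset
fi
```

With a static address on eth0, `-j SNAT --to-source <eth0 address>` in place of `-j MASQUERADE` gives the same result.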
- 01-24-2012 #2
1] Does the license server need the IP or MAC address of the computer requesting a license to decide whether the host has a valid or invalid license?
If so, NAT can't work for you.
2] If you use NAT, the gateway is the one who answers your license requests since he masquerades the license server.
So, all requests to the license server (11.49.14.213) have to be sent to 10.48.0.1 for all hosts out of the subnet 10.48.0.0/24.
3] Would a simple route on the gateway be enough? The gateway should be able to route packets from 10.48.0.0/24 to the other network and back.
See "man route" for more information.
Cheers
Last edited by Kloschüssel; 01-24-2012 at 06:20 AM. Reason: fix typo
- 01-24-2012 #3
thank you for your reply.
the license server does not need mac or ip addresses ... as soon as the client is reaching the server it should work.
My problem at the moment is that I get totally confused with the whole routing thing.
since I am using ubuntu server my question is ... where shall I put which gateway information?
Just to clarify the problem:
My ubuntu gateway is the DHCP server for network 2 - In network 1 my ubuntu gateway is a regular DHCP client. I am not sure if I totally mix this up but I set in my /etc/networking/interfaces to:
Code:
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 11.49.8.250
    netmask 255.255.240.0
    gateway 11.49.10.101

# The secondary network interface
auto eth1
iface eth1 inet static
    address 10.48.0.1
    netmask 255.255.255.0
    gateway 10.48.0.1
Is that correct?
- 01-24-2012 #4
Quote:
where shall I put which gateway information?
I can't answer this question because there is more than one possible solution. But I would like to encourage you to learn how iptables and the kernel work together when it comes to routing decisions.
Quote:
Is that correct?
I suppose it is? But since the gateway of the subnet 11.49.8.0/20 is 11.49.10.101, 11.49.10.101 has to learn that packets for 10.48.0.0/24 have to be routed through 11.49.8.250. I.e. something like:
Code:
% route add 10.48.0.0/24 11.49.8.250
- 01-24-2012 #5
I am currently reading stuff ... but it all confuses me ... also it's not helping that ubuntu seems to handle it differently than other linux distributions.
when I do
Code:
sudo route add 10.48.0.0/24 11.49.8.250
route: netmask 000000ff doesn't make sense with host route
when I do it w/o the netmask:
Code:
sudo route add 10.48.0.0 11.49.8.250
SIOCADDRT: No such device
I think that's my main point ... where shall I add the rules to - eth1 or eth0?
- 01-24-2012 #6
That doesn't work because 11.49.8.250 is not a network device. See "man route" and please read that manual page carefully to understand the options and switches for that powerful command.
Cheers & good luck!
hint: route add -net 192.168.98.0 netmask 255.255.255.0 gw 192.168.99.1
- 01-31-2012 #7
First question is: are there only 2 interfaces on this ubuntu box? If there are and you do not have to worry about outside traffic then all you need to do is turn on FORWARDing on the ubuntu box. Routing would be done automatically by the system.
Is there any need to use iptables at all? Do you require a firewall at all? If these are the only 2 connections then you shouldn't need any MASQ setup on this box unless on one of the networks there is a connection to the Internet then on that connection you should already have a firewall setup.
Posting a diagram of your network layout and the routing table of the ubuntu box would help a lot.


