  1. #1 mornsen, Just Joined! (Jan 2012)

    Question: Ubuntu gateway port forwarding on two networks

    I am trying to make a license server (w/ static IP) on network1 accessible for all clients in network2.

    Setup:

    I am using an ubuntu server as gateway between the two networks

    network1: 11.49.X.X Subn: 255.255.240.0
    network2: 10.48.0.X Subn: 255.255.255.0
    The license server is located at 11.49.14.213 (netw1)

    The gateway has two network cards installed: eth0: 11.49.9.250 [netw1] & eth1: 10.48.0.1 [netw2] and is working as DHCP server for network2.

    To realize the port forwarding I use iptables with following commands:

    Code:
    #iptables -t nat -A PREROUTING -p tcp -i eth1 -d 10.48.0.1 --dport 1947 -j DNAT --to-destination 11.49.14.213
    #iptables -t nat -A POSTROUTING -p tcp -d 11.49.14.213 -j MASQUERADE
    #iptables -A FORWARD -p tcp -i eth1 -o eth0 --dport 1947 -j ACCEPT
    note: I changed the default policies to ACCEPT, so there should be no need to fiddle around with the filter rules while testing. Also, I applied the previous rules for udp as well.

    The Problem:

    Just for testing purposes, I ran a web server on the license server as well (of course I applied the above rule with port 80 then) - this works! ... I can also access port 1947 via cmd and telnet from the clients.

    The problem is just the license server is not responding.

    Are the rules correct? Do I need something else? like SNAT or is masquerading enough?

    Another aspect is that, before I started, I changed network2 from 192.168.0.X to the currently applied 10.48.0.X. Before I changed this the port forwarding worked!

    I did the network change via /etc/network/interfaces to:

    Code:
    auto eth1
    iface eth1 inet static
        address 10.48.0.1
        netmask 255.255.255.0
    ...and the /etc/dhcp3/dhcpd.conf to:

    Code:
    subnet 10.48.0.0 netmask 255.255.255.0 {
      range 10.48.0.100 10.48.0.199;
      option routers 10.48.0.1;
      option domain-name-servers 10.48.0.1;
      option subnet-mask 255.255.255.0;
    }
    and restarted both services.

    route gives me:

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    10.48.0.0       *               255.255.255.0   U     0      0        0 eth1
    11.49.0.0       *               255.255.240.0   U     0      0        0 eth0
    Is there anything else I should have changed on the gateway?
    Anything I could have missed out while changing the networks?
    Are the iptables rules correct at all?
    And is it correct that I don't have to care about the INPUT/OUTPUT/FORWARD chains, as long as the default policy is set to ACCEPT?

    best regards and thank you for your time

    M.
    Last edited by mornsen; 01-23-2012 at 02:14 PM.

  2. #2 Kloschüssel, Linux Engineer (Italy, joined Oct 2005)
    1] Does the license server need the IP or MAC address of the computer requesting a license to decide whether the host has a valid or invalid license?

    If so, NAT can't work for you.

    2] If you use NAT, the gateway is the one who answers your license requests, since it masquerades the license server.

    So, all requests to the license server (11.49.14.213) from hosts in the subnet 10.48.0.0/24 have to be sent to 10.48.0.1.

    3] Would a simple route on the gateway be enough? The gateway should be able to route packets from 10.48.0.0/24 to the other network and back.

    See "man route" for more information.

    Cheers
    Last edited by Kloschüssel; 01-24-2012 at 06:20 AM. Reason: fix typo

  3. #3 mornsen, Just Joined! (Jan 2012)
    Thank you for your reply.

    The license server does not need MAC or IP addresses ... as soon as the client is reaching the server it should work.

    My problem at the moment is that I get totally confused with the whole routing thing.

    Since I am using Ubuntu server, my question is ... where shall I put which gateway information?

    Just to clarify the problem:
    My Ubuntu gateway is the DHCP server for network 2 - in network 1 my Ubuntu gateway is a regular DHCP client. I am not sure if I totally mix this up, but I set my /etc/network/interfaces to:
    Code:
    # The loopback network interface
    auto lo
    iface lo inet loopback
    
    # The primary network interface
    auto eth0
    iface eth0 inet static
        address 11.49.8.250
        netmask 255.255.240.0
        gateway 11.49.10.101
    
    # The secondary network interface
    auto eth1
    iface eth1 inet static
        address 10.48.0.1
        netmask 255.255.255.0
        gateway 10.48.0.1
    Is that correct?

  4. #4 Kloschüssel, Linux Engineer (Italy, joined Oct 2005)
    Quote: "where shall I put which gateway information?"
    I can't answer this question because there are more than one possible solutions. But I would like to encourage you to learn how iptables and the kernel work together when it comes to routing decisions.

    Quote: "Is that correct?"
    I suppose it is? But since the gateway of the subnet 11.49.8.0/20 is 11.49.10.101, 11.49.10.101 has to learn that packets for 10.48.0.0/24 have to be routed through 11.49.8.250. I.e. something like:

    Code:
    % route add 10.48.0.0/24 11.49.8.250
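The two questions above, "is masquerading enough, or do I need SNAT?" from #1 and the route that #4 says 11.49.10.101 must learn, are two views of one return-path problem. The following added example (not code from this thread) traces both with a small longest-prefix-match simulator. It assumes a constructed topology: the client is 10.48.0.100, the gateway's eth0 is 11.49.8.250 (the address given in #3), the upstream router 11.49.10.101 knows only 11.49.0.0/20 until a route for 10.48.0.0/24 is added, and the license server's default route points at 11.49.10.101. None of those last three facts is stated on the page; they are assumptions for the example.

```python
import ipaddress

# Constructed topology (assumptions, not facts from the thread): who owns
# which address, and each host's routing table as (network, gateway, device).
HOST_OF = {
    "10.48.0.100": "client",      # a DHCP client on network2
    "10.48.0.1": "gateway",       # ubuntu gateway, eth1
    "11.49.8.250": "gateway",     # ubuntu gateway, eth0 (address used in #3)
    "11.49.10.101": "router",     # upstream gateway of network1
    "11.49.14.213": "license",    # the license server
}
ROUTES = {
    "client":  [("10.48.0.0/24", None, "eth0"), ("0.0.0.0/0", "10.48.0.1", "eth0")],
    "gateway": [("10.48.0.0/24", None, "eth1"), ("11.49.0.0/20", None, "eth0"),
                ("0.0.0.0/0", "11.49.10.101", "eth0")],
    "router":  [("11.49.0.0/20", None, "eth0")],   # knows nothing about 10.48.0.0/24
    "license": [("11.49.0.0/20", None, "eth0"), ("0.0.0.0/0", "11.49.10.101", "eth0")],
}


def lookup(table, dst):
    """Longest-prefix match over one host's table, like the kernel FIB."""
    addr, best = ipaddress.ip_address(dst), None
    for net, gw, dev in table:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, dev)
    return best


def trace(start, dst, routes=ROUTES, max_hops=8):
    """Hand a packet for dst from host to host; return (status, hops)."""
    host, hops = start, []
    for _ in range(max_hops):
        hops.append(host)
        if HOST_OF.get(dst) == host:
            return "delivered", hops
        route = lookup(routes[host], dst)
        if route is None:
            return f"no route on {host}", hops
        nxt = HOST_OF.get(route[1] or dst)   # next hop: gateway, or on-link dst
        if nxt is None:
            return f"{host} cannot resolve {route[1] or dst}", hops
        host = nxt
    return "loop", hops


def license_flow(masquerade, router_knows_net2):
    """Forward path through the DNAT, then the reply, under two knobs."""
    routes = {h: list(t) for h, t in ROUTES.items()}
    if router_knows_net2:   # the route #4 wants on 11.49.10.101
        routes["router"].append(("10.48.0.0/24", "11.49.8.250", "eth0"))
    # Client sends to 10.48.0.1:1947; PREROUTING DNAT rewrites dst on the gateway.
    to_gw = trace("client", "10.48.0.1", routes)
    to_lic = trace("gateway", "11.49.14.213", routes)
    # The server replies to whatever source it saw: the client itself, or
    # (with MASQUERADE) the gateway's eth0 address.
    reply = trace("license", "11.49.8.250" if masquerade else "10.48.0.100", routes)
    if masquerade and reply[0] == "delivered":
        # conntrack undoes both rewrites and the gateway forwards to the client
        reply = trace("gateway", "10.48.0.100", routes)
    return {"forward": to_gw[0] == to_lic[0] == "delivered",
            "reply": reply[0], "reply_hops": reply[1]}


if __name__ == "__main__":
    for masq, known in ((False, False), (True, False), (False, True)):
        print(f"masquerade={masq} router_route={known}: {license_flow(masq, known)}")
```

Without MASQUERADE and without the static route, the reply leaves the license server towards 11.49.10.101 and dies there (on a real network the router may instead push it to its own default gateway, with the same result). Either MASQUERADE on the gateway or the route from #4 (in the syntax #6 gives) closes the loop; with MASQUERADE the license server only ever sees the gateway's address, which is the point #2 makes.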

  5. #5 mornsen, Just Joined! (Jan 2012)
    I am currently reading stuff ... but it all confuses me ... also it's not helping that Ubuntu seems to handle it differently than other Linux distributions.

    When I do
    Code:
    sudo route add 10.48.0.0/24 11.49.8.250
    route: netmask 000000ff doesn't make sense with host route
    When I do it without the netmask:
    Code:
    sudo route add 10.48.0.0 11.49.8.250
    SIOCADDRT: No such device

    I think that's my main point ... where shall I add the rules to - eth1 or eth0?

  6. #6 Kloschüssel, Linux Engineer (Italy, joined Oct 2005)
    That doesn't work because 11.49.8.250 is not a network device. See "man route" and please read that manual page carefully to understand the options and switches for that powerful command.

    Cheers & good luck!

    hint:
    Code:
    route add -net 192.168.98.0 netmask 255.255.255.0 gw 192.168.99.1

  7. #7 Lazydog, Linux Guru (The Keystone State, joined Jun 2004)
    First question is: are there only 2 interfaces on this Ubuntu box? If so, and you do not have to worry about outside traffic, then all you need to do is turn on forwarding on the Ubuntu box. Routing would be done automatically by the system.

    Is there any need to use iptables at all? Do you require a firewall at all? If these are the only 2 connections then you shouldn't need any MASQ setup on this box, unless one of the networks has a connection to the Internet, in which case you should already have a firewall set up on that connection.

    Posting a diagram of your network layout and the routing table of the ubuntu box would help a lot.

    Regards
    Robert

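#7 asks whether a firewall is needed at all, and #1 notes that the default policies were set to ACCEPT for testing. The following added example (not code from this thread) shows what a least-privilege version of the same port forward looks like and audits both variants from their iptables-save dumps. The two rulesets are constructed: the first renders the rules posted in #1 the way iptables-save would print them, with the ACCEPT defaults; the second keeps the same DNAT but drops in FORWARD by default, passes replies by conntrack state, and pins the MASQUERADE to eth0 and the port. The audit logic (FORWARD policy, a FORWARD ACCEPT matching each DNAT target, a state rule when the policy is DROP, and -o on every source-NAT rule) is the editor's own, not an iptables feature.

```python
import ipaddress

# Constructed iptables-save dumps (assumption: this is how the rules in #1
# would be rendered, with the default policies the poster set to ACCEPT).
RULESET_AS_POSTED = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.48.0.1/32 -i eth1 -p tcp -m tcp --dport 1947 -j DNAT --to-destination 11.49.14.213
-A POSTROUTING -d 11.49.14.213/32 -p tcp -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -p tcp -m tcp --dport 1947 -j ACCEPT
COMMIT
"""

# Same forwarding, least privilege: FORWARD drops by default, replies are
# allowed by conntrack state, MASQUERADE is pinned to eth0 and the port.
RULESET_HARDENED = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.48.0.1/32 -i eth1 -p tcp -m tcp --dport 1947 -j DNAT --to-destination 11.49.14.213
-A POSTROUTING -d 11.49.14.213/32 -o eth0 -p tcp -m tcp --dport 1947 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 11.49.14.213/32 -i eth1 -o eth0 -p tcp -m tcp --dport 1947 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Turn '-A FORWARD -i eth1 ... -j ACCEPT' into {option: [values]}."""
    toks, opts, i = line.split(), {}, 0
    while i < len(toks):
        if not toks[i].startswith("-"):      # stray value, skip it
            i += 1
            continue
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        opts.setdefault(toks[i], []).append(toks[i + 1] if has_val else True)
        i += 2 if has_val else 1
    return opts


def first(opts, key):
    vals = opts.get(key)
    return vals[0] if vals else None


def parse_save(text):
    """iptables-save text -> {table: {"policy": {chain: policy}, "rules": [...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":") and table is not None:
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line.startswith("-A") and table is not None:
            table["rules"].append(parse_rule(line))
    return tables


def permits_new(rule, target, port):
    """Does this FORWARD rule accept a NEW connection to target:port?"""
    if first(rule, "-j") != "ACCEPT":
        return False
    state = first(rule, "--ctstate")
    if state and "NEW" not in state.split(","):
        return False             # ESTABLISHED,RELATED rules only pass replies
    dst = first(rule, "-d")
    if dst and ipaddress.ip_address(target) not in ipaddress.ip_network(dst):
        return False
    dport = first(rule, "--dport")
    return dport is None or dport == port


def audit(text):
    """Findings for a DNAT port-forward ruleset; empty list means clean."""
    tables, empty = parse_save(text), {"policy": {}, "rules": []}
    filt, nat = tables.get("filter", empty), tables.get("nat", empty)
    fwd = [r for r in filt["rules"] if first(r, "-A") == "FORWARD"]
    findings = []
    if filt["policy"].get("FORWARD") != "DROP":
        findings.append("FORWARD policy is not DROP: any host/port is forwardable")
    elif not any(first(r, "--ctstate") for r in fwd):
        findings.append("FORWARD drops by default but has no ESTABLISHED,RELATED rule")
    for r in nat["rules"]:
        jump = first(r, "-j")
        if jump == "DNAT":
            target = first(r, "--to-destination").split(":")[0]
            port = first(r, "--dport")
            if not any(permits_new(f, target, port) for f in fwd):
                findings.append(f"DNAT to {target}:{port} has no FORWARD ACCEPT rule")
        elif jump in ("MASQUERADE", "SNAT") and "-o" not in r:
            findings.append(f"{jump} rule has no -o: it rewrites on every interface")
    return findings
```

Run against a live box with `iptables-save | python3 audit.py` style plumbing (reading stdin is the only change needed). The posted ruleset yields two findings, the open FORWARD policy and the unscoped MASQUERADE; the hardened one yields none. Note the hardened set still needs `net.ipv4.ip_forward=1`, which neither ruleset can express.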
