  1. #1

    Routing between two Nics Internally

    Hello, another newbie to iptables here.

    I have a RH9 router (2 NICs) set up internally with one NIC (one subnet) regarded as unsafe.

    I do not wish to use NAT if I can help it, or maybe I do?

    I would like to have the safe side "eth0" able to access the other subnet with basically no rules at all. For the unsafe eth1 subnet I would like to lock it down to only accept, say, FTP file transfers from a specific PC.

    I have -P set to DROP for FORWARD, INPUT, OUTPUT with an ICMP chain in FORWARD that leaves pinging open between the two PCs on either side, but I only want traffic to basically go one way.

    I have RTFM but cannot find anything that talks about routing internally.

    Thanks in advance, and hope this makes sense to someone.


  2. #2
    Linux User
    Join Date
    Jan 2003
    Cardiff, Wales


    TCP/IP connections require data to be transmittable both ways as TCP is connection orientated. So there has to be some handshaking as the PCs establish a communication tunnel. This means that data must be able to travel both ways across your router, although you only want the conversation to be initiated from the internal side.

    I would look at "firestarter" as it provides a nice wizard GUI for this kind of thing.

    Don't know if it will do everything you want out of the box. You will probably still need to set up some extra rules after the basic setup.

    Good luck

    No trees were harmed during the creation of this message. It's made from a blend of elephant tusk and dolphin meat.

  3. #3
    Linux Guru sarumont
    Join Date
    Apr 2003
    You have to use NAT to do this if you want to go through the router (which I'm assuming you do). Basically, it can be done with a few simple rules:

    #makes everything seem to come from the router (only for packets leaving on eth1)
    $IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $eth1_IP
    #add ports to this for diff services (forwarded traffic is matched in FORWARD, not INPUT; --dport needs -p tcp)
    $IPTABLES -A FORWARD -o eth1 -d $safe_box_IP -p tcp --dport 21 -m state --state NEW -j ACCEPT
    #accept all related/established connections
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    Edit that to your liking and add it to your script, and you should be good to go (although it IS 5am and I might've forgotten something).
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

  5. #4
    Thank you both very much for your replies.

    Kpzani: I had an inkling that that may be the case, but......

    Somehow I got telnet to work in one direction with these rules.

    -P default DROP on all

    iptables -A FORWARD -p tcp --dport telnet -i eth0 -j ACCEPT
    iptables -A FORWARD -p tcp --sport telnet -o eth0 -j ACCEPT

    Unfortunately I'm not really sure how I stumbled on this! Do these seem right to you guys?

    I will have a look at firestarter when I get the man off of my back. OH the pressure of it all!

    Sarumont: I also thought that NAT may have to be used, as I was bumbling around for a day and a half. I just thought it would be quicker for a newbie to do it without it. I needed to get this built for the Co. quickly... am flying blind really.

    Kpzani and Sarumont:

    Are there any really good books out there on iptables? I am OK with Linux but this is my first venture into using iptables... started to sink pretty quickly!

    Just a quickie:
    To throw files over to a share, what ports do I need? 137, 139? Not sure of the NT authentication port?

    Thanks Guys

    owe you one.


  6. #5
    Linux Guru sarumont
    Join Date
    Apr 2003
    Those rules are right, though they don't allow for any restrictions. Here's a tut on IPTABLES that is pretty comprehensive:

    IPTABLES tut

    That should teach you all the basics of IPTABLES.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

  7. #6
    Just Joined!
    Join Date
    May 2004
    Dordrecht, the Netherlands
    To do routing, you do not need NAT. You only need nat if you have one routable IP address and need to have all traffic appear to come from that one IP.

    There's a couple of things to consider:

    * clients need to know the route to the (untrusted) subnet. If the router is not the default gw of the subnet, additional routing has to be defined. Often, it's easiest to do this on the default gw. Additionally, reverse ARP can be used to advertise the hosts on the untrusted (eth0) subnet to the eth1 subnet.

    * for routing, iptables is not the way to go. It mostly operates on another layer. Instead, use iproute2.

    Please read the lartc howto: It will enlighten you about how routing tables work internally and can be manipulated. As a primer into TCP/IP, I recommend TCP/IP Illustrated, Volume 1, by the late Richard Stevens.

  8. #7

    All you need to do is to enable forwarding in your box...

    echo 1 > /proc/sys/net/ipv4/ip_forward

    or set it in /etc/sysctl.conf and run sysctl -p
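Pulling the thread together, as an added example that is not any poster's code: a stateful ruleset for the two-NIC router that lets the eth0 side initiate anything towards eth1, lets only one untrusted host open FTP to one trusted host, and needs no NAT at all. The interface names, the addresses, the FTP_CLIENT/FTP_SERVER names and the apply/echo switch are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: a stateful
# two-NIC forwarding policy with no NAT. Assumed layout (constructed
# values): eth0 = trusted subnet, eth1 = untrusted subnet, FTP_CLIENT =
# the one untrusted host allowed to open FTP sessions, FTP_SERVER = the
# trusted host it may reach. IPTABLES=echo prints instead of loading.
IPTABLES="${IPTABLES:-iptables}"
IP_FORWARD="${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}"
SAFE_IF="${SAFE_IF:-eth0}"
UNSAFE_IF="${UNSAFE_IF:-eth1}"
FTP_CLIENT="${FTP_CLIENT:-192.168.2.50}"
FTP_SERVER="${FTP_SERVER:-192.168.1.10}"

# Post #7's step: without this the FORWARD chain never sees a packet.
enable_forwarding() {
    echo 1 > "$IP_FORWARD"
}

load_rules() {
    # Default-deny forwarding; INPUT/OUTPUT (the router's own traffic)
    # are left as the original poster already has them.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    # Replies to an accepted connection may cross in either direction:
    # this is how TCP handshakes both ways while only one side may
    # *initiate*, which answers the concern raised in post #2.
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Trusted side may open any connection towards the untrusted subnet.
    $IPTABLES -A FORWARD -i "$SAFE_IF" -o "$UNSAFE_IF" \
        -m state --state NEW -j ACCEPT
    # Untrusted side: one host, one destination, FTP control port only.
    # The data connections become RELATED once the conntrack helper is
    # loaded (ip_conntrack_ftp on RH9's 2.4 kernel, nf_conntrack_ftp now).
    $IPTABLES -A FORWARD -i "$UNSAFE_IF" -o "$SAFE_IF" \
        -s "$FTP_CLIENT" -d "$FTP_SERVER" \
        -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Ping both ways for troubleshooting; anything else from the
    # untrusted side falls through to the DROP policy.
    $IPTABLES -A FORWARD -p icmp --icmp-type echo-request \
        -m state --state NEW -j ACCEPT
}

# "sh rules.sh apply" (as root) loads for real; no argument does nothing.
case "${1:-}" in
    apply) enable_forwarding && load_rules ;;
esac
```

Run it once with IPTABLES=echo to review the generated rules before applying them on the router.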

