IP tables with 2 routers
So first let me explain the current situation:
I have 2 routers, both with 5 network cards (both on different subnets). On both machines I have the following configuration: eth0 is the internet connection, eth1 is the connection to the other router and the other network cards are for the subnets.
My current iptables script allows all the subnets of one router to see each other, but not the subnets of the other router.
In the new situation I want not all but only specific subnets to see each other (no problem here). The issue is that some of these subnets are subnets of the other router. For example, the subnet of eth2 on router1 should be able to connect to eth3 on router2. This is where eth1 comes into play.
My plan was to configure iptables so that in the above example eth2 would be forwarded to eth1, which will forward to eth1 on router2. Then the iptables configuration on router2 will forward it to the network card of the correct subnet.
eth2 (router1) -> eth1 (router1)
eth1 (router1) -> eth1 (router2)
eth1 (router2) -> eth3 (router2)
Now here's my problem: I don't know how to tell this to Mr. iptables.
I'm using a script to configure iptables with rules like this:
-A POSTROUTING -o eth2 -s 192.168.10.0/24 -j MASQUERADE
Thanks for your time reading my long post, and I would be very thankful if you can help me out here.
PS. With subnets "seeing" each other I of course mean being able to make a TCP connection between the subnets.
Masquerading is to do NAT. You don't need NAT to talk between your subnets. Instead, you have to NAT only connections going to the Internet and not NAT the others.
e.g. in the NAT table, do -j ACCEPT for all your subnet-to-subnet connections before doing your general NATing (MASQUERADE or SNAT/DNAT) to the Internet.
Now for your traffic to go to the right place, it's not the iptables job but a routing job. You can do special routing tables based on source and destination subnet (see Linux Advanced Routing: Linux Advanced Routing & Traffic Control manpages).
Basically, you need to create several routing tables, use 'ip rule' to select traffic and 'ip route'.
Some examples to read:
LiNUX Horizon - Linux Advanced Routing mini HOWTO
You can also search Google: linux destination based routing
Thanks for your reply RDU. I'm using the iptables config file of the old situation, which was made by someone else. This guy has put all the subnets (including the internet connection one) in the nat table. It works fine, so I thought to leave it that way.
I know it is possible to do with routing tables, but I thought it should be possible with iptables too, which would be great because I would only have one script to administrate. So are you saying it is impossible, or are you just saying it's more logical to do with the routing table?
Again, thanks for your time.
You should have all your subnets in the NAT table to allow them to access the Internet, but only when the destination IP is non-local. When the source and destination are local (e.g. subnetA1 to subnetB3), you should have no NAT (not mandatory but highly recommended to follow your traffic).
I'd do something like this:
on firewall A
iptables -t nat -A POSTROUTING -d subnetB1 -j ACCEPT
iptables -t nat -A POSTROUTING -d subnetB2 -j ACCEPT
iptables -t nat -A POSTROUTING -d subnetB3 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
on firewall B
iptables -t nat -A POSTROUTING -d subnetA1 -j ACCEPT
iptables -t nat -A POSTROUTING -d subnetA2 -j ACCEPT
iptables -t nat -A POSTROUTING -d subnetA3 -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
I think it's not possible to do it without using routing (iptables only). But for the policy routing, you can use ip rule to select the correct routing table, OR you can also use iptables to MARK the packet and then route on that mark. But in both cases, you'll have ip route commands. Anyway, you can include them in the same script.
on firewall A:
iptables -t mangle -A PREROUTING -d subnetB1 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -d subnetB2 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -d subnetB3 -j MARK --set-mark 10
ip rule add prio 10 table 10 fwmark 10
ip route add default table 10 proto static nexthop via 192.168.x.x dev ethX
And the same stuff on B.
This way, you MARK packets going to the other firewall's subnets with mark #10 and use a specific routing table (table #10) to define a different route than the one in the standard routing table.
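Router A's side of the mark-and-route setup above as one script, added here as an illustration and not code from the thread; the interface names, the 10.0.0.2 link address, the remote subnets and the allowed interface-to-subnet pairs are assumed placeholders, and DRY_RUN=1 prints the rules instead of applying them so they can be reviewed first.

```shell
#!/bin/sh
# Router A side of the setup described above (added example; router B needs the mirror image).
# Assumed placeholders: interface names, the link address of router B, the remote subnets
# and the allowed interface-to-subnet pairs.
WAN_IF=eth0                                    # internet uplink
LINK_IF=eth1                                   # eth1-to-eth1 link to router B
PEER_IP=10.0.0.2                               # assumed: router B's address on that link
REMOTE_NETS="192.168.20.0/24 192.168.30.0/24"  # assumed: subnets behind router B
ALLOWED="eth2=192.168.30.0/24 eth3=192.168.20.0/24"  # assumed policy: local if -> remote subnet
MARK=10
TABLE=10

# With DRY_RUN=1 the commands are printed instead of executed, so the rule set can be reviewed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_router_a() {
    run sysctl -w net.ipv4.ip_forward=1
    # 1. NAT: exempt traffic for router B's subnets, then masquerade what leaves the uplink.
    #    The ACCEPT rules must precede MASQUERADE, as nat rules are matched in order.
    for net in $REMOTE_NETS; do
        run iptables -t nat -A POSTROUTING -d "$net" -j ACCEPT
    done
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # 2. Policy routing: mark packets for router B's subnets and route marked packets
    #    over the inter-router link via a dedicated table. (A plain static route per
    #    remote subnet would do the same here; the mark form matches the reply above.)
    for net in $REMOTE_NETS; do
        run iptables -t mangle -A PREROUTING -d "$net" -j MARK --set-mark "$MARK"
    done
    run ip rule add fwmark "$MARK" table "$TABLE" priority 10
    run ip route add default via "$PEER_IP" dev "$LINK_IF" table "$TABLE"
    # 3. Forwarding policy: drop by default, allow replies, then only the listed
    #    local-interface -> remote-subnet pairs over the link (router B must allow
    #    the matching "-i eth1 -o ethN -d <its subnet>" rule on its side).
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for pair in $ALLOWED; do
        in_if=${pair%%=*}
        net=${pair#*=}
        run iptables -A FORWARD -i "$in_if" -o "$LINK_IF" -d "$net" -j ACCEPT
    done
}
```

The rules the existing script already has for traffic between router A's own subnets belong in FORWARD as well; step 3 only shows the cross-router pairs.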
Thanks so much for your help. I'm not finished yet, but it's enough for today and I think that with the help you gave me I should do fine. :D
Thanks again RDU